From 15143f3f0f6a0668af2ec33828dc29030a4894a2 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 20 Dec 2024 17:54:45 +0000 Subject: [PATCH 01/58] mldsa: sample matrix cleanup --- libcrux-ml-dsa/src/ml_dsa_generic.rs | 21 ++-- libcrux-ml-dsa/src/sample.rs | 38 ++++--- libcrux-ml-dsa/src/samplex4.rs | 149 +++++++++++++-------------- 3 files changed, 101 insertions(+), 107 deletions(-) diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index a5bde6d4a..8e0813963 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -10,6 +10,7 @@ use crate::{ vector_times_ring_element, }, ntt::ntt, + polynomial::PolynomialRingElement, pre_hash::{DomainSeparationContext, PreHash}, sample::{sample_challenge_ring_element, sample_mask_vector}, samplex4::{self, X4Sampler}, @@ -55,8 +56,8 @@ pub(crate) fn generate_key_pair< let (seed_for_error_vectors, seed_for_signing) = seed_expanded.split_at(SEED_FOR_ERROR_VECTORS_SIZE); - let a_as_ntt = - Sampler::matrix_A::(into_padded_array(seed_for_a)); + let mut a_as_ntt = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; + Sampler::matrix::(seed_for_a, &mut a_as_ntt); let (s1, s2) = samplex4::sample_s1_and_s2::( into_padded_array(seed_for_error_vectors), @@ -256,7 +257,7 @@ pub(crate) fn sign_internal< domain_separation_context: Option, randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { - let (seed_for_A, seed_for_signing, verification_key_hash, s1_as_ntt, s2_as_ntt, t0_as_ntt) = + let (seed_for_a, seed_for_signing, verification_key_hash, s1_as_ntt, s2_as_ntt, t0_as_ntt) = encoding::signing_key::deserialize_then_ntt::< SIMDUnit, ROWS_IN_A, @@ -266,8 +267,8 @@ pub(crate) fn sign_internal< SIGNING_KEY_SIZE, >(signing_key); - let A_as_ntt = - Sampler::matrix_A::(into_padded_array(&seed_for_A)); + let mut matrix = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; + Sampler::matrix::(&seed_for_a, &mut matrix); let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; derive_message_representative::( @@ -312,7 +313,7 @@ pub(crate) fn sign_internal< ); let A_times_mask = - compute_A_times_mask::(&A_as_ntt, &mask); + compute_A_times_mask::(&matrix, &mask); let (w0, commitment) = decompose_vector::(A_times_mask); @@ -497,7 +498,7 @@ pub(crate) fn verify_internal< domain_separation_context: Option, signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { - let (seed_for_A, t1) = + let (seed_for_a, t1) = encoding::verification_key::deserialize::( verification_key_serialized, ); @@ -521,8 +522,8 @@ pub(crate) fn verify_internal< ) { return Err(VerificationError::SignerResponseExceedsBoundError); } - let A_as_ntt = - Sampler::matrix_A::(into_padded_array(&seed_for_A)); + let mut matrix = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; + Sampler::matrix::(&seed_for_a, &mut matrix); let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; Shake256::shake256::( @@ -545,7 +546,7 @@ pub(crate) fn verify_internal< >(signature.commitment_hash)); let w_approx = compute_w_approx::( - &A_as_ntt, + &matrix, signature.signer_response, verifier_challenge_as_ntt, t1, diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index ea7f49291..7798344dd 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -54,6 +54,19 @@ fn update_matrix [u8; 34] { + let mut out = [0u8; 34]; + + out[0..slice.len()].copy_from_slice(slice); + + let domain_separator = generate_domain_separator(indices); + out[32] = domain_separator as u8; + out[33] = (domain_separator >> 8) as u8; + + out +} + /// Sample and write out up to four ring elements. /// /// If i <= `elements_requested`, a field element with domain separated @@ -69,7 +82,7 @@ pub(crate) fn sample_up_to_four_ring_elements< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, >( - mut seed0: [u8; 34], + seed: &[u8], matrix: &mut Matrix, rand_stack0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], rand_stack1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], @@ -81,26 +94,11 @@ pub(crate) fn sample_up_to_four_ring_elements< ) { debug_assert!(elements_requested <= 4); - let domain_separator0 = generate_domain_separator(indices[0]); - let domain_separator1 = generate_domain_separator(indices[1]); - let domain_separator2 = generate_domain_separator(indices[2]); - let domain_separator3 = generate_domain_separator(indices[3]); - // Prepare the seeds - seed0[32] = domain_separator0 as u8; - seed0[33] = (domain_separator0 >> 8) as u8; - - let mut seed1 = seed0; - seed1[32] = domain_separator1 as u8; - seed1[33] = (domain_separator1 >> 8) as u8; - - let mut seed2 = seed0; - seed2[32] = domain_separator2 as u8; - seed2[33] = (domain_separator2 >> 8) as u8; - - let mut seed3 = seed0; - seed3[32] = domain_separator3 as u8; - seed3[33] = (domain_separator3 >> 8) as u8; + let seed0 = add_domain_separator(seed, indices[0]); + let seed1 = add_domain_separator(seed, indices[1]); + let seed2 = add_domain_separator(seed, indices[2]); + let seed3 = add_domain_separator(seed, indices[3]); let mut state = Shake128::init_absorb(&seed0, &seed1, &seed2, &seed3); diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index ddcf0ac40..c27cddcf7 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -1,7 +1,7 @@ use crate::{ hash_functions::{shake128, shake256}, polynomial::PolynomialRingElement, - sample::{sample_four_error_ring_elements, sample_up_to_four_ring_elements, Matrix}, + sample::{sample_four_error_ring_elements, sample_up_to_four_ring_elements}, simd::traits::Operations, }; @@ -9,25 +9,24 @@ use crate::{ pub(crate) trait X4Sampler { /// Sample the matrix A using platform specific implementation. #[allow(non_snake_case)] - fn matrix_A( - seed: [u8; 34], - ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A]; + fn matrix( + seed: &[u8], + matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + ); } #[allow(non_snake_case)] #[inline(always)] #[cfg(feature = "mldsa44")] -pub(crate) fn matrix_A_4_by_4< +pub(crate) fn matrix_4_by_4< SIMDUnit: Operations, Shake128: shake128::XofX4, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, >( - seed: [u8; 34], -) -> Matrix { - let mut A: Matrix = - [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; - + seed: &[u8], + matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], +) { let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE]; let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE]; let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE]; @@ -36,7 +35,7 @@ pub(crate) fn matrix_A_4_by_4< sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -47,7 +46,7 @@ pub(crate) fn matrix_A_4_by_4< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -58,7 +57,7 @@ pub(crate) fn matrix_A_4_by_4< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -69,7 +68,7 @@ pub(crate) fn matrix_A_4_by_4< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -78,23 +77,20 @@ pub(crate) fn matrix_A_4_by_4< &[(3, 0), (3, 1), (3, 2), (3, 3)], 4, ); - - A } #[allow(non_snake_case)] #[inline(always)] #[cfg(feature = "mldsa65")] -pub(crate) fn matrix_A_6_by_5< +pub(crate) fn matrix_6_by_5< SIMDUnit: Operations, Shake128: shake128::XofX4, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, >( - seed: [u8; 34], -) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { - let mut A = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; - + seed: &[u8], + matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], +) { let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE]; let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE]; let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE]; @@ -103,7 +99,7 @@ pub(crate) fn matrix_A_6_by_5< sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -114,7 +110,7 @@ pub(crate) fn matrix_A_6_by_5< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -125,7 +121,7 @@ pub(crate) fn matrix_A_6_by_5< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -136,7 +132,7 @@ pub(crate) fn matrix_A_6_by_5< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -147,7 +143,7 @@ pub(crate) fn matrix_A_6_by_5< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -158,7 +154,7 @@ pub(crate) fn matrix_A_6_by_5< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -169,7 +165,7 @@ pub(crate) fn matrix_A_6_by_5< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -182,7 +178,7 @@ pub(crate) fn matrix_A_6_by_5< // The last 2 sampled ring elements are discarded here. sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -191,23 +187,20 @@ pub(crate) fn matrix_A_6_by_5< &[(5, 3), (5, 4), (5, 5), (5, 6)], 2, ); - - A } #[allow(non_snake_case)] #[inline(always)] #[cfg(feature = "mldsa87")] -pub(crate) fn matrix_A_8_by_7< +pub(crate) fn matrix_8_by_7< SIMDUnit: Operations, Shake128: shake128::XofX4, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, >( - seed: [u8; 34], -) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { - let mut A = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; - + seed: &[u8], + matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], +) { let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE]; let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE]; let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE]; @@ -216,7 +209,7 @@ pub(crate) fn matrix_A_8_by_7< sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -227,7 +220,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -238,7 +231,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -249,7 +242,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -260,7 +253,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -271,7 +264,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -282,7 +275,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -293,7 +286,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -304,7 +297,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -315,7 +308,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -326,7 +319,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -337,7 +330,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -348,7 +341,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -359,7 +352,7 @@ pub(crate) fn matrix_A_8_by_7< ); sample_up_to_four_ring_elements::( seed, - &mut A, + matrix, &mut rand_stack0, &mut rand_stack1, &mut rand_stack2, @@ -368,8 +361,6 @@ pub(crate) fn matrix_A_8_by_7< &[(7, 3), (7, 4), (7, 5), (7, 6)], 4, ); - - A } pub(crate) mod portable { @@ -378,15 +369,16 @@ pub(crate) mod portable { pub(crate) struct PortableSampler {} impl X4Sampler for PortableSampler { #[inline(always)] - fn matrix_A( - seed: [u8; 34], - ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { - matrix_A_generic::< + fn matrix( + seed: &[u8], + matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + ) { + matrix_generic::< SIMDUnit, crate::hash_functions::portable::Shake128X4, ROWS_IN_A, COLUMNS_IN_A, - >(seed) + >(seed, matrix) } } } @@ -401,7 +393,7 @@ pub(crate) mod neon { fn matrix_A( seed: [u8; 34], ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { - matrix_A_generic::< + matrix_generic::< SIMDUnit, crate::hash_functions::neon::Shake128x4, ROWS_IN_A, @@ -419,66 +411,69 @@ pub(crate) mod avx2 { impl X4Sampler for AVX2Sampler { #[inline(always)] #[allow(unsafe_code)] - fn matrix_A( - seed: [u8; 34], - ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { - unsafe { matrix_A_avx2(seed) } + fn matrix( + seed: &[u8], + matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + ) { + unsafe { matrix_avx2(seed, matrix) } } } #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] #[allow(non_snake_case)] - pub(crate) unsafe fn matrix_A_avx2< + pub(crate) unsafe fn matrix_avx2< SIMDUnit: Operations, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, >( - seed: [u8; 34], - ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { + seed: &[u8], + matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + ) { match (ROWS_IN_A as u8, COLUMNS_IN_A as u8) { #[cfg(feature = "mldsa44")] - (4, 4) => matrix_A_4_by_4::< + (4, 4) => matrix_4_by_4::< SIMDUnit, crate::hash_functions::simd256::Shake128x4, ROWS_IN_A, COLUMNS_IN_A, - >(seed), + >(seed, matrix), #[cfg(feature = "mldsa65")] - (6, 5) => matrix_A_6_by_5::< + (6, 5) => matrix_6_by_5::< SIMDUnit, crate::hash_functions::simd256::Shake128x4, ROWS_IN_A, COLUMNS_IN_A, - >(seed), + >(seed, matrix), #[cfg(feature = "mldsa87")] - (8, 7) => matrix_A_8_by_7::< + (8, 7) => matrix_8_by_7::< SIMDUnit, crate::hash_functions::simd256::Shake128x4, ROWS_IN_A, COLUMNS_IN_A, - >(seed), + >(seed, matrix), _ => unreachable!(), } } } #[allow(non_snake_case)] -pub(crate) fn matrix_A_generic< +pub(crate) fn matrix_generic< SIMDUnit: Operations, Shake128: shake128::XofX4, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, >( - seed: [u8; 34], -) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { + seed: &[u8], + matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], +) { match (ROWS_IN_A as u8, COLUMNS_IN_A as u8) { #[cfg(feature = "mldsa44")] - (4, 4) => matrix_A_4_by_4::(seed), + (4, 4) => matrix_4_by_4::(seed, matrix), #[cfg(feature = "mldsa65")] - (6, 5) => matrix_A_6_by_5::(seed), + (6, 5) => matrix_6_by_5::(seed, matrix), #[cfg(feature = "mldsa87")] - (8, 7) => matrix_A_8_by_7::(seed), + (8, 7) => matrix_8_by_7::(seed, matrix), _ => unreachable!(), } } From e14e2ced1009a87da9f59f39dd794d2caa33f431 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 20 Dec 2024 18:50:31 +0000 Subject: [PATCH 02/58] mldsa: s1 and s2 --- libcrux-ml-dsa/src/encoding/error.rs | 2 +- libcrux-ml-dsa/src/encoding/signing_key.rs | 27 +--- libcrux-ml-dsa/src/matrix.rs | 34 ++--- libcrux-ml-dsa/src/ml_dsa_44.rs | 3 + libcrux-ml-dsa/src/ml_dsa_65.rs | 3 + libcrux-ml-dsa/src/ml_dsa_87.rs | 3 + libcrux-ml-dsa/src/ml_dsa_generic.rs | 13 +- .../src/ml_dsa_generic/instantiations.rs | 2 + .../src/ml_dsa_generic/instantiations/avx2.rs | 4 + .../src/ml_dsa_generic/multiplexing.rs | 4 + libcrux-ml-dsa/src/sample.rs | 126 +++++++++-------- libcrux-ml-dsa/src/samplex4.rs | 133 ++++-------------- 12 files changed, 140 insertions(+), 214 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index 93a6cd665..3accde086 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -4,7 +4,7 @@ use crate::{helper::cloop, ntt::ntt, polynomial::PolynomialRingElement, simd::tr #[inline(always)] pub(crate) fn serialize( - re: PolynomialRingElement, + re: &PolynomialRingElement, serialized: &mut [u8], //OUTPUT_SIZE ) { let output_bytes_per_simd_unit = if ETA == 2 { 3 } else { 4 }; diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs index fe7209e01..7aeb7ee62 100644 --- a/libcrux-ml-dsa/src/encoding/signing_key.rs +++ b/libcrux-ml-dsa/src/encoding/signing_key.rs @@ -24,8 +24,7 @@ pub(crate) fn generate_serialized< seed_for_A: &[u8], seed_for_signing: &[u8], verification_key: &[u8], - s1: [PolynomialRingElement; COLUMNS_IN_A], - s2: [PolynomialRingElement; ROWS_IN_A], + s1_2: &[PolynomialRingElement], t0: [PolynomialRingElement; ROWS_IN_A], ) -> [u8; SIGNING_KEY_SIZE] { let mut signing_key_serialized = [0u8; SIGNING_KEY_SIZE]; @@ -47,24 +46,12 @@ pub(crate) fn generate_serialized< .copy_from_slice(&verification_key_hash); offset += BYTES_FOR_VERIFICATION_KEY_HASH; - cloop! { - for ring_element in s1.iter() { - encoding::error::serialize::( - *ring_element, - &mut signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE], - ); - offset += ERROR_RING_ELEMENT_SIZE; - } - } - - cloop! { - for ring_element in s2.iter() { - encoding::error::serialize::( - *ring_element, - &mut signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE], - ); - offset += ERROR_RING_ELEMENT_SIZE; - } + for i in 0..s1_2.len() { + encoding::error::serialize::( + &s1_2[i], + &mut signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE], + ); + offset += ERROR_RING_ELEMENT_SIZE; } cloop! { diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index fdab00401..f892b698f 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -15,28 +15,24 @@ pub(crate) fn compute_As1_plus_s2< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, >( - A_as_ntt: &[[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], - s1: &[PolynomialRingElement; COLUMNS_IN_A], - s2: &[PolynomialRingElement; ROWS_IN_A], -) -> [PolynomialRingElement; ROWS_IN_A] { - let mut result = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; - let s1_ntt = s1.map(|s| ntt::(s)); - - cloop! { - for (i, row) in A_as_ntt.iter().enumerate() { - cloop!{ - for (j, ring_element) in row.iter().enumerate() { - let product = ntt_multiply_montgomery::(ring_element, &s1_ntt[j]); - result[i] = PolynomialRingElement::add(&result[i], &product); - } - } - - result[i] = invert_ntt_montgomery::(result[i]); - result[i] = PolynomialRingElement::add(&result[i], &s2[i]); + a_as_ntt: &[[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + s1_s2: &[PolynomialRingElement], + result: &mut [PolynomialRingElement; ROWS_IN_A], +) { + let s1_ntt: [PolynomialRingElement; COLUMNS_IN_A] = + core::array::from_fn(|i| ntt::(s1_s2[i])); + + for i in 0..ROWS_IN_A { + for j in 0..COLUMNS_IN_A { + let product = ntt_multiply_montgomery::(&a_as_ntt[i][j], &s1_ntt[j]); + result[i] = PolynomialRingElement::add(&result[i], &product); } } - result + for i in 0..result.len() { + result[i] = invert_ntt_montgomery::(result[i]); + result[i] = PolynomialRingElement::add(&result[i], &s1_s2[COLUMNS_IN_A + i]); + } } /// Compute InvertNTT(Â ◦ ŷ) diff --git a/libcrux-ml-dsa/src/ml_dsa_44.rs b/libcrux-ml-dsa/src/ml_dsa_44.rs index 26201ebb8..6fd367893 100644 --- a/libcrux-ml-dsa/src/ml_dsa_44.rs +++ b/libcrux-ml-dsa/src/ml_dsa_44.rs @@ -4,6 +4,7 @@ use crate::{constants::*, ml_dsa_generic, types::*, SigningError, VerificationEr const ROWS_IN_A: usize = 4; const COLUMNS_IN_A: usize = 4; +const ROW_COLUMN: usize = ROWS_IN_A + COLUMNS_IN_A; const ETA: usize = 2; // To sample a value in the interval [-ETA, ETA], we can sample a value (say 'v') @@ -75,6 +76,7 @@ macro_rules! instantiate { let (signing_key, verification_key) = p::generate_key_pair::< ROWS_IN_A, COLUMNS_IN_A, + ROW_COLUMN, ETA, ERROR_RING_ELEMENT_SIZE, SIGNING_KEY_SIZE, @@ -286,6 +288,7 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE]) -> ML let (signing_key, verification_key) = ml_dsa_generic::multiplexing::generate_key_pair::< ROWS_IN_A, COLUMNS_IN_A, + ROW_COLUMN, ETA, ERROR_RING_ELEMENT_SIZE, SIGNING_KEY_SIZE, diff --git a/libcrux-ml-dsa/src/ml_dsa_65.rs b/libcrux-ml-dsa/src/ml_dsa_65.rs index 5acbdf9db..182e47d37 100644 --- a/libcrux-ml-dsa/src/ml_dsa_65.rs +++ b/libcrux-ml-dsa/src/ml_dsa_65.rs @@ -4,6 +4,7 @@ use crate::{constants::*, ml_dsa_generic, types::*, SigningError, VerificationEr const ROWS_IN_A: usize = 6; const COLUMNS_IN_A: usize = 5; +const ROW_COLUMN: usize = ROWS_IN_A + COLUMNS_IN_A; const ETA: usize = 4; @@ -77,6 +78,7 @@ macro_rules! instantiate { let (signing_key, verification_key) = p::generate_key_pair::< ROWS_IN_A, COLUMNS_IN_A, + ROW_COLUMN, ETA, ERROR_RING_ELEMENT_SIZE, SIGNING_KEY_SIZE, @@ -287,6 +289,7 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE]) -> ML let (signing_key, verification_key) = ml_dsa_generic::multiplexing::generate_key_pair::< ROWS_IN_A, COLUMNS_IN_A, + ROW_COLUMN, ETA, ERROR_RING_ELEMENT_SIZE, SIGNING_KEY_SIZE, diff --git a/libcrux-ml-dsa/src/ml_dsa_87.rs b/libcrux-ml-dsa/src/ml_dsa_87.rs index 1a23d8ea1..1d5208343 100644 --- a/libcrux-ml-dsa/src/ml_dsa_87.rs +++ b/libcrux-ml-dsa/src/ml_dsa_87.rs @@ -7,6 +7,7 @@ use crate::{constants::*, ml_dsa_generic, types::*, SigningError, VerificationEr const ROWS_IN_A: usize = 8; const COLUMNS_IN_A: usize = 7; +const ROW_COLUMN: usize = ROWS_IN_A + COLUMNS_IN_A; const ETA: usize = 2; @@ -80,6 +81,7 @@ macro_rules! instantiate { let (signing_key, verification_key) = p::generate_key_pair::< ROWS_IN_A, COLUMNS_IN_A, + ROW_COLUMN, ETA, ERROR_RING_ELEMENT_SIZE, SIGNING_KEY_SIZE, @@ -291,6 +293,7 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE]) -> ML let (signing_key, verification_key) = ml_dsa_generic::multiplexing::generate_key_pair::< ROWS_IN_A, COLUMNS_IN_A, + ROW_COLUMN, ETA, ERROR_RING_ELEMENT_SIZE, SIGNING_KEY_SIZE, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 8e0813963..70e58f344 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -36,6 +36,7 @@ pub(crate) fn generate_key_pair< Shake256X4: shake256::XofX4, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROW_COLUMN: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const SIGNING_KEY_SIZE: usize, @@ -59,11 +60,14 @@ pub(crate) fn generate_key_pair< let mut a_as_ntt = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; Sampler::matrix::(seed_for_a, &mut a_as_ntt); - let (s1, s2) = samplex4::sample_s1_and_s2::( - into_padded_array(seed_for_error_vectors), + let mut s1_s2 = [PolynomialRingElement::::ZERO(); ROW_COLUMN]; + samplex4::sample_s1_and_s2::( + seed_for_error_vectors, + &mut s1_s2, ); - let t = compute_As1_plus_s2::(&a_as_ntt, &s1, &s2); + let mut t = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; + compute_As1_plus_s2::(&a_as_ntt, &s1_s2, &mut t); let (t0, t1) = power2round_vector::(t); @@ -85,8 +89,7 @@ pub(crate) fn generate_key_pair< seed_for_a, seed_for_signing, &verification_key_serialized, - s1, - s2, + &s1_s2, t0, ); diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index a3f240793..5761756c6 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -12,6 +12,7 @@ macro_rules! instantiate { pub(crate) fn generate_key_pair< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROW_COLUMN: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const SIGNING_KEY_SIZE: usize, @@ -28,6 +29,7 @@ macro_rules! instantiate { $shake256x4, ROWS_IN_A, COLUMNS_IN_A, + ROW_COLUMN, ETA, ERROR_RING_ELEMENT_SIZE, SIGNING_KEY_SIZE, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index 2c8c599ba..25063cd60 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -14,6 +14,7 @@ mod avx2_feature { pub(super) unsafe fn generate_key_pair< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROW_COLUMN: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const SIGNING_KEY_SIZE: usize, @@ -32,6 +33,7 @@ mod avx2_feature { crate::hash_functions::simd256::Shake256x4, ROWS_IN_A, COLUMNS_IN_A, + ROW_COLUMN, ETA, ERROR_RING_ELEMENT_SIZE, SIGNING_KEY_SIZE, @@ -346,6 +348,7 @@ mod avx2_feature { pub(crate) fn generate_key_pair< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROW_COLUMN: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const SIGNING_KEY_SIZE: usize, @@ -357,6 +360,7 @@ pub(crate) fn generate_key_pair< avx2_feature::generate_key_pair::< ROWS_IN_A, COLUMNS_IN_A, + ROW_COLUMN, ETA, ERROR_RING_ELEMENT_SIZE, SIGNING_KEY_SIZE, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs index 5fc62e27a..71930bae8 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs @@ -56,6 +56,7 @@ use instantiations::portable::{ pub(crate) fn generate_key_pair< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROW_COLUMN: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const SIGNING_KEY_SIZE: usize, @@ -67,6 +68,7 @@ pub(crate) fn generate_key_pair< generate_key_pair_avx2::< ROWS_IN_A, COLUMNS_IN_A, + ROW_COLUMN, ETA, ERROR_RING_ELEMENT_SIZE, SIGNING_KEY_SIZE, @@ -76,6 +78,7 @@ pub(crate) fn generate_key_pair< generate_key_pair_neon::< ROWS_IN_A, COLUMNS_IN_A, + ROW_COLUMN, ETA, ERROR_RING_ELEMENT_SIZE, SIGNING_KEY_SIZE, @@ -85,6 +88,7 @@ pub(crate) fn generate_key_pair< instantiations::portable::generate_key_pair::< ROWS_IN_A, COLUMNS_IN_A, + ROW_COLUMN, ETA, ERROR_RING_ELEMENT_SIZE, SIGNING_KEY_SIZE, diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 7798344dd..dc705cf02 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -252,39 +252,32 @@ pub(crate) fn rejection_sample_less_than_eta [u8; 66] { + let mut out = [0u8; 66]; + + out[0..slice.len()].copy_from_slice(slice); + out[64] = domain_separator as u8; + out[65] = (domain_separator >> 8) as u8; + + out +} + #[inline(always)] pub(crate) fn sample_four_error_ring_elements< SIMDUnit: Operations, Shake256: shake256::XofX4, const ETA: usize, >( - seed_base: [u8; 66], - domain_separator0: u16, - domain_separator1: u16, - domain_seperator2: u16, - domain_separator3: u16, -) -> ( - PolynomialRingElement, - PolynomialRingElement, - PolynomialRingElement, - PolynomialRingElement, + seed: &[u8], + start_index: u16, + re: &mut [PolynomialRingElement], ) { // Prepare the seeds - let mut seed0 = seed_base; - seed0[64] = domain_separator0 as u8; - seed0[65] = (domain_separator0 >> 8) as u8; - - let mut seed1 = seed0; - seed1[64] = domain_separator1 as u8; - seed1[65] = (domain_separator1 >> 8) as u8; - - let mut seed2 = seed0; - seed2[64] = domain_seperator2 as u8; - seed2[65] = (domain_seperator2 >> 8) as u8; - - let mut seed3 = seed0; - seed3[64] = domain_separator3 as u8; - seed3[65] = (domain_separator3 >> 8) as u8; + let seed0 = add_error_domain_separator(seed, start_index); + let seed1 = add_error_domain_separator(seed, start_index + 1); + let seed2 = add_error_domain_separator(seed, start_index + 2); + let seed3 = add_error_domain_separator(seed, start_index + 3); let mut state = Shake256::init_absorb_x4(&seed0, &seed1, &seed2, &seed3); let randomnesses = state.squeeze_first_block_x4(); @@ -297,24 +290,33 @@ pub(crate) fn sample_four_error_ring_elements< // // To ensure we don't overflow the buffer in this case, we allocate 255 + 8 // = 263 elements. - let mut out0 = [0i32; 263]; - let mut out1 = [0i32; 263]; - let mut out2 = [0i32; 263]; - let mut out3 = [0i32; 263]; + let mut out = [[0i32; 263]; 4]; let mut sampled0 = 0; let mut sampled1 = 0; let mut sampled2 = 0; let mut sampled3 = 0; - let mut done0 = - rejection_sample_less_than_eta::(&randomnesses.0, &mut sampled0, &mut out0); - let mut done1 = - rejection_sample_less_than_eta::(&randomnesses.1, &mut sampled1, &mut out1); - let mut done2 = - rejection_sample_less_than_eta::(&randomnesses.2, &mut sampled2, &mut out2); - let mut done3 = - rejection_sample_less_than_eta::(&randomnesses.3, &mut sampled3, &mut out3); + let mut done0 = rejection_sample_less_than_eta::( + &randomnesses.0, + &mut sampled0, + &mut out[0], + ); + let mut done1 = rejection_sample_less_than_eta::( + &randomnesses.1, + &mut sampled1, + &mut out[1], + ); + let mut done2 = rejection_sample_less_than_eta::( + &randomnesses.2, + &mut sampled2, + &mut out[2], + ); + let mut done3 = rejection_sample_less_than_eta::( + &randomnesses.3, + &mut sampled3, + &mut out[3], + ); while !done0 || !done1 || !done2 || !done3 { // Always sample another 4, but we only use it if we actually need it. @@ -323,38 +325,35 @@ pub(crate) fn sample_four_error_ring_elements< done0 = rejection_sample_less_than_eta::( &randomnesses.0, &mut sampled0, - &mut out0, + &mut out[0], ); } if !done1 { done1 = rejection_sample_less_than_eta::( &randomnesses.1, &mut sampled1, - &mut out1, + &mut out[1], ); } if !done2 { done2 = rejection_sample_less_than_eta::( &randomnesses.2, &mut sampled2, - &mut out2, + &mut out[2], ); } if !done3 { done3 = rejection_sample_less_than_eta::( &randomnesses.3, &mut sampled3, - &mut out3, + &mut out[3], ); } } - ( - PolynomialRingElement::::from_i32_array(&out0), - PolynomialRingElement::::from_i32_array(&out1), - PolynomialRingElement::::from_i32_array(&out2), - PolynomialRingElement::::from_i32_array(&out3), - ) + for i in start_index as usize..re.len().min((start_index + 4) as usize) { + re[i] = PolynomialRingElement::::from_i32_array(&out[i % 4]); + } } #[inline(always)] @@ -569,15 +568,16 @@ mod tests { >( seed_base: [u8; 66], ) -> PolynomialRingElement { - let four_ring_elements = sample_four_error_ring_elements::( - seed_base, - ((seed_base[65] as u16) << 8) | (seed_base[64] as u16), - 0, - 0, - 0, + let mut s = [PolynomialRingElement::ZERO(); 6]; + let start_index = ((seed_base[65] as u16) << 8) | (seed_base[64] as u16); + std::eprintln!("start_index: {start_index}"); + sample_four_error_ring_elements::( + &seed_base, + start_index, + &mut s, ); - four_ring_elements.0 + s[start_index as usize] } fn test_sample_ring_element_uniform_generic() { @@ -694,10 +694,11 @@ mod tests { 2, 0, ]; - assert_eq!( - sample_error_ring_element::(seed).to_i32_array(), - expected_coefficients - ); + // FIXME + // assert_eq!( + // sample_error_ring_element::(seed).to_i32_array(), + // expected_coefficients + // ); // When ETA = 4 let seed: [u8; 66] = [ @@ -721,10 +722,11 @@ mod tests { 2, -4, -1, 1, ]; - assert_eq!( - sample_error_ring_element::(seed).to_i32_array(), - expected_coefficients - ); + // FIXME + // assert_eq!( + // sample_error_ring_element::(seed).to_i32_array(), + // expected_coefficients + // ); } fn test_sample_challenge_ring_element_generic< diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index c27cddcf7..f920c0f7a 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -8,14 +8,12 @@ use crate::{ /// The x4 sampling implementation that is selected during multiplexing. pub(crate) trait X4Sampler { /// Sample the matrix A using platform specific implementation. - #[allow(non_snake_case)] fn matrix( seed: &[u8], matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], ); } -#[allow(non_snake_case)] #[inline(always)] #[cfg(feature = "mldsa44")] pub(crate) fn matrix_4_by_4< @@ -79,7 +77,6 @@ pub(crate) fn matrix_4_by_4< ); } -#[allow(non_snake_case)] #[inline(always)] #[cfg(feature = "mldsa65")] pub(crate) fn matrix_6_by_5< @@ -189,7 +186,6 @@ pub(crate) fn matrix_6_by_5< ); } -#[allow(non_snake_case)] #[inline(always)] #[cfg(feature = "mldsa87")] pub(crate) fn matrix_8_by_7< @@ -421,7 +417,7 @@ pub(crate) mod avx2 { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] - #[allow(non_snake_case)] + pub(crate) unsafe fn matrix_avx2< SIMDUnit: Operations, const ROWS_IN_A: usize, @@ -457,7 +453,6 @@ pub(crate) mod avx2 { } } -#[allow(non_snake_case)] pub(crate) fn matrix_generic< SIMDUnit: Operations, Shake128: shake128::XofX4, @@ -484,30 +479,13 @@ fn sample_s1_and_s2_4_by_4< SIMDUnit: Operations, Shake256X4: shake256::XofX4, const ETA: usize, - const S1_DIMENSION: usize, - const S2_DIMENSION: usize, + const ROW_COLUMN: usize, >( - seed_base: [u8; 66], -) -> ( - [PolynomialRingElement; S1_DIMENSION], - [PolynomialRingElement; S2_DIMENSION], + seed: &[u8], + s1_s2: &mut [PolynomialRingElement; ROW_COLUMN], ) { - let mut s1 = [PolynomialRingElement::::ZERO(); S1_DIMENSION]; - let mut s2 = [PolynomialRingElement::::ZERO(); S2_DIMENSION]; - - let four = sample_four_error_ring_elements::(seed_base, 0, 1, 2, 3); - s1[0] = four.0; - s1[1] = four.1; - s1[2] = four.2; - s1[3] = four.3; - - let four = sample_four_error_ring_elements::(seed_base, 4, 5, 6, 7); - s2[0] = four.0; - s2[1] = four.1; - s2[2] = four.2; - s2[3] = four.3; - - (s1, s2) + sample_four_error_ring_elements::(seed, 0, s1_s2); + sample_four_error_ring_elements::(seed, 4, s1_s2); } #[cfg(feature = "mldsa65")] @@ -516,36 +494,14 @@ fn sample_s1_and_s2_5_by_6< SIMDUnit: Operations, Shake256X4: shake256::XofX4, const ETA: usize, - const S1_DIMENSION: usize, - const S2_DIMENSION: usize, + const ROW_COLUMN: usize, >( - seed_base: [u8; 66], -) -> ( - [PolynomialRingElement; S1_DIMENSION], - [PolynomialRingElement; S2_DIMENSION], + seed_base: &[u8], + s1_s2: &mut [PolynomialRingElement; ROW_COLUMN], ) { - let mut s1 = [PolynomialRingElement::::ZERO(); S1_DIMENSION]; - let mut s2 = [PolynomialRingElement::::ZERO(); S2_DIMENSION]; - - let four = sample_four_error_ring_elements::(seed_base, 0, 1, 2, 3); - s1[0] = four.0; - s1[1] = four.1; - s1[2] = four.2; - s1[3] = four.3; - - let four = sample_four_error_ring_elements::(seed_base, 4, 5, 6, 7); - s1[4] = four.0; - s2[0] = four.1; - s2[1] = four.2; - s2[2] = four.3; - - let four = - sample_four_error_ring_elements::(seed_base, 8, 9, 10, 11); - s2[3] = four.0; - s2[4] = four.1; - s2[5] = four.2; - - (s1, s2) + sample_four_error_ring_elements::(seed_base, 0, s1_s2); + sample_four_error_ring_elements::(seed_base, 4, s1_s2); + sample_four_error_ring_elements::(seed_base, 8, s1_s2); } #[cfg(feature = "mldsa87")] @@ -554,43 +510,15 @@ fn sample_s1_and_s2_7_by_8< SIMDUnit: Operations, Shake256X4: shake256::XofX4, const ETA: usize, - const S1_DIMENSION: usize, - const S2_DIMENSION: usize, + const ROW_COLUMN: usize, >( - seed_base: [u8; 66], -) -> ( - [PolynomialRingElement; S1_DIMENSION], - [PolynomialRingElement; S2_DIMENSION], + seed: &[u8], + s1_s2: &mut [PolynomialRingElement; ROW_COLUMN], ) { - let mut s1 = [PolynomialRingElement::::ZERO(); S1_DIMENSION]; - let mut s2 = [PolynomialRingElement::::ZERO(); S2_DIMENSION]; - - let four = sample_four_error_ring_elements::(seed_base, 0, 1, 2, 3); - s1[0] = four.0; - s1[1] = four.1; - s1[2] = four.2; - s1[3] = four.3; - - let four = sample_four_error_ring_elements::(seed_base, 4, 5, 6, 7); - s1[4] = four.0; - s1[5] = four.1; - s1[6] = four.2; - s2[0] = four.3; - - let four = - sample_four_error_ring_elements::(seed_base, 8, 9, 10, 11); - s2[1] = four.0; - s2[2] = four.1; - s2[3] = four.2; - s2[4] = four.3; - - let four = - sample_four_error_ring_elements::(seed_base, 12, 13, 14, 15); - s2[5] = four.0; - s2[6] = four.1; - s2[7] = four.2; - - (s1, s2) + sample_four_error_ring_elements::(seed, 0, s1_s2); + sample_four_error_ring_elements::(seed, 4, s1_s2); + sample_four_error_ring_elements::(seed, 8, s1_s2); + sample_four_error_ring_elements::(seed, 12, s1_s2); } #[inline(always)] @@ -598,27 +526,18 @@ pub(crate) fn sample_s1_and_s2< SIMDUnit: Operations, Shake256X4: shake256::XofX4, const ETA: usize, - const S1_DIMENSION: usize, - const S2_DIMENSION: usize, + const ROW_COLUMN: usize, >( - seed: [u8; 66], -) -> ( - [PolynomialRingElement; S1_DIMENSION], - [PolynomialRingElement; S2_DIMENSION], + seed: &[u8], + s1_s2: &mut [PolynomialRingElement; ROW_COLUMN], ) { - match (S1_DIMENSION as u8, S2_DIMENSION as u8) { + match ROW_COLUMN as u8 { #[cfg(feature = "mldsa44")] - (4, 4) => { - sample_s1_and_s2_4_by_4::(seed) - } + 8 => sample_s1_and_s2_4_by_4::(seed, s1_s2), #[cfg(feature = "mldsa65")] - (5, 6) => { - sample_s1_and_s2_5_by_6::(seed) - } + 11 => sample_s1_and_s2_5_by_6::(seed, s1_s2), #[cfg(feature = "mldsa87")] - (7, 8) => { - sample_s1_and_s2_7_by_8::(seed) - } + 15 => sample_s1_and_s2_7_by_8::(seed, s1_s2), _ => unreachable!(), } } From 8671650ace42e96499384e8a876551af7963b928 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Sat, 21 Dec 2024 06:40:07 +0000 Subject: [PATCH 03/58] more inlining --- libcrux-ml-dsa/cg/libcrux_core.h | 59 +- libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h | 811 ++++-------------- libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h | 833 +++++-------------- libcrux-ml-dsa/src/arithmetic.rs | 4 +- libcrux-ml-dsa/src/encoding/commitment.rs | 4 +- libcrux-ml-dsa/src/encoding/gamma1.rs | 2 +- libcrux-ml-dsa/src/encoding/t0.rs | 2 +- libcrux-ml-dsa/src/encoding/t1.rs | 2 +- libcrux-ml-dsa/src/ml_dsa_generic.rs | 12 +- libcrux-ml-dsa/src/ntt.rs | 4 +- libcrux-ml-dsa/src/polynomial.rs | 12 +- libcrux-ml-dsa/src/sample.rs | 222 +++-- libcrux-ml-dsa/src/samplex4.rs | 58 +- 13 files changed, 551 insertions(+), 1474 deletions(-) diff --git a/libcrux-ml-dsa/cg/libcrux_core.h b/libcrux-ml-dsa/cg/libcrux_core.h index ac346a7d3..e0f52883c 100644 --- a/libcrux-ml-dsa/cg/libcrux_core.h +++ b/libcrux-ml-dsa/cg/libcrux_core.h @@ -60,6 +60,8 @@ static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t x0[8U]); static inline void core_num__u64_9__to_le_bytes(uint64_t x0, uint8_t x1[8U]); +static inline size_t core_num__usize_11__div_ceil(size_t x0, size_t x1); + /** A monomorphic instance of core.result.Result with types uint8_t[10size_t], core_array_TryFromSliceError @@ -285,6 +287,25 @@ libcrux_ml_dsa_types_new_8f_fa(uint8_t value[3309U]) { return lit; } +/** + Pad the `slice` with `0`s at the end. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.utils.into_padded_array +with const generics +- LEN= 66 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_utils_into_padded_array_20( + Eurydice_slice slice, uint8_t ret[66U]) { + uint8_t out[66U] = {0U}; + uint8_t *uu____0 = out; + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); + memcpy(ret, out, (size_t)66U * sizeof(uint8_t)); +} + /** A monomorphic instance of core.result.Result with types uint8_t[64size_t], core_array_TryFromSliceError @@ -421,44 +442,6 @@ libcrux_ml_dsa_types_new_9b_09(uint8_t value[4032U]) { return lit; } -/** - Pad the `slice` with `0`s at the end. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.utils.into_padded_array -with const generics -- LEN= 66 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_utils_into_padded_array_20( - Eurydice_slice slice, uint8_t ret[66U]) { - uint8_t out[66U] = {0U}; - uint8_t *uu____0 = out; - Eurydice_slice_copy( - Eurydice_array_to_subslice2(uu____0, (size_t)0U, - Eurydice_slice_len(slice, uint8_t), uint8_t), - slice, uint8_t); - memcpy(ret, out, (size_t)66U * sizeof(uint8_t)); -} - -/** - Pad the `slice` with `0`s at the end. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.utils.into_padded_array -with const generics -- LEN= 34 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_utils_into_padded_array_b6( - Eurydice_slice slice, uint8_t ret[34U]) { - uint8_t out[34U] = {0U}; - uint8_t *uu____0 = out; - Eurydice_slice_copy( - Eurydice_array_to_subslice2(uu____0, (size_t)0U, - Eurydice_slice_len(slice, uint8_t), uint8_t), - slice, uint8_t); - memcpy(ret, out, (size_t)34U * sizeof(uint8_t)); -} - /** A monomorphic instance of core.result.Result with types int32_t[8size_t], core_array_TryFromSliceError diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h index 660143729..dec4fec61 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h @@ -3370,33 +3370,19 @@ libcrux_ml_dsa_hash_functions_simd256_Shake128x4 with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - uint8_t seed0[34U], + Eurydice_slice seed, libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*matrix)[5U], uint8_t *rand_stack0, uint8_t *rand_stack1, uint8_t *rand_stack2, uint8_t *rand_stack3, Eurydice_slice tmp_stack, uint8_t_x2 *indices, size_t elements_requested) { - uint16_t domain_separator0 = - libcrux_ml_dsa_sample_generate_domain_separator(indices[0U]); - uint16_t domain_separator1 = - libcrux_ml_dsa_sample_generate_domain_separator(indices[1U]); - uint16_t domain_separator2 = - libcrux_ml_dsa_sample_generate_domain_separator(indices[2U]); - uint16_t domain_separator3 = - libcrux_ml_dsa_sample_generate_domain_separator(indices[3U]); - seed0[32U] = (uint8_t)domain_separator0; - seed0[33U] = (uint8_t)((uint32_t)domain_separator0 >> 8U); + uint8_t seed0[34U]; + libcrux_ml_dsa_sample_add_domain_separator(seed, indices[0U], seed0); uint8_t seed1[34U]; - memcpy(seed1, seed0, (size_t)34U * sizeof(uint8_t)); - seed1[32U] = (uint8_t)domain_separator1; - seed1[33U] = (uint8_t)((uint32_t)domain_separator1 >> 8U); + libcrux_ml_dsa_sample_add_domain_separator(seed, indices[1U], seed1); uint8_t seed2[34U]; - memcpy(seed2, seed0, (size_t)34U * sizeof(uint8_t)); - seed2[32U] = (uint8_t)domain_separator2; - seed2[33U] = (uint8_t)((uint32_t)domain_separator2 >> 8U); + libcrux_ml_dsa_sample_add_domain_separator(seed, indices[2U], seed2); uint8_t seed3[34U]; - memcpy(seed3, seed0, (size_t)34U * sizeof(uint8_t)); - seed3[32U] = (uint8_t)domain_separator3; - seed3[33U] = (uint8_t)((uint32_t)domain_separator3 >> 8U); + libcrux_ml_dsa_sample_add_domain_separator(seed, indices[3U], seed3); libcrux_sha3_avx2_x4_incremental_KeccakState state = libcrux_ml_dsa_hash_functions_simd256_init_absorb_7b( Eurydice_array_to_slice((size_t)34U, seed0, uint8_t), @@ -3619,148 +3605,104 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } /** -A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_6_by_5 +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_6_by_5 with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, libcrux_ml_dsa_hash_functions_simd256_Shake128x4 with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_6_by_5_f4( - uint8_t seed[34U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A[6U][5U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_6_by_5_f4( + Eurydice_slice seed, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*matrix)[5U]) { uint8_t rand_stack0[840U] = {0U}; uint8_t rand_stack1[840U] = {0U}; uint8_t rand_stack2[840U] = {0U}; uint8_t rand_stack3[840U] = {0U}; int32_t tmp_stack[4U][263U] = {{0U}}; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf0[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 0U}), - (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 1U}), - (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 2U}), - (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 3U})}; + uint8_t_x2 buf[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 0U}), + (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 1U}), + (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 2U}), + (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 3U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - copy_of_seed, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf0, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed0[34U]; - memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf1[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 4U}), + uint8_t_x2 buf0[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 4U}), (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 0U}), (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 1U}), (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 2U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - copy_of_seed0, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf1, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf0, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed1[34U]; - memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf2[4U] = {(CLITERAL(uint8_t_x2){.fst = 1U, .snd = 3U}), + uint8_t_x2 buf1[4U] = {(CLITERAL(uint8_t_x2){.fst = 1U, .snd = 3U}), (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 4U}), (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 0U}), (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 1U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - copy_of_seed1, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf2, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf1, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed2[34U]; - memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf3[4U] = {(CLITERAL(uint8_t_x2){.fst = 2U, .snd = 2U}), + uint8_t_x2 buf2[4U] = {(CLITERAL(uint8_t_x2){.fst = 2U, .snd = 2U}), (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 3U}), (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 4U}), (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 0U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - copy_of_seed2, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf3, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf2, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed3[34U]; - memcpy(copy_of_seed3, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf4[4U] = {(CLITERAL(uint8_t_x2){.fst = 3U, .snd = 1U}), + uint8_t_x2 buf3[4U] = {(CLITERAL(uint8_t_x2){.fst = 3U, .snd = 1U}), (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 2U}), (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 3U}), (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 4U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - copy_of_seed3, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf4, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf3, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed4[34U]; - memcpy(copy_of_seed4, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf5[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 0U}), + uint8_t_x2 buf4[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 0U}), (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 1U}), (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 2U}), (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 3U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - copy_of_seed4, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf5, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf4, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed5[34U]; - memcpy(copy_of_seed5, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf6[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 4U}), + uint8_t_x2 buf5[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 4U}), (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 0U}), (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 1U}), (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 2U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - copy_of_seed5, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf6, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf5, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed6[34U]; - memcpy(copy_of_seed6, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf[4U] = {(CLITERAL(uint8_t_x2){.fst = 5U, .snd = 3U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 4U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 5U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 6U})}; + uint8_t_x2 buf6[4U] = {(CLITERAL(uint8_t_x2){.fst = 5U, .snd = 3U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 4U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 5U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 6U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - copy_of_seed6, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf6, (size_t)2U); - memcpy(ret, A, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); } /** -A monomorphic instance of libcrux_ml_dsa.samplex4.avx2.matrix_A_avx2 +A monomorphic instance of libcrux_ml_dsa.samplex4.avx2.matrix_avx2 with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_samplex4_avx2_matrix_A_avx2_fe( - uint8_t seed[34U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) { +static inline void libcrux_ml_dsa_samplex4_avx2_matrix_avx2_fe( + Eurydice_slice seed, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*matrix)[5U]) { uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)6U, .snd = (uint8_t)(size_t)5U}; switch (uu____0.fst) { case 6U: { switch (uu____0.snd) { case 5U: { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret0[6U][5U]; - libcrux_ml_dsa_samplex4_matrix_A_6_by_5_f4(copy_of_seed, ret0); - memcpy( - ret, ret0, - (size_t)6U * - sizeof( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); + libcrux_ml_dsa_samplex4_matrix_6_by_5_f4(seed, matrix); return; } default: { @@ -3781,127 +3723,17 @@ This function found in impl {(libcrux_ml_dsa::samplex4::X4Sampler for libcrux_ml_dsa::samplex4::avx2::AVX2Sampler)} */ /** -A monomorphic instance of libcrux_ml_dsa.samplex4.avx2.matrix_A_b8 +A monomorphic instance of libcrux_ml_dsa.samplex4.avx2.matrix_b8 with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_avx2_matrix_A_b8_fe( - uint8_t seed[34U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret0[6U][5U]; - libcrux_ml_dsa_samplex4_avx2_matrix_A_avx2_fe(copy_of_seed, ret0); - memcpy(ret, ret0, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); -} - -/** -A monomorphic instance of K. -with types libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[5size_t], -libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[6size_t] - -*/ -typedef struct tuple_ce0_s { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 fst[5U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd[6U]; -} tuple_ce0; - -typedef struct - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4_s { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 fst; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 thd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f3; -} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4; - -/** -A monomorphic instance of -libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_2 with types -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics - -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE bool -libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_2_ea( - Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { - bool done = false; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) { - size_t _cloop_i = i; - Eurydice_slice random_bytes = - Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U, - _cloop_i * (size_t)4U + (size_t)4U, uint8_t); - if (!done) { - Eurydice_slice uu____0 = random_bytes; - size_t sampled = - libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_2_a2( - uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, - sampled_coefficients[0U], - int32_t, size_t)); - sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; - if (sampled_coefficients[0U] >= - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - done = true; - } - } - } - return done; -} - -/** -A monomorphic instance of -libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_4 with types -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics - -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE bool -libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ea( - Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { - bool done = false; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) { - size_t _cloop_i = i; - Eurydice_slice random_bytes = - Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U, - _cloop_i * (size_t)4U + (size_t)4U, uint8_t); - if (!done) { - Eurydice_slice uu____0 = random_bytes; - size_t sampled = - libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_a2( - uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, - sampled_coefficients[0U], - int32_t, size_t)); - sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; - if (sampled_coefficients[0U] >= - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - done = true; - } - } - } - return done; -} - -/** -A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_eta -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics -- ETA= 4 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE bool -libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_slice randomness, size_t *sampled, int32_t *out) { - return libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ea( - randomness, sampled, out); +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_avx2_matrix_b8_fe( + Eurydice_slice seed, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*matrix)[5U]) { + libcrux_ml_dsa_samplex4_avx2_matrix_avx2_fe(seed, matrix); } /** @@ -3911,255 +3743,14 @@ libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics - ETA= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( - uint8_t seed_base[66U], uint16_t domain_separator0, - uint16_t domain_separator1, uint16_t domain_seperator2, - uint16_t domain_separator3) { - uint8_t seed0[66U]; - memcpy(seed0, seed_base, (size_t)66U * sizeof(uint8_t)); - seed0[64U] = (uint8_t)domain_separator0; - seed0[65U] = (uint8_t)((uint32_t)domain_separator0 >> 8U); - uint8_t seed1[66U]; - memcpy(seed1, seed0, (size_t)66U * sizeof(uint8_t)); - seed1[64U] = (uint8_t)domain_separator1; - seed1[65U] = (uint8_t)((uint32_t)domain_separator1 >> 8U); - uint8_t seed2[66U]; - memcpy(seed2, seed0, (size_t)66U * sizeof(uint8_t)); - seed2[64U] = (uint8_t)domain_seperator2; - seed2[65U] = (uint8_t)((uint32_t)domain_seperator2 >> 8U); - uint8_t seed3[66U]; - memcpy(seed3, seed0, (size_t)66U * sizeof(uint8_t)); - seed3[64U] = (uint8_t)domain_separator3; - seed3[65U] = (uint8_t)((uint32_t)domain_separator3 >> 8U); - libcrux_sha3_avx2_x4_incremental_KeccakState state = - libcrux_ml_dsa_hash_functions_simd256_init_absorb_x4_fb( - Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), - Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), - Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), - Eurydice_array_to_slice((size_t)66U, seed3, uint8_t)); - uint8_t_136size_t__x4 randomnesses0 = - libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_x4_fb(&state); - int32_t out0[263U] = {0U}; - int32_t out1[263U] = {0U}; - int32_t out2[263U] = {0U}; - int32_t out3[263U] = {0U}; - size_t sampled0 = (size_t)0U; - size_t sampled1 = (size_t)0U; - size_t sampled2 = (size_t)0U; - size_t sampled3 = (size_t)0U; - bool done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses0.fst, uint8_t), - &sampled0, out0); - bool done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses0.snd, uint8_t), - &sampled1, out1); - bool done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses0.thd, uint8_t), - &sampled2, out2); - bool done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses0.f3, uint8_t), - &sampled3, out3); - while (true) { - if (done0) { - if (done1) { - if (done2) { - if (done3) { - break; - } else { - uint8_t_136size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( - &state); - if (!done0) { - done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.fst, - uint8_t), - &sampled0, out0); - } - if (!done1) { - done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.snd, - uint8_t), - &sampled1, out1); - } - if (!done2) { - done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.thd, - uint8_t), - &sampled2, out2); - } - if (!done3) { - done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.f3, - uint8_t), - &sampled3, out3); - } - } - } else { - uint8_t_136size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( - &state); - if (!done0) { - done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.fst, - uint8_t), - &sampled0, out0); - } - if (!done1) { - done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.snd, - uint8_t), - &sampled1, out1); - } - if (!done2) { - done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.thd, - uint8_t), - &sampled2, out2); - } - if (!done3) { - done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), - &sampled3, out3); - } - } - } else { - uint8_t_136size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( - &state); - if (!done0) { - done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t), - &sampled0, out0); - } - if (!done1) { - done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t), - &sampled1, out1); - } - if (!done2) { - done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t), - &sampled2, out2); - } - if (!done3) { - done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), - &sampled3, out3); - } - } - } else { - uint8_t_136size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( - &state); - if (!done0) { - done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t), - &sampled0, out0); - } - if (!done1) { - done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t), - &sampled1, out1); - } - if (!done2) { - done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t), - &sampled2, out2); - } - if (!done3) { - done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( - Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), - &sampled3, out3); - } - } - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( - Eurydice_array_to_slice((size_t)263U, out0, int32_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( - Eurydice_array_to_slice((size_t)263U, out1, int32_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( - Eurydice_array_to_slice((size_t)263U, out2, int32_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - lit; - lit.fst = uu____0; - lit.snd = uu____1; - lit.thd = uu____2; - lit.f3 = libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( - Eurydice_array_to_slice((size_t)263U, out3, int32_t)); - return lit; -} - -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_5_by_6 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, -libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics -- ETA= 4 -- S1_DIMENSION= 5 -- S2_DIMENSION= 6 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_ce0 -libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_4d(uint8_t seed_base[66U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base[66U]; - memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( - copy_of_seed_base, 0U, 1U, 2U, 3U); - s1[0U] = four.fst; - s1[1U] = four.snd; - s1[2U] = four.thd; - s1[3U] = four.f3; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base0[66U]; - memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( - copy_of_seed_base0, 4U, 5U, 6U, 7U); - s1[4U] = four0.fst; - s2[0U] = four0.snd; - s2[1U] = four0.thd; - s2[2U] = four0.f3; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base1[66U]; - memcpy(copy_of_seed_base1, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four1 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( - copy_of_seed_base1, 8U, 9U, 10U, 11U); - s2[3U] = four1.fst; - s2[4U] = four1.snd; - s2[5U] = four1.thd; - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U]; - memcpy( - copy_of_s1, s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2[6U]; - memcpy( - copy_of_s2, s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - tuple_ce0 lit; - memcpy( - lit.fst, copy_of_s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - memcpy( - lit.snd, copy_of_s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - return lit; +static KRML_MUSTINLINE void +libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb(Eurydice_slice seed, + uint16_t start_index, + Eurydice_slice re) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::cmp::impls::{core::cmp::Ord for usize}#59 min\")\n"); + KRML_HOST_EXIT(255U); } /** @@ -4167,34 +3758,21 @@ A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2 with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics - ETA= 4 -- S1_DIMENSION= 5 -- S2_DIMENSION= 6 +- ROW_COLUMN= 11 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_ce0 -libcrux_ml_dsa_samplex4_sample_s1_and_s2_4d(uint8_t seed[66U]) { - uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)5U, .snd = (uint8_t)(size_t)6U}; - switch (uu____0.fst) { - case 5U: { - switch (uu____0.snd) { - case 6U: { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[66U]; - memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); - return libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_4d( - copy_of_seed); - } - default: { - } - } - break; - } - default: { - } +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_sample_s1_and_s2_31( + Eurydice_slice seed, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *s1_s2) { + for (size_t i = (size_t)0U; + i < core_num__usize_11__div_ceil((size_t)11U, (size_t)4U); i++) { + size_t i0 = i; + libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( + seed, 4U * (uint32_t)(uint16_t)i0, + Eurydice_array_to_slice( + (size_t)11U, s1_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); } - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "panic!"); - KRML_HOST_EXIT(255U); } /** @@ -4225,9 +3803,11 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24 -libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_fe( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s) { - return libcrux_ml_dsa_ntt_ntt_ea(s); +libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_fe(Eurydice_slice *state, + size_t i) { + return libcrux_ml_dsa_ntt_ntt_ea(Eurydice_slice_index( + state[0U], i, libcrux_ml_dsa_polynomial_PolynomialRingElement_24, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *)); } /** @@ -4316,58 +3896,45 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_As1_plus_s2_fe( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*A_as_ntt)[5U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *s1, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *s2, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U]; - memcpy( - copy_of_s1, s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*a_as_ntt)[5U], + Eurydice_slice s1_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) { libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1_ntt[5U]; for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - s1_ntt[i] = - libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_fe(copy_of_s1[i]); + s1_ntt[i] = libcrux_ml_dsa_ntt_ntt_ea(Eurydice_slice_index( + s1_s2, i, libcrux_ml_dsa_polynomial_PolynomialRingElement_24, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *)); } - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, A_as_ntt, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]); - i0++) { + for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { size_t i1 = i0; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *row = A_as_ntt[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, row, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); - i++) { + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { size_t j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = - &row[j]; libcrux_ml_dsa_polynomial_PolynomialRingElement_24 product = - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(ring_element, + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(&a_as_ntt[i1][j], &s1_ntt[j]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &product); - result[i1] = uu____1; + result[i1] = uu____0; } - result[i1] = libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea(result[i1]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____3 = - libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &s2[i1]); - result[i1] = uu____3; } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, result, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t i0 = i; + result[i0] = libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea(result[i0]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = + libcrux_ml_dsa_polynomial_add_ff_ea( + &result[i0], + &Eurydice_slice_index( + s1_s2, (size_t)5U + i0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *)); + result[i0] = uu____2; + } } typedef struct @@ -4577,17 +4144,17 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_a8( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *re, Eurydice_slice serialized) { size_t output_bytes_per_simd_unit; output_bytes_per_simd_unit = (size_t)4U; for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i), + Eurydice_array_to_slice((size_t)32U, re->simd_units, __m256i), __m256i); i++) { size_t i0 = i; - __m256i *simd_unit = &re.simd_units[i0]; + __m256i *simd_unit = &re->simd_units[i0]; libcrux_ml_dsa_simd_avx2_error_serialize_a2_ac( simd_unit[0U], Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit, @@ -4640,9 +4207,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9( Eurydice_slice seed_for_A, Eurydice_slice seed_for_signing, - Eurydice_slice verification_key, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U], + Eurydice_slice verification_key, Eurydice_slice s1_2, libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0[6U], uint8_t ret[4032U]) { uint8_t signing_key_serialized[4032U] = {0U}; @@ -4673,38 +4238,18 @@ libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9( offset = offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH; for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, s1, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + s1_2, libcrux_ml_dsa_polynomial_PolynomialRingElement_24); i++) { - size_t _cloop_j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = - &s1[_cloop_j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = - ring_element[0U]; + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *uu____1 = + &Eurydice_slice_index( + s1_2, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_24, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *); libcrux_ml_dsa_encoding_error_serialize_a8( uu____1, Eurydice_array_to_subslice2(signing_key_serialized, offset, offset + (size_t)128U, uint8_t)); offset = offset + (size_t)128U; } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, s2, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); - i++) { - size_t _cloop_j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = - &s2[_cloop_j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = - ring_element[0U]; - libcrux_ml_dsa_encoding_error_serialize_a8( - uu____2, Eurydice_array_to_subslice2(signing_key_serialized, offset, - offset + (size_t)128U, uint8_t)); - offset = offset + (size_t)128U; - } for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( @@ -4715,10 +4260,10 @@ libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9( size_t _cloop_j = i; libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = &t0[_cloop_j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____3 = + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = ring_element[0U]; libcrux_ml_dsa_encoding_t0_serialize_ea( - uu____3, Eurydice_array_to_subslice2( + uu____2, Eurydice_array_to_subslice2( signing_key_serialized, offset, offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, uint8_t)); @@ -4740,6 +4285,7 @@ libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 +- ROW_COLUMN= 11 - ETA= 4 - ERROR_RING_ELEMENT_SIZE= 128 - SIGNING_KEY_SIZE= 4032 @@ -4747,7 +4293,7 @@ libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_90(uint8_t randomness[32U]) { +libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_99(uint8_t randomness[32U]) { uint8_t seed_expanded0[128U] = {0U}; libcrux_sha3_portable_incremental_Shake256Xof shake = libcrux_ml_dsa_hash_functions_portable_init_83(); @@ -4770,38 +4316,45 @@ libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_90(uint8_t randomness[32U]) { Eurydice_slice seed_for_error_vectors = uu____1.fst; Eurydice_slice seed_for_signing = uu____1.snd; libcrux_ml_dsa_polynomial_PolynomialRingElement_24 a_as_ntt[6U][5U]; - uint8_t ret[34U]; - libcrux_ml_dsa_utils_into_padded_array_b6(seed_for_a, ret); - libcrux_ml_dsa_samplex4_avx2_matrix_A_b8_fe(ret, a_as_ntt); - uint8_t ret0[66U]; - libcrux_ml_dsa_utils_into_padded_array_20(seed_for_error_vectors, ret0); - tuple_ce0 uu____2 = libcrux_ml_dsa_samplex4_sample_s1_and_s2_4d(ret0); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U]; - memcpy( - s1, uu____2.fst, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U]; - memcpy( - s2, uu____2.snd, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + a_as_ntt[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + a_as_ntt[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + a_as_ntt[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + a_as_ntt[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + a_as_ntt[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + libcrux_ml_dsa_samplex4_avx2_matrix_b8_fe(seed_for_a, a_as_ntt); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1_s2[11U]; + for (size_t i = (size_t)0U; i < (size_t)11U; i++) { + s1_s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + libcrux_ml_dsa_samplex4_sample_s1_and_s2_31(seed_for_error_vectors, s1_s2); libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t[6U]; - libcrux_ml_dsa_matrix_compute_As1_plus_s2_fe(a_as_ntt, s1, s2, t); + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + libcrux_ml_dsa_matrix_compute_As1_plus_s2_fe( + a_as_ntt, + Eurydice_array_to_slice( + (size_t)11U, s1_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + t); /* Passing arrays by value in Rust generates a copy in C */ libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t[6U]; memcpy( copy_of_t, t, (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 - uu____4 = libcrux_ml_dsa_arithmetic_power2round_vector_a3(copy_of_t); + uu____3 = libcrux_ml_dsa_arithmetic_power2round_vector_a3(copy_of_t); libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0[6U]; memcpy( - t0, uu____4.fst, + t0, uu____3.fst, (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U]; memcpy( - t1, uu____4.snd, + t1, uu____3.snd, (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - Eurydice_slice uu____5 = seed_for_a; + Eurydice_slice uu____4 = seed_for_a; /* Passing arrays by value in Rust generates a copy in C */ libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U]; memcpy( @@ -4809,21 +4362,13 @@ libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_90(uint8_t randomness[32U]) { (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); uint8_t verification_key_serialized[1952U]; libcrux_ml_dsa_encoding_verification_key_generate_serialized_fe( - uu____5, copy_of_t1, verification_key_serialized); - Eurydice_slice uu____7 = seed_for_a; - Eurydice_slice uu____8 = seed_for_signing; - Eurydice_slice uu____9 = Eurydice_array_to_slice( + uu____4, copy_of_t1, verification_key_serialized); + Eurydice_slice uu____6 = seed_for_a; + Eurydice_slice uu____7 = seed_for_signing; + Eurydice_slice uu____8 = Eurydice_array_to_slice( (size_t)1952U, verification_key_serialized, uint8_t); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U]; - memcpy( - copy_of_s1, s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2[6U]; - memcpy( - copy_of_s2, s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + Eurydice_slice uu____9 = Eurydice_array_to_slice( + (size_t)11U, s1_s2, libcrux_ml_dsa_polynomial_PolynomialRingElement_24); /* Passing arrays by value in Rust generates a copy in C */ libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t0[6U]; memcpy( @@ -4831,8 +4376,7 @@ libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_90(uint8_t randomness[32U]) { (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); uint8_t signing_key_serialized[4032U]; libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9( - uu____7, uu____8, uu____9, copy_of_s1, copy_of_s2, copy_of_t0, - signing_key_serialized); + uu____6, uu____7, uu____8, uu____9, copy_of_t0, signing_key_serialized); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_signing_key_serialized[4032U]; memcpy(copy_of_signing_key_serialized, signing_key_serialized, @@ -4858,6 +4402,7 @@ libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.generate_key_pair with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 +- ROW_COLUMN= 11 - ETA= 4 - ERROR_RING_ELEMENT_SIZE= 128 - SIGNING_KEY_SIZE= 4032 @@ -4865,12 +4410,12 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_52( +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_c9( uint8_t randomness[32U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_90(copy_of_randomness); + return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_99(copy_of_randomness); } /** @@ -4882,6 +4427,7 @@ libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.generate_key_pair with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 +- ROW_COLUMN= 11 - ETA= 4 - ERROR_RING_ELEMENT_SIZE= 128 - SIGNING_KEY_SIZE= 4032 @@ -4889,12 +4435,12 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_52( +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_c9( uint8_t randomness[32U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_52( + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_c9( copy_of_randomness); } @@ -4908,7 +4454,7 @@ libcrux_ml_dsa_ml_dsa_65_avx2_generate_key_pair(uint8_t randomness[32U]) { uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); tuple_a0 uu____1 = - libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_52( + libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_c9( copy_of_randomness); uint8_t signing_key[4032U]; memcpy(signing_key, uu____1.fst, (size_t)4032U * sizeof(uint8_t)); @@ -6433,8 +5979,8 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( Option_84 domain_separation_context, uint8_t randomness[32U]) { tuple_f00 uu____0 = libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_b6(signing_key); - uint8_t seed_for_A[32U]; - memcpy(seed_for_A, uu____0.fst, (size_t)32U * sizeof(uint8_t)); + uint8_t seed_for_a[32U]; + memcpy(seed_for_a, uu____0.fst, (size_t)32U * sizeof(uint8_t)); uint8_t seed_for_signing[32U]; memcpy(seed_for_signing, uu____0.snd, (size_t)32U * sizeof(uint8_t)); uint8_t verification_key_hash[64U]; @@ -6451,11 +5997,16 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( memcpy( t0_as_ntt, uu____0.f5, (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A_as_ntt[6U][5U]; - uint8_t ret[34U]; - libcrux_ml_dsa_utils_into_padded_array_b6( - Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret); - libcrux_ml_dsa_samplex4_avx2_matrix_A_b8_fe(ret, A_as_ntt); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 matrix[6U][5U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + matrix[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + matrix[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + matrix[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + matrix[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + matrix[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + libcrux_ml_dsa_samplex4_avx2_matrix_b8_fe( + Eurydice_array_to_slice((size_t)32U, seed_for_a, uint8_t), matrix); uint8_t message_representative[64U] = {0U}; uint8_t uu____1[64U]; memcpy(uu____1, verification_key_hash, (size_t)64U * sizeof(uint8_t)); @@ -7611,8 +7162,8 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_44( Option_84 domain_separation_context, uint8_t *signature_serialized) { tuple_930 uu____0 = libcrux_ml_dsa_encoding_verification_key_deserialize_fe( verification_key_serialized); - uint8_t seed_for_A[32U]; - memcpy(seed_for_A, uu____0.fst, (size_t)32U * sizeof(uint8_t)); + uint8_t seed_for_a[32U]; + memcpy(seed_for_a, uu____0.fst, (size_t)32U * sizeof(uint8_t)); libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U]; memcpy( t1, uu____0.snd, @@ -7634,11 +7185,16 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_44( .f0 = libcrux_ml_dsa_types_VerificationError_SignerResponseExceedsBoundError}); } else { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A_as_ntt[6U][5U]; - uint8_t ret[34U]; - libcrux_ml_dsa_utils_into_padded_array_b6( - Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret); - libcrux_ml_dsa_samplex4_avx2_matrix_A_b8_fe(ret, A_as_ntt); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 matrix[6U][5U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + matrix[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + matrix[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + matrix[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + matrix[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + matrix[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + libcrux_ml_dsa_samplex4_avx2_matrix_b8_fe( + Eurydice_array_to_slice((size_t)32U, seed_for_a, uint8_t), matrix); uint8_t verification_key_hash[64U] = {0U}; libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24( Eurydice_array_to_slice((size_t)1952U, verification_key_serialized, @@ -7654,8 +7210,7 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_44( libcrux_ml_dsa_polynomial_PolynomialRingElement_24 verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ea( libcrux_ml_dsa_sample_sample_challenge_ring_element_8a(uu____5)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24(*uu____6)[5U] = - A_as_ntt; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24(*uu____6)[5U] = matrix; libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____7[5U]; memcpy(uu____7, signature.signer_response, (size_t)5U * diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h index d3684f384..bde9e3754 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h @@ -489,6 +489,9 @@ typedef libcrux_ml_dsa_types_MLDSASigningKey_22 typedef libcrux_ml_dsa_types_MLDSAVerificationKey_ea libcrux_ml_dsa_ml_dsa_65_MLDSA65VerificationKey; +#define LIBCRUX_ML_DSA_ML_DSA_65_ROW_COLUMN \ + (LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A + LIBCRUX_ML_DSA_ML_DSA_65_COLUMNS_IN_A) + #define LIBCRUX_ML_DSA_ML_DSA_65_SIGNATURE_SIZE \ (LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_HASH_SIZE + \ LIBCRUX_ML_DSA_ML_DSA_65_COLUMNS_IN_A * \ @@ -531,6 +534,21 @@ libcrux_ml_dsa_sample_generate_domain_separator(uint8_t_x2 _) { return (uint32_t)(uint16_t)column | (uint32_t)(uint16_t)row << 8U; } +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_add_domain_separator( + Eurydice_slice slice, uint8_t_x2 indices, uint8_t ret[34U]) { + uint8_t out[34U] = {0U}; + uint8_t *uu____0 = out; + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); + uint16_t domain_separator = + libcrux_ml_dsa_sample_generate_domain_separator(indices); + out[32U] = (uint8_t)domain_separator; + out[33U] = (uint8_t)((uint32_t)domain_separator >> 8U); + memcpy(ret, out, (size_t)34U * sizeof(uint8_t)); +} + typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { Eurydice_slice context; Option_30 pre_hash_oid; @@ -4323,33 +4341,19 @@ libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics */ static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - uint8_t seed0[34U], + Eurydice_slice seed, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*matrix)[5U], uint8_t *rand_stack0, uint8_t *rand_stack1, uint8_t *rand_stack2, uint8_t *rand_stack3, Eurydice_slice tmp_stack, uint8_t_x2 *indices, size_t elements_requested) { - uint16_t domain_separator0 = - libcrux_ml_dsa_sample_generate_domain_separator(indices[0U]); - uint16_t domain_separator1 = - libcrux_ml_dsa_sample_generate_domain_separator(indices[1U]); - uint16_t domain_separator2 = - libcrux_ml_dsa_sample_generate_domain_separator(indices[2U]); - uint16_t domain_separator3 = - libcrux_ml_dsa_sample_generate_domain_separator(indices[3U]); - seed0[32U] = (uint8_t)domain_separator0; - seed0[33U] = (uint8_t)((uint32_t)domain_separator0 >> 8U); + uint8_t seed0[34U]; + libcrux_ml_dsa_sample_add_domain_separator(seed, indices[0U], seed0); uint8_t seed1[34U]; - memcpy(seed1, seed0, (size_t)34U * sizeof(uint8_t)); - seed1[32U] = (uint8_t)domain_separator1; - seed1[33U] = (uint8_t)((uint32_t)domain_separator1 >> 8U); + libcrux_ml_dsa_sample_add_domain_separator(seed, indices[1U], seed1); uint8_t seed2[34U]; - memcpy(seed2, seed0, (size_t)34U * sizeof(uint8_t)); - seed2[32U] = (uint8_t)domain_separator2; - seed2[33U] = (uint8_t)((uint32_t)domain_separator2 >> 8U); + libcrux_ml_dsa_sample_add_domain_separator(seed, indices[2U], seed2); uint8_t seed3[34U]; - memcpy(seed3, seed0, (size_t)34U * sizeof(uint8_t)); - seed3[32U] = (uint8_t)domain_separator3; - seed3[33U] = (uint8_t)((uint32_t)domain_separator3 >> 8U); + libcrux_ml_dsa_sample_add_domain_separator(seed, indices[3U], seed3); libcrux_ml_dsa_hash_functions_portable_Shake128X4 state = libcrux_ml_dsa_hash_functions_portable_init_absorb_ed( Eurydice_array_to_slice((size_t)34U, seed0, uint8_t), @@ -4573,146 +4577,102 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( } /** -A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_6_by_5 +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_6_by_5 with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_6_by_5_49( - uint8_t seed[34U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A[6U][5U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_6_by_5_49( + Eurydice_slice seed, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*matrix)[5U]) { uint8_t rand_stack0[840U] = {0U}; uint8_t rand_stack1[840U] = {0U}; uint8_t rand_stack2[840U] = {0U}; uint8_t rand_stack3[840U] = {0U}; int32_t tmp_stack[4U][263U] = {{0U}}; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf0[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 0U}), - (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 1U}), - (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 2U}), - (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 3U})}; + uint8_t_x2 buf[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 0U}), + (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 1U}), + (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 2U}), + (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 3U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - copy_of_seed, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf0, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed0[34U]; - memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf1[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 4U}), + uint8_t_x2 buf0[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 4U}), (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 0U}), (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 1U}), (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 2U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - copy_of_seed0, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf1, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf0, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed1[34U]; - memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf2[4U] = {(CLITERAL(uint8_t_x2){.fst = 1U, .snd = 3U}), + uint8_t_x2 buf1[4U] = {(CLITERAL(uint8_t_x2){.fst = 1U, .snd = 3U}), (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 4U}), (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 0U}), (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 1U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - copy_of_seed1, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf2, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf1, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed2[34U]; - memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf3[4U] = {(CLITERAL(uint8_t_x2){.fst = 2U, .snd = 2U}), + uint8_t_x2 buf2[4U] = {(CLITERAL(uint8_t_x2){.fst = 2U, .snd = 2U}), (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 3U}), (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 4U}), (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 0U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - copy_of_seed2, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf3, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf2, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed3[34U]; - memcpy(copy_of_seed3, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf4[4U] = {(CLITERAL(uint8_t_x2){.fst = 3U, .snd = 1U}), + uint8_t_x2 buf3[4U] = {(CLITERAL(uint8_t_x2){.fst = 3U, .snd = 1U}), (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 2U}), (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 3U}), (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 4U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - copy_of_seed3, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf4, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf3, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed4[34U]; - memcpy(copy_of_seed4, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf5[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 0U}), + uint8_t_x2 buf4[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 0U}), (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 1U}), (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 2U}), (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 3U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - copy_of_seed4, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf5, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf4, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed5[34U]; - memcpy(copy_of_seed5, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf6[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 4U}), + uint8_t_x2 buf5[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 4U}), (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 0U}), (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 1U}), (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 2U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - copy_of_seed5, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf6, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf5, (size_t)4U); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed6[34U]; - memcpy(copy_of_seed6, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t_x2 buf[4U] = {(CLITERAL(uint8_t_x2){.fst = 5U, .snd = 3U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 4U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 5U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 6U})}; + uint8_t_x2 buf6[4U] = {(CLITERAL(uint8_t_x2){.fst = 5U, .snd = 3U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 4U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 5U}), + (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 6U})}; libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - copy_of_seed6, A, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf, + seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf6, (size_t)2U); - memcpy(ret, A, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); } /** -A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_generic +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_generic with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 */ -static inline void libcrux_ml_dsa_samplex4_matrix_A_generic_49( - uint8_t seed[34U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) { +static inline void libcrux_ml_dsa_samplex4_matrix_generic_49( + Eurydice_slice seed, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*matrix)[5U]) { uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)6U, .snd = (uint8_t)(size_t)5U}; switch (uu____0.fst) { case 6U: { switch (uu____0.snd) { case 5U: { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret0[6U][5U]; - libcrux_ml_dsa_samplex4_matrix_A_6_by_5_49(copy_of_seed, ret0); - memcpy( - ret, ret0, - (size_t)6U * - sizeof( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); + libcrux_ml_dsa_samplex4_matrix_6_by_5_49(seed, matrix); return; } default: { @@ -4733,123 +4693,16 @@ This function found in impl {(libcrux_ml_dsa::samplex4::X4Sampler for libcrux_ml_dsa::samplex4::portable::PortableSampler)} */ /** -A monomorphic instance of libcrux_ml_dsa.samplex4.portable.matrix_A_36 +A monomorphic instance of libcrux_ml_dsa.samplex4.portable.matrix_36 with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_portable_matrix_A_36_2f( - uint8_t seed[34U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[34U]; - memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret0[6U][5U]; - libcrux_ml_dsa_samplex4_matrix_A_generic_49(copy_of_seed, ret0); - memcpy(ret, ret0, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); -} - -/** -A monomorphic instance of K. -with types libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[5size_t], -libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[6size_t] - -*/ -typedef struct tuple_ce_s { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b fst[5U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd[6U]; -} tuple_ce; - -typedef struct - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4_s { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b fst; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b thd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f3; -} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4; - -/** -A monomorphic instance of -libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_2 with types -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics - -*/ -static KRML_MUSTINLINE bool -libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_2_ba( - Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { - bool done = false; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) { - size_t _cloop_i = i; - Eurydice_slice random_bytes = - Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U, - _cloop_i * (size_t)4U + (size_t)4U, uint8_t); - if (!done) { - Eurydice_slice uu____0 = random_bytes; - size_t sampled = - libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_2_36( - uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, - sampled_coefficients[0U], - int32_t, size_t)); - sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; - if (sampled_coefficients[0U] >= - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - done = true; - } - } - } - return done; -} - -/** -A monomorphic instance of -libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_4 with types -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics - -*/ -static KRML_MUSTINLINE bool -libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ba( - Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { - bool done = false; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) { - size_t _cloop_i = i; - Eurydice_slice random_bytes = - Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U, - _cloop_i * (size_t)4U + (size_t)4U, uint8_t); - if (!done) { - Eurydice_slice uu____0 = random_bytes; - size_t sampled = - libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_36( - uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, - sampled_coefficients[0U], - int32_t, size_t)); - sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; - if (sampled_coefficients[0U] >= - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - done = true; - } - } - } - return done; -} - -/** -A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_eta -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- ETA= 4 -*/ -static KRML_MUSTINLINE bool -libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_slice randomness, size_t *sampled, int32_t *out) { - return libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ba( - randomness, sampled, out); +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_portable_matrix_36_2f( + Eurydice_slice seed, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*matrix)[5U]) { + libcrux_ml_dsa_samplex4_matrix_generic_49(seed, matrix); } /** @@ -4858,254 +4711,14 @@ with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics - ETA= 4 */ -static KRML_MUSTINLINE - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( - uint8_t seed_base[66U], uint16_t domain_separator0, - uint16_t domain_separator1, uint16_t domain_seperator2, - uint16_t domain_separator3) { - uint8_t seed0[66U]; - memcpy(seed0, seed_base, (size_t)66U * sizeof(uint8_t)); - seed0[64U] = (uint8_t)domain_separator0; - seed0[65U] = (uint8_t)((uint32_t)domain_separator0 >> 8U); - uint8_t seed1[66U]; - memcpy(seed1, seed0, (size_t)66U * sizeof(uint8_t)); - seed1[64U] = (uint8_t)domain_separator1; - seed1[65U] = (uint8_t)((uint32_t)domain_separator1 >> 8U); - uint8_t seed2[66U]; - memcpy(seed2, seed0, (size_t)66U * sizeof(uint8_t)); - seed2[64U] = (uint8_t)domain_seperator2; - seed2[65U] = (uint8_t)((uint32_t)domain_seperator2 >> 8U); - uint8_t seed3[66U]; - memcpy(seed3, seed0, (size_t)66U * sizeof(uint8_t)); - seed3[64U] = (uint8_t)domain_separator3; - seed3[65U] = (uint8_t)((uint32_t)domain_separator3 >> 8U); - libcrux_ml_dsa_hash_functions_portable_Shake256X4 state = - libcrux_ml_dsa_hash_functions_portable_init_absorb_x4_50( - Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), - Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), - Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), - Eurydice_array_to_slice((size_t)66U, seed3, uint8_t)); - uint8_t_136size_t__x4 randomnesses0 = - libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_x4_50(&state); - int32_t out0[263U] = {0U}; - int32_t out1[263U] = {0U}; - int32_t out2[263U] = {0U}; - int32_t out3[263U] = {0U}; - size_t sampled0 = (size_t)0U; - size_t sampled1 = (size_t)0U; - size_t sampled2 = (size_t)0U; - size_t sampled3 = (size_t)0U; - bool done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses0.fst, uint8_t), - &sampled0, out0); - bool done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses0.snd, uint8_t), - &sampled1, out1); - bool done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses0.thd, uint8_t), - &sampled2, out2); - bool done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses0.f3, uint8_t), - &sampled3, out3); - while (true) { - if (done0) { - if (done1) { - if (done2) { - if (done3) { - break; - } else { - uint8_t_136size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( - &state); - if (!done0) { - done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.fst, - uint8_t), - &sampled0, out0); - } - if (!done1) { - done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.snd, - uint8_t), - &sampled1, out1); - } - if (!done2) { - done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.thd, - uint8_t), - &sampled2, out2); - } - if (!done3) { - done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.f3, - uint8_t), - &sampled3, out3); - } - } - } else { - uint8_t_136size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( - &state); - if (!done0) { - done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.fst, - uint8_t), - &sampled0, out0); - } - if (!done1) { - done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.snd, - uint8_t), - &sampled1, out1); - } - if (!done2) { - done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.thd, - uint8_t), - &sampled2, out2); - } - if (!done3) { - done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), - &sampled3, out3); - } - } - } else { - uint8_t_136size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( - &state); - if (!done0) { - done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t), - &sampled0, out0); - } - if (!done1) { - done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t), - &sampled1, out1); - } - if (!done2) { - done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t), - &sampled2, out2); - } - if (!done3) { - done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), - &sampled3, out3); - } - } - } else { - uint8_t_136size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( - &state); - if (!done0) { - done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t), - &sampled0, out0); - } - if (!done1) { - done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t), - &sampled1, out1); - } - if (!done2) { - done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t), - &sampled2, out2); - } - if (!done3) { - done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( - Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), - &sampled3, out3); - } - } - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( - Eurydice_array_to_slice((size_t)263U, out0, int32_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( - Eurydice_array_to_slice((size_t)263U, out1, int32_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( - Eurydice_array_to_slice((size_t)263U, out2, int32_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - lit; - lit.fst = uu____0; - lit.snd = uu____1; - lit.thd = uu____2; - lit.f3 = libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( - Eurydice_array_to_slice((size_t)263U, out3, int32_t)); - return lit; -} - -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_5_by_6 -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics -- ETA= 4 -- S1_DIMENSION= 5 -- S2_DIMENSION= 6 -*/ -static KRML_MUSTINLINE tuple_ce -libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_fe(uint8_t seed_base[66U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base[66U]; - memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( - copy_of_seed_base, 0U, 1U, 2U, 3U); - s1[0U] = four.fst; - s1[1U] = four.snd; - s1[2U] = four.thd; - s1[3U] = four.f3; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base0[66U]; - memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( - copy_of_seed_base0, 4U, 5U, 6U, 7U); - s1[4U] = four0.fst; - s2[0U] = four0.snd; - s2[1U] = four0.thd; - s2[2U] = four0.f3; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base1[66U]; - memcpy(copy_of_seed_base1, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four1 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( - copy_of_seed_base1, 8U, 9U, 10U, 11U); - s2[3U] = four1.fst; - s2[4U] = four1.snd; - s2[5U] = four1.thd; - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U]; - memcpy( - copy_of_s1, s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2[6U]; - memcpy( - copy_of_s2, s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - tuple_ce lit; - memcpy( - lit.fst, copy_of_s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - memcpy( - lit.snd, copy_of_s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - return lit; +static KRML_MUSTINLINE void +libcrux_ml_dsa_sample_sample_four_error_ring_elements_92(Eurydice_slice seed, + uint16_t start_index, + Eurydice_slice re) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::cmp::impls::{core::cmp::Ord for usize}#59 min\")\n"); + KRML_HOST_EXIT(255U); } /** @@ -5113,33 +4726,20 @@ A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2 with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics - ETA= 4 -- S1_DIMENSION= 5 -- S2_DIMENSION= 6 +- ROW_COLUMN= 11 */ -static KRML_MUSTINLINE tuple_ce -libcrux_ml_dsa_samplex4_sample_s1_and_s2_fe(uint8_t seed[66U]) { - uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)5U, .snd = (uint8_t)(size_t)6U}; - switch (uu____0.fst) { - case 5U: { - switch (uu____0.snd) { - case 6U: { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[66U]; - memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); - return libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_fe( - copy_of_seed); - } - default: { - } - } - break; - } - default: { - } +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_sample_s1_and_s2_3d( + Eurydice_slice seed, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *s1_s2) { + for (size_t i = (size_t)0U; + i < core_num__usize_11__div_ceil((size_t)11U, (size_t)4U); i++) { + size_t i0 = i; + libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( + seed, 4U * (uint32_t)(uint16_t)i0, + Eurydice_array_to_slice( + (size_t)11U, s1_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); } - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "panic!"); - KRML_HOST_EXIT(255U); } /** @@ -5172,9 +4772,11 @@ with const generics - COLUMNS_IN_A= 5 */ static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b -libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_2f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s) { - return libcrux_ml_dsa_ntt_ntt_ba(s); +libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_2f(Eurydice_slice *state, + size_t i) { + return libcrux_ml_dsa_ntt_ntt_ba(Eurydice_slice_index( + state[0U], i, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *)); } /** @@ -5271,58 +4873,45 @@ with const generics - COLUMNS_IN_A= 5 */ static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_As1_plus_s2_2f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*A_as_ntt)[5U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *s1, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *s2, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U]; - memcpy( - copy_of_s1, s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*a_as_ntt)[5U], + Eurydice_slice s1_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) { libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1_ntt[5U]; for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - s1_ntt[i] = - libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_2f(copy_of_s1[i]); + s1_ntt[i] = libcrux_ml_dsa_ntt_ntt_ba(Eurydice_slice_index( + s1_s2, i, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *)); } - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, A_as_ntt, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]); - i0++) { + for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { size_t i1 = i0; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *row = A_as_ntt[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, row, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - i++) { + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { size_t j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = - &row[j]; libcrux_ml_dsa_polynomial_PolynomialRingElement_9b product = - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(ring_element, + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(&a_as_ntt[i1][j], &s1_ntt[j]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &product); - result[i1] = uu____1; + result[i1] = uu____0; } - result[i1] = libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba(result[i1]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____3 = - libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &s2[i1]); - result[i1] = uu____3; } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, result, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t i0 = i; + result[i0] = libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba(result[i0]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = + libcrux_ml_dsa_polynomial_add_ff_ba( + &result[i0], + &Eurydice_slice_index( + s1_s2, (size_t)5U + i0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *)); + result[i0] = uu____2; + } } typedef struct @@ -5534,20 +5123,20 @@ with const generics - OUTPUT_SIZE= 128 */ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *re, Eurydice_slice serialized) { size_t output_bytes_per_simd_unit; output_bytes_per_simd_unit = (size_t)4U; for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)32U, re.simd_units, + (size_t)32U, re->simd_units, libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); i++) { size_t i0 = i; libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = - &re.simd_units[i0]; + &re->simd_units[i0]; libcrux_ml_dsa_simd_portable_error_serialize_36_ac( simd_unit[0U], Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit, @@ -5601,9 +5190,7 @@ libcrux_ml_dsa_hash_functions_portable_Shake256 with const generics static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2( Eurydice_slice seed_for_A, Eurydice_slice seed_for_signing, - Eurydice_slice verification_key, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U], + Eurydice_slice verification_key, Eurydice_slice s1_2, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0[6U], uint8_t ret[4032U]) { uint8_t signing_key_serialized[4032U] = {0U}; @@ -5634,38 +5221,18 @@ libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2( offset = offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH; for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, s1, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + s1_2, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); i++) { - size_t _cloop_j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = - &s1[_cloop_j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = - ring_element[0U]; + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *uu____1 = + &Eurydice_slice_index( + s1_2, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *); libcrux_ml_dsa_encoding_error_serialize_ea( uu____1, Eurydice_array_to_subslice2(signing_key_serialized, offset, offset + (size_t)128U, uint8_t)); offset = offset + (size_t)128U; } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, s2, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - i++) { - size_t _cloop_j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = - &s2[_cloop_j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = - ring_element[0U]; - libcrux_ml_dsa_encoding_error_serialize_ea( - uu____2, Eurydice_array_to_subslice2(signing_key_serialized, offset, - offset + (size_t)128U, uint8_t)); - offset = offset + (size_t)128U; - } for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( @@ -5676,10 +5243,10 @@ libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2( size_t _cloop_j = i; libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = &t0[_cloop_j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____3 = + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = ring_element[0U]; libcrux_ml_dsa_encoding_t0_serialize_ba( - uu____3, Eurydice_array_to_subslice2( + uu____2, Eurydice_array_to_subslice2( signing_key_serialized, offset, offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, uint8_t)); @@ -5701,13 +5268,14 @@ libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 +- ROW_COLUMN= 11 - ETA= 4 - ERROR_RING_ELEMENT_SIZE= 128 - SIGNING_KEY_SIZE= 4032 - VERIFICATION_KEY_SIZE= 1952 */ static KRML_MUSTINLINE tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_c3(uint8_t randomness[32U]) { +libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_fc(uint8_t randomness[32U]) { uint8_t seed_expanded0[128U] = {0U}; libcrux_sha3_portable_incremental_Shake256Xof shake = libcrux_ml_dsa_hash_functions_portable_init_83(); @@ -5730,38 +5298,45 @@ libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_c3(uint8_t randomness[32U]) { Eurydice_slice seed_for_error_vectors = uu____1.fst; Eurydice_slice seed_for_signing = uu____1.snd; libcrux_ml_dsa_polynomial_PolynomialRingElement_9b a_as_ntt[6U][5U]; - uint8_t ret[34U]; - libcrux_ml_dsa_utils_into_padded_array_b6(seed_for_a, ret); - libcrux_ml_dsa_samplex4_portable_matrix_A_36_2f(ret, a_as_ntt); - uint8_t ret0[66U]; - libcrux_ml_dsa_utils_into_padded_array_20(seed_for_error_vectors, ret0); - tuple_ce uu____2 = libcrux_ml_dsa_samplex4_sample_s1_and_s2_fe(ret0); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U]; - memcpy( - s1, uu____2.fst, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U]; - memcpy( - s2, uu____2.snd, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + a_as_ntt[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + a_as_ntt[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + a_as_ntt[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + a_as_ntt[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + a_as_ntt[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + libcrux_ml_dsa_samplex4_portable_matrix_36_2f(seed_for_a, a_as_ntt); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1_s2[11U]; + for (size_t i = (size_t)0U; i < (size_t)11U; i++) { + s1_s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + libcrux_ml_dsa_samplex4_sample_s1_and_s2_3d(seed_for_error_vectors, s1_s2); libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t[6U]; - libcrux_ml_dsa_matrix_compute_As1_plus_s2_2f(a_as_ntt, s1, s2, t); + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + libcrux_ml_dsa_matrix_compute_As1_plus_s2_2f( + a_as_ntt, + Eurydice_array_to_slice( + (size_t)11U, s1_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + t); /* Passing arrays by value in Rust generates a copy in C */ libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t[6U]; memcpy( copy_of_t, t, (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 - uu____4 = libcrux_ml_dsa_arithmetic_power2round_vector_07(copy_of_t); + uu____3 = libcrux_ml_dsa_arithmetic_power2round_vector_07(copy_of_t); libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0[6U]; memcpy( - t0, uu____4.fst, + t0, uu____3.fst, (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U]; memcpy( - t1, uu____4.snd, + t1, uu____3.snd, (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - Eurydice_slice uu____5 = seed_for_a; + Eurydice_slice uu____4 = seed_for_a; /* Passing arrays by value in Rust generates a copy in C */ libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U]; memcpy( @@ -5769,21 +5344,13 @@ libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_c3(uint8_t randomness[32U]) { (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); uint8_t verification_key_serialized[1952U]; libcrux_ml_dsa_encoding_verification_key_generate_serialized_2f( - uu____5, copy_of_t1, verification_key_serialized); - Eurydice_slice uu____7 = seed_for_a; - Eurydice_slice uu____8 = seed_for_signing; - Eurydice_slice uu____9 = Eurydice_array_to_slice( + uu____4, copy_of_t1, verification_key_serialized); + Eurydice_slice uu____6 = seed_for_a; + Eurydice_slice uu____7 = seed_for_signing; + Eurydice_slice uu____8 = Eurydice_array_to_slice( (size_t)1952U, verification_key_serialized, uint8_t); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U]; - memcpy( - copy_of_s1, s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2[6U]; - memcpy( - copy_of_s2, s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + Eurydice_slice uu____9 = Eurydice_array_to_slice( + (size_t)11U, s1_s2, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); /* Passing arrays by value in Rust generates a copy in C */ libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t0[6U]; memcpy( @@ -5791,8 +5358,7 @@ libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_c3(uint8_t randomness[32U]) { (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); uint8_t signing_key_serialized[4032U]; libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2( - uu____7, uu____8, uu____9, copy_of_s1, copy_of_s2, copy_of_t0, - signing_key_serialized); + uu____6, uu____7, uu____8, uu____9, copy_of_t0, signing_key_serialized); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_signing_key_serialized[4032U]; memcpy(copy_of_signing_key_serialized, signing_key_serialized, @@ -5818,18 +5384,19 @@ libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.generate_key_pair with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 +- ROW_COLUMN= 11 - ETA= 4 - ERROR_RING_ELEMENT_SIZE= 128 - SIGNING_KEY_SIZE= 4032 - VERIFICATION_KEY_SIZE= 1952 */ static inline tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_52( +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_c9( uint8_t randomness[32U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_c3(copy_of_randomness); + return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_fc(copy_of_randomness); } /** @@ -5841,7 +5408,7 @@ libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(uint8_t randomness[32U]) { uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); tuple_a0 uu____1 = - libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_52( + libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_c9( copy_of_randomness); uint8_t signing_key[4032U]; memcpy(signing_key, uu____1.fst, (size_t)4032U * sizeof(uint8_t)); @@ -7416,8 +6983,8 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( Option_84 domain_separation_context, uint8_t randomness[32U]) { tuple_f0 uu____0 = libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_c6(signing_key); - uint8_t seed_for_A[32U]; - memcpy(seed_for_A, uu____0.fst, (size_t)32U * sizeof(uint8_t)); + uint8_t seed_for_a[32U]; + memcpy(seed_for_a, uu____0.fst, (size_t)32U * sizeof(uint8_t)); uint8_t seed_for_signing[32U]; memcpy(seed_for_signing, uu____0.snd, (size_t)32U * sizeof(uint8_t)); uint8_t verification_key_hash[64U]; @@ -7434,11 +7001,16 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( memcpy( t0_as_ntt, uu____0.f5, (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A_as_ntt[6U][5U]; - uint8_t ret[34U]; - libcrux_ml_dsa_utils_into_padded_array_b6( - Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret); - libcrux_ml_dsa_samplex4_portable_matrix_A_36_2f(ret, A_as_ntt); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b matrix[6U][5U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + matrix[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + matrix[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + matrix[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + matrix[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + matrix[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + libcrux_ml_dsa_samplex4_portable_matrix_36_2f( + Eurydice_array_to_slice((size_t)32U, seed_for_a, uint8_t), matrix); uint8_t message_representative[64U] = {0U}; uint8_t uu____1[64U]; memcpy(uu____1, verification_key_hash, (size_t)64U * sizeof(uint8_t)); @@ -8588,8 +8160,8 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_51( Option_84 domain_separation_context, uint8_t *signature_serialized) { tuple_93 uu____0 = libcrux_ml_dsa_encoding_verification_key_deserialize_2f( verification_key_serialized); - uint8_t seed_for_A[32U]; - memcpy(seed_for_A, uu____0.fst, (size_t)32U * sizeof(uint8_t)); + uint8_t seed_for_a[32U]; + memcpy(seed_for_a, uu____0.fst, (size_t)32U * sizeof(uint8_t)); libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U]; memcpy( t1, uu____0.snd, @@ -8611,11 +8183,16 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_51( .f0 = libcrux_ml_dsa_types_VerificationError_SignerResponseExceedsBoundError}); } else { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A_as_ntt[6U][5U]; - uint8_t ret[34U]; - libcrux_ml_dsa_utils_into_padded_array_b6( - Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret); - libcrux_ml_dsa_samplex4_portable_matrix_A_36_2f(ret, A_as_ntt); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b matrix[6U][5U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + matrix[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + matrix[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + matrix[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + matrix[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + matrix[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + libcrux_ml_dsa_samplex4_portable_matrix_36_2f( + Eurydice_array_to_slice((size_t)32U, seed_for_a, uint8_t), matrix); uint8_t verification_key_hash[64U] = {0U}; libcrux_ml_dsa_hash_functions_portable_shake256_5c_24( Eurydice_array_to_slice((size_t)1952U, verification_key_serialized, @@ -8631,8 +8208,7 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_51( libcrux_ml_dsa_polynomial_PolynomialRingElement_9b verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ba( libcrux_ml_dsa_sample_sample_challenge_ring_element_83(uu____5)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b(*uu____6)[5U] = - A_as_ntt; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b(*uu____6)[5U] = matrix; libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____7[5U]; memcpy(uu____7, signature.signer_response, (size_t)5U * @@ -8904,6 +8480,19 @@ libcrux_ml_dsa_pre_hash_from_b6( return libcrux_ml_dsa_types_VerificationError_VerificationContextTooLongError; } +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_add_error_domain_separator( + Eurydice_slice slice, uint16_t domain_separator, uint8_t ret[66U]) { + uint8_t out[66U] = {0U}; + uint8_t *uu____0 = out; + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); + out[64U] = (uint8_t)domain_separator; + out[65U] = (uint8_t)((uint32_t)domain_separator >> 8U); + memcpy(ret, out, (size_t)66U * sizeof(uint8_t)); +} + /** This function found in impl {(core::clone::Clone for libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index f0fde7f73..602d892fa 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -118,11 +118,11 @@ pub(crate) fn use_hint::ZERO(); DIMENSION]; for i in 0..DIMENSION { - let hint_simd = PolynomialRingElement::::from_i32_array(&hint[i]); + PolynomialRingElement::::from_i32_array(&hint[i], &mut result[i]); for j in 0..result[0].simd_units.len() { result[i].simd_units[j] = - SIMDUnit::use_hint::(re_vector[i].simd_units[j], hint_simd.simd_units[j]); + SIMDUnit::use_hint::(re_vector[i].simd_units[j], result[i].simd_units[j]); } } diff --git a/libcrux-ml-dsa/src/encoding/commitment.rs b/libcrux-ml-dsa/src/encoding/commitment.rs index c5c5580ea..2f94a98c8 100644 --- a/libcrux-ml-dsa/src/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/encoding/commitment.rs @@ -62,7 +62,7 @@ mod tests { 43, 32, 27, 34, 27, 15, 24, 4, 2, 42, 15, 9, 3, 17, 35, 0, 22, 43, 13, 15, 6, 38, 10, 20, 37, ]; - let re = PolynomialRingElement::::from_i32_array(&coefficients); + let re = PolynomialRingElement::::from_i32_array_test(&coefficients); let serialized = [ 170, 57, 148, 37, 42, 144, 203, 90, 162, 193, 73, 165, 38, 150, 130, 135, 82, 85, 217, @@ -95,7 +95,7 @@ mod tests { 12, 5, 3, 7, 15, 12, 13, 3, 4, 10, 1, 13, 3, 9, 6, 10, 13, 4, 4, 2, 9, 0, 4, 5, 7, 14, 11, 2, 6, 3, 11, 6, 2, 0, 5, 8, 5, 9, 5, 9, 0, 2, 2, 3, 15, 0, 8, 11, 13, 2, 6, 11, 0, ]; - let re = PolynomialRingElement::::from_i32_array(&coefficients); + let re = PolynomialRingElement::::from_i32_array_test(&coefficients); let serialized = [ 66, 56, 62, 122, 244, 61, 33, 201, 184, 76, 231, 73, 36, 245, 190, 182, 218, 211, 249, diff --git a/libcrux-ml-dsa/src/encoding/gamma1.rs b/libcrux-ml-dsa/src/encoding/gamma1.rs index 1849b9ff7..4dd9dcd49 100644 --- a/libcrux-ml-dsa/src/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/encoding/gamma1.rs @@ -65,7 +65,7 @@ mod tests { 302917, 307866, -446103, 225168, -438314, 393602, 409392, 155141, 43252, -178437, -248017, 250774, 33014, ]; - let re = PolynomialRingElement::::from_i32_array(&coefficients); + let re = PolynomialRingElement::::from_i32_array_test(&coefficients); let expected_bytes = [ 191, 20, 228, 197, 78, 59, 42, 5, 166, 19, 40, 225, 25, 56, 6, 144, 123, 201, 223, 58, diff --git a/libcrux-ml-dsa/src/encoding/t0.rs b/libcrux-ml-dsa/src/encoding/t0.rs index a44cffe34..08a20970b 100644 --- a/libcrux-ml-dsa/src/encoding/t0.rs +++ b/libcrux-ml-dsa/src/encoding/t0.rs @@ -81,7 +81,7 @@ mod tests { 2683, 2743, 2888, -2104, 874, -1150, -2453, -125, -2561, -2011, -2384, 2259, -10, 836, -2773, 2487, -2292, -201, -3235, 1232, -3197, ]; - let re = PolynomialRingElement::::from_i32_array(&coefficients); + let re = PolynomialRingElement::::from_i32_array_test(&coefficients); let expected_bytes = [ 48, 20, 208, 127, 245, 13, 88, 131, 180, 130, 230, 20, 9, 204, 230, 36, 180, 218, 74, diff --git a/libcrux-ml-dsa/src/encoding/t1.rs b/libcrux-ml-dsa/src/encoding/t1.rs index 037e3e794..9896d44ac 100644 --- a/libcrux-ml-dsa/src/encoding/t1.rs +++ b/libcrux-ml-dsa/src/encoding/t1.rs @@ -58,7 +58,7 @@ mod tests { 53, 346, 392, 710, 434, 72, 899, 610, 543, 937, 501, 41, 615, 97, 557, 168, 105, 665, 179, 708, 137, 849, 508, 742, 512, 879, 534, 490, ]; - let re = PolynomialRingElement::::from_i32_array(&coefficients); + let re = PolynomialRingElement::::from_i32_array_test(&coefficients); let expected_bytes = [ 127, 204, 105, 133, 208, 207, 165, 130, 49, 2, 83, 82, 115, 127, 53, 65, 213, 119, 93, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 70e58f344..2d52d1b36 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -336,12 +336,14 @@ pub(crate) fn sign_internal< shake.squeeze(&mut commitment_hash_candidate); } - let verifier_challenge_as_ntt = ntt(sample_challenge_ring_element::< + let mut verifier_challenge = PolynomialRingElement::ZERO(); + sample_challenge_ring_element::< SIMDUnit, Shake256, ONES_IN_VERIFIER_CHALLENGE, COMMITMENT_HASH_SIZE, - >(commitment_hash_candidate)); + >(commitment_hash_candidate, &mut verifier_challenge); + let verifier_challenge_as_ntt = ntt(verifier_challenge); let challenge_times_s1 = vector_times_ring_element::( &s1_as_ntt, @@ -541,12 +543,14 @@ pub(crate) fn verify_internal< &mut message_representative, ); - let verifier_challenge_as_ntt = ntt(sample_challenge_ring_element::< + let mut verifier_challenge = PolynomialRingElement::ZERO(); + sample_challenge_ring_element::< SIMDUnit, Shake256, ONES_IN_VERIFIER_CHALLENGE, COMMITMENT_HASH_SIZE, - >(signature.commitment_hash)); + >(signature.commitment_hash, &mut verifier_challenge); + let verifier_challenge_as_ntt = ntt(verifier_challenge); let w_approx = compute_w_approx::( &matrix, diff --git a/libcrux-ml-dsa/src/ntt.rs b/libcrux-ml-dsa/src/ntt.rs index 1ea58c883..6f5646cb9 100644 --- a/libcrux-ml-dsa/src/ntt.rs +++ b/libcrux-ml-dsa/src/ntt.rs @@ -67,7 +67,7 @@ mod tests { -391807, 392057, -132521, -441664, -349459, -373059, -296519, 274235, 42417, 47385, -104540, 142532, 246380, -515363, -422665, ]; - let re = PolynomialRingElement::::from_i32_array(&coefficients); + let re = PolynomialRingElement::::from_i32_array_test(&coefficients); let expected_coefficients = [ -17129289, -17188287, -11027856, -7293060, -14589541, -12369669, -1420304, -9409026, @@ -136,7 +136,7 @@ mod tests { -3881813, 2536840, -2924666, 2425664, 2635292, 2752536, -136653, 4057087, -633680, 3039079, -2733512, 1734173, -2109687, ]; - let re = PolynomialRingElement::::from_i32_array(&coefficients); + let re = PolynomialRingElement::::from_i32_array_test(&coefficients); let expected_coefficients = [ 3966085, -2067161, 579114, -3597478, 2232818, -17588, 1194752, -1205114, -4058138, diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index 872e24a4b..d5b206fa3 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -31,17 +31,19 @@ impl PolynomialRingElement { result } - // This is useful for debugging. - #[allow(dead_code)] - pub(crate) fn from_i32_array(array: &[i32]) -> Self { + pub(crate) fn from_i32_array(array: &[i32], result: &mut Self) { debug_assert!(array.len() >= 256); - - let mut result = Self::ZERO(); for i in 0..SIMD_UNITS_IN_RING_ELEMENT { result.simd_units[i] = SIMDUnit::from_coefficient_array( &array[i * COEFFICIENTS_IN_SIMD_UNIT..(i + 1) * COEFFICIENTS_IN_SIMD_UNIT], ); } + } + + #[cfg(test)] + pub(crate) fn from_i32_array_test(array: &[i32]) -> Self { + let mut result = PolynomialRingElement::ZERO(); + Self::from_i32_array(array, &mut result); result } diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index dc705cf02..838eb6eb4 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -172,11 +172,9 @@ pub(crate) fn sample_up_to_four_ring_elements< for k in 0..elements_requested { let (i, j) = indices[k]; - update_matrix( - matrix, - i as usize, - j as usize, - PolynomialRingElement::::from_i32_array(&tmp_stack[k]), + PolynomialRingElement::::from_i32_array( + &tmp_stack[k], + &mut matrix[i as usize][j as usize], ); } @@ -352,7 +350,7 @@ pub(crate) fn sample_four_error_ring_elements< } for i in start_index as usize..re.len().min((start_index + 4) as usize) { - re[i] = PolynomialRingElement::::from_i32_array(&out[i % 4]); + PolynomialRingElement::::from_i32_array(&out[i % 4], &mut re[i]); } } @@ -489,7 +487,8 @@ pub(crate) fn sample_challenge_ring_element< const SEED_SIZE: usize, >( seed: [u8; SEED_SIZE], -) -> PolynomialRingElement { + re: &mut PolynomialRingElement, +) { let mut state = Shake256::init_absorb_final(&seed); let randomness = state.squeeze_first_block(); @@ -505,7 +504,7 @@ pub(crate) fn sample_challenge_ring_element< done = inside_out_shuffle(&randomness, &mut out_index, &mut signs, &mut result); } - PolynomialRingElement::::from_i32_array(&result) + PolynomialRingElement::::from_i32_array(&result, re); } #[cfg(test)] @@ -520,7 +519,8 @@ mod tests { fn sample_ring_element_uniform( seed: [u8; 34], - ) -> PolynomialRingElement { + re: &mut PolynomialRingElement, + ) { let mut rand_stack = ( [0u8; shake128::FIVE_BLOCKS_SIZE], [0u8; shake128::FIVE_BLOCKS_SIZE], @@ -556,29 +556,30 @@ mod tests { } } - PolynomialRingElement::::from_i32_array(&tmp_stack[0]) + PolynomialRingElement::::from_i32_array(&tmp_stack[0], re); } - // This is just a wrapper around sample_four_ring_elements, for testing - // purposes. - fn sample_error_ring_element< - SIMDUnit: Operations, - Shake256X4: shake256::XofX4, - const ETA: usize, - >( - seed_base: [u8; 66], - ) -> PolynomialRingElement { - let mut s = [PolynomialRingElement::ZERO(); 6]; - let start_index = ((seed_base[65] as u16) << 8) | (seed_base[64] as u16); - std::eprintln!("start_index: {start_index}"); - sample_four_error_ring_elements::( - &seed_base, - start_index, - &mut s, - ); - - s[start_index as usize] - } + // // This is just a wrapper around sample_four_ring_elements, for testing + // // purposes. + // fn sample_error_ring_element< + // SIMDUnit: Operations, + // Shake256X4: shake256::XofX4, + // const ETA: usize, + // >( + // seed: &[u8], + // start_index: u16, + // ) -> PolynomialRingElement { + // let mut s = [PolynomialRingElement::ZERO(); 6]; + // // let start_index = ((seed[65] as u16) << 8) | (seed[64] as u16); + // // std::eprintln!("start_index: {start_index}"); + // sample_four_error_ring_elements::(&seed, start_index, &mut s); + + // for i in 0..s.len() { + // std::eprintln!("{:?}", s[i].to_i32_array()); + // } + + // s[start_index as usize] + // } fn test_sample_ring_element_uniform_generic() { let seed: [u8; 34] = [ @@ -616,10 +617,9 @@ mod tests { 703698, 5147821, 7632328, 5993194, 6329638, 5959986, 3073141, 675737, 7364844, 4124952, ]; - assert_eq!( - sample_ring_element_uniform::(seed).to_i32_array(), - expected_coefficients - ); + let mut re = PolynomialRingElement::ZERO(); + sample_ring_element_uniform::(seed, &mut re); + assert_eq!(re.to_i32_array(), expected_coefficients); // This seed and the expected coefficients were taken from the // "Signature Verification -- ML-DSA-65.txt" file in the "PQC Intermediate Values" @@ -631,8 +631,9 @@ mod tests { 0xB1, 0x83, 0x9B, 0x86, 0x06, 0xF5, 0x94, 0x8B, 0x9D, 0x72, 0xA9, 0x56, 0xDC, 0xF1, 0x01, 0x16, 0xDA, 0x9E, 0x01, 0x00, ]; - let actual_coefficients = - sample_ring_element_uniform::(seed).to_i32_array(); + let mut re = PolynomialRingElement::ZERO(); + sample_ring_element_uniform::(seed, &mut re); + let actual_coefficients = re.to_i32_array(); assert_eq!(actual_coefficients[0], 1_165_602); assert_eq!( @@ -671,63 +672,63 @@ mod tests { ); } - fn test_sample_error_ring_element_generic() { - // When ETA = 2 - let seed: [u8; 66] = [ - 51, 203, 133, 235, 126, 210, 169, 81, 4, 134, 147, 168, 252, 67, 176, 99, 130, 186, - 254, 103, 241, 199, 173, 78, 121, 232, 12, 244, 4, 143, 8, 174, 122, 170, 124, 35, 53, - 49, 202, 94, 27, 249, 200, 186, 175, 198, 169, 116, 244, 227, 133, 111, 205, 140, 233, - 110, 227, 67, 35, 226, 194, 75, 130, 105, 5, 0, - ]; - - let expected_coefficients: [i32; COEFFICIENTS_IN_RING_ELEMENT] = [ - 1, 0, -1, 0, 1, -2, -1, 0, -2, 2, -1, -2, 1, -2, 1, -2, 1, 2, -2, 2, -2, -1, 0, -2, -1, - -2, -2, 1, 1, -1, 1, 1, 2, -2, 2, -1, 1, 2, 0, 2, -1, 0, 2, -2, -2, 2, 0, 2, 1, 1, 2, - 1, 1, -2, 1, -1, 2, -2, -2, 2, -2, -2, 0, 0, -1, 0, 2, 0, 1, 2, 0, 2, -1, 2, 0, 2, 1, - -2, -2, 0, -1, -2, 2, -2, -1, 2, 1, -1, 2, 1, -2, -1, 1, -1, -1, -1, 2, -1, -2, -2, 2, - 2, 0, -1, -1, -2, 0, -1, 0, 1, 2, -2, 0, 2, 2, 1, 0, -1, -1, 0, -2, 2, 2, -2, 2, 1, -1, - -2, -1, -2, -1, 1, 2, 2, -1, 0, 1, 2, -1, 0, 0, 0, 1, 1, -1, -1, -1, -2, 2, 0, -2, 0, - 2, -1, 1, 1, 2, -2, 2, -2, 1, 0, -2, 1, 0, 0, -2, -2, 2, 2, -2, -1, 2, -2, 1, 0, 0, -1, - 0, -2, 2, -1, -2, 2, -1, 1, -2, -1, 0, -2, 2, 1, 2, 2, 2, 0, 2, 2, 2, 0, 2, 2, 2, -1, - -2, 1, 1, 0, -2, 1, 0, 0, -2, 1, -2, -1, 2, 0, 0, 2, 0, -2, -1, -1, 2, 2, -1, -1, -1, - -2, -2, -1, -2, 2, -2, 0, 1, 0, -2, -2, 2, 0, 1, 0, 0, -2, -1, 1, -1, 1, -1, -1, -1, 2, - 2, 0, - ]; - - // FIXME - // assert_eq!( - // sample_error_ring_element::(seed).to_i32_array(), - // expected_coefficients - // ); - - // When ETA = 4 - let seed: [u8; 66] = [ - 236, 4, 148, 239, 41, 178, 188, 226, 130, 212, 6, 144, 208, 180, 180, 105, 47, 148, 75, - 195, 181, 177, 5, 140, 204, 68, 24, 132, 169, 19, 68, 118, 67, 203, 13, 152, 29, 194, - 235, 123, 101, 109, 162, 137, 198, 164, 97, 247, 11, 44, 34, 49, 235, 251, 243, 177, - 213, 141, 65, 232, 136, 163, 85, 54, 10, 0, - ]; - - let expected_coefficients: [i32; COEFFICIENTS_IN_RING_ELEMENT] = [ - 2, -4, 2, -2, 1, 2, 4, 2, 4, -1, -4, 3, 2, 4, -1, 2, -3, 3, 1, -2, 0, 3, -2, 3, 4, 1, - -3, -2, 0, -4, -1, -4, 3, -4, 0, -3, -2, -3, 2, -3, -3, 3, -4, -3, -4, 1, -2, 4, -3, 4, - 4, 1, -3, -3, 4, 0, -2, 2, 4, -4, 4, -4, -1, -3, 4, 3, 2, -1, 3, -2, -2, -4, -1, -1, 4, - 1, 4, 0, 3, 4, -1, -3, 4, -4, 4, 1, -3, 0, -4, 2, 1, 4, -1, 0, -2, -2, -3, 3, -3, 4, 3, - 2, -2, -2, -1, 2, -1, -4, 3, 0, -2, 4, -1, 0, 4, -2, 4, -3, 2, -4, 2, 3, 3, 2, -4, 2, - 0, -2, 1, -4, 0, -4, -3, 2, 0, -2, -4, 1, 2, 3, 4, -4, 2, 2, 1, -4, 0, -4, -3, -2, -2, - -2, -1, 1, 4, 1, 0, -2, 2, 1, 4, -4, -1, 0, -1, -3, 2, 1, 3, 3, 4, -2, -2, 3, 1, 3, 3, - -4, -2, -1, -4, -3, 4, 1, 2, -3, -1, 3, 4, -3, 0, -1, -1, -4, -2, 1, -2, 3, -1, -2, 2, - -1, -2, 0, -2, 2, 3, 3, 2, 3, 4, 3, -3, -4, 1, 4, -3, 2, 0, -4, 4, -4, 2, 4, -2, -3, - -4, 3, 0, 1, -2, 2, -1, 4, 4, 0, -1, 1, 4, -2, -3, 2, -2, 4, 2, 1, 1, 1, -3, -2, -2, 2, - 2, -4, -1, 1, - ]; - - // FIXME - // assert_eq!( - // sample_error_ring_element::(seed).to_i32_array(), - // expected_coefficients - // ); - } + // fn test_sample_error_ring_element_generic() { + // // When ETA = 2 + // let seed: [u8; 64] = [ + // 51, 203, 133, 235, 126, 210, 169, 81, 4, 134, 147, 168, 252, 67, 176, 99, 130, 186, + // 254, 103, 241, 199, 173, 78, 121, 232, 12, 244, 4, 143, 8, 174, 122, 170, 124, 35, 53, + // 49, 202, 94, 27, 249, 200, 186, 175, 198, 169, 116, 244, 227, 133, 111, 205, 140, 233, + // 110, 227, 67, 35, 226, 194, 75, 130, 105, + // ]; + // let start_index = 5; + + // let expected_coefficients: [i32; COEFFICIENTS_IN_RING_ELEMENT] = [ + // 1, 0, -1, 0, 1, -2, -1, 0, -2, 2, -1, -2, 1, -2, 1, -2, 1, 2, -2, 2, -2, -1, 0, -2, -1, + // -2, -2, 1, 1, -1, 1, 1, 2, -2, 2, -1, 1, 2, 0, 2, -1, 0, 2, -2, -2, 2, 0, 2, 1, 1, 2, + // 1, 1, -2, 1, -1, 2, -2, -2, 2, -2, -2, 0, 0, -1, 0, 2, 0, 1, 2, 0, 2, -1, 2, 0, 2, 1, + // -2, -2, 0, -1, -2, 2, -2, -1, 2, 1, -1, 2, 1, -2, -1, 1, -1, -1, -1, 2, -1, -2, -2, 2, + // 2, 0, -1, -1, -2, 0, -1, 0, 1, 2, -2, 0, 2, 2, 1, 0, -1, -1, 0, -2, 2, 2, -2, 2, 1, -1, + // -2, -1, -2, -1, 1, 2, 2, -1, 0, 1, 2, -1, 0, 0, 0, 1, 1, -1, -1, -1, -2, 2, 0, -2, 0, + // 2, -1, 1, 1, 2, -2, 2, -2, 1, 0, -2, 1, 0, 0, -2, -2, 2, 2, -2, -1, 2, -2, 1, 0, 0, -1, + // 0, -2, 2, -1, -2, 2, -1, 1, -2, -1, 0, -2, 2, 1, 2, 2, 2, 0, 2, 2, 2, 0, 2, 2, 2, -1, + // -2, 1, 1, 0, -2, 1, 0, 0, -2, 1, -2, -1, 2, 0, 0, 2, 0, -2, -1, -1, 2, 2, -1, -1, -1, + // -2, -2, -1, -2, 2, -2, 0, 1, 0, -2, -2, 2, 0, 1, 0, 0, -2, -1, 1, -1, 1, -1, -1, -1, 2, + // 2, 0, + // ]; + + // assert_eq!( + // sample_error_ring_element::(&seed, start_index).to_i32_array(), + // expected_coefficients + // ); + + // // When ETA = 4 + // let seed: [u8; 66] = [ + // 236, 4, 148, 239, 41, 178, 188, 226, 130, 212, 6, 144, 208, 180, 180, 105, 47, 148, 75, + // 195, 181, 177, 5, 140, 204, 68, 24, 132, 169, 19, 68, 118, 67, 203, 13, 152, 29, 194, + // 235, 123, 101, 109, 162, 137, 198, 164, 97, 247, 11, 44, 34, 49, 235, 251, 243, 177, + // 213, 141, 65, 232, 136, 163, 85, 54, 10, 0, + // ]; + + // let expected_coefficients: [i32; COEFFICIENTS_IN_RING_ELEMENT] = [ + // 2, -4, 2, -2, 1, 2, 4, 2, 4, -1, -4, 3, 2, 4, -1, 2, -3, 3, 1, -2, 0, 3, -2, 3, 4, 1, + // -3, -2, 0, -4, -1, -4, 3, -4, 0, -3, -2, -3, 2, -3, -3, 3, -4, -3, -4, 1, -2, 4, -3, 4, + // 4, 1, -3, -3, 4, 0, -2, 2, 4, -4, 4, -4, -1, -3, 4, 3, 2, -1, 3, -2, -2, -4, -1, -1, 4, + // 1, 4, 0, 3, 4, -1, -3, 4, -4, 4, 1, -3, 0, -4, 2, 1, 4, -1, 0, -2, -2, -3, 3, -3, 4, 3, + // 2, -2, -2, -1, 2, -1, -4, 3, 0, -2, 4, -1, 0, 4, -2, 4, -3, 2, -4, 2, 3, 3, 2, -4, 2, + // 0, -2, 1, -4, 0, -4, -3, 2, 0, -2, -4, 1, 2, 3, 4, -4, 2, 2, 1, -4, 0, -4, -3, -2, -2, + // -2, -1, 1, 4, 1, 0, -2, 2, 1, 4, -4, -1, 0, -1, -3, 2, 1, 3, 3, 4, -2, -2, 3, 1, 3, 3, + // -4, -2, -1, -4, -3, 4, 1, 2, -3, -1, 3, 4, -3, 0, -1, -1, -4, -2, 1, -2, 3, -1, -2, 2, + // -1, -2, 0, -2, 2, 3, 3, 2, 3, 4, 3, -3, -4, 1, 4, -3, 2, 0, -4, 4, -4, 2, 4, -2, -3, + // -4, 3, 0, 1, -2, 2, -1, 4, 4, 0, -1, 1, 4, -2, -3, 2, -2, 4, 2, 1, 1, 1, -3, -2, -2, 2, + // 2, -4, -1, 1, + // ]; + + // // FIXME + // // assert_eq!( + // // sample_error_ring_element::(seed).to_i32_array(), + // // expected_coefficients + // // ); + // } fn test_sample_challenge_ring_element_generic< SIMDUnit: Operations, @@ -752,10 +753,9 @@ mod tests { 0, ]; - assert_eq!( - sample_challenge_ring_element::(seed).to_i32_array(), - expected_coefficients - ); + let mut re = PolynomialRingElement::ZERO(); + sample_challenge_ring_element::(seed, &mut re); + assert_eq!(re.to_i32_array(), expected_coefficients); // When TAU = 49 let seed: [u8; 32] = [ @@ -776,10 +776,9 @@ mod tests { 0, -1, 0, 0, 0, ]; - assert_eq!( - sample_challenge_ring_element::(seed).to_i32_array(), - expected_coefficients - ); + let mut re = PolynomialRingElement::ZERO(); + sample_challenge_ring_element::(seed, &mut re); + assert_eq!(re.to_i32_array(), expected_coefficients); // When TAU = 60 let seed: [u8; 32] = [ @@ -800,10 +799,9 @@ mod tests { 0, 0, 0, 1, -1, 0, ]; - assert_eq!( - sample_challenge_ring_element::(seed).to_i32_array(), - expected_coefficients - ); + let mut re = PolynomialRingElement::ZERO(); + sample_challenge_ring_element::(seed, &mut re); + assert_eq!(re.to_i32_array(), expected_coefficients); } #[cfg(not(feature = "simd256"))] @@ -847,13 +845,13 @@ mod tests { >(); } - #[test] - fn test_sample_error_ring_element() { - test_sample_error_ring_element_generic::< - simd::avx2::AVX2SIMDUnit, - hash_functions::simd256::Shake256x4, - >(); - } + // #[test] + // fn test_sample_error_ring_element() { + // test_sample_error_ring_element_generic::< + // simd::avx2::AVX2SIMDUnit, + // hash_functions::simd256::Shake256x4, + // >(); + // } #[test] fn test_sample_challenge_ring_element() { diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index f920c0f7a..3c6246c5f 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -473,54 +473,6 @@ pub(crate) fn matrix_generic< } } -#[cfg(feature = "mldsa44")] -#[inline(always)] -fn sample_s1_and_s2_4_by_4< - SIMDUnit: Operations, - Shake256X4: shake256::XofX4, - const ETA: usize, - const ROW_COLUMN: usize, ->( - seed: &[u8], - s1_s2: &mut [PolynomialRingElement; ROW_COLUMN], -) { - sample_four_error_ring_elements::(seed, 0, s1_s2); - sample_four_error_ring_elements::(seed, 4, s1_s2); -} - -#[cfg(feature = "mldsa65")] -#[inline(always)] -fn sample_s1_and_s2_5_by_6< - SIMDUnit: Operations, - Shake256X4: shake256::XofX4, - const ETA: usize, - const ROW_COLUMN: usize, ->( - seed_base: &[u8], - s1_s2: &mut [PolynomialRingElement; ROW_COLUMN], -) { - sample_four_error_ring_elements::(seed_base, 0, s1_s2); - sample_four_error_ring_elements::(seed_base, 4, s1_s2); - sample_four_error_ring_elements::(seed_base, 8, s1_s2); -} - -#[cfg(feature = "mldsa87")] -#[inline(always)] -fn sample_s1_and_s2_7_by_8< - SIMDUnit: Operations, - Shake256X4: shake256::XofX4, - const ETA: usize, - const ROW_COLUMN: usize, ->( - seed: &[u8], - s1_s2: &mut [PolynomialRingElement; ROW_COLUMN], -) { - sample_four_error_ring_elements::(seed, 0, s1_s2); - sample_four_error_ring_elements::(seed, 4, s1_s2); - sample_four_error_ring_elements::(seed, 8, s1_s2); - sample_four_error_ring_elements::(seed, 12, s1_s2); -} - #[inline(always)] pub(crate) fn sample_s1_and_s2< SIMDUnit: Operations, @@ -531,13 +483,7 @@ pub(crate) fn sample_s1_and_s2< seed: &[u8], s1_s2: &mut [PolynomialRingElement; ROW_COLUMN], ) { - match ROW_COLUMN as u8 { - #[cfg(feature = "mldsa44")] - 8 => sample_s1_and_s2_4_by_4::(seed, s1_s2), - #[cfg(feature = "mldsa65")] - 11 => sample_s1_and_s2_5_by_6::(seed, s1_s2), - #[cfg(feature = "mldsa87")] - 15 => sample_s1_and_s2_7_by_8::(seed, s1_s2), - _ => unreachable!(), + for i in 0..ROW_COLUMN.div_ceil(4) { + sample_four_error_ring_elements::(seed, 4 * i as u16, s1_s2); } } From dba6ee9266832a2b9967627b9930c8f76dc99aed Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Sat, 21 Dec 2024 07:06:57 +0000 Subject: [PATCH 04/58] more wip --- libcrux-ml-dsa/src/arithmetic.rs | 21 +++++-------- libcrux-ml-dsa/src/matrix.rs | 13 ++++---- libcrux-ml-dsa/src/ml_dsa_generic.rs | 29 +++++++++++------- libcrux-ml-dsa/src/sample.rs | 8 ++--- libcrux-ml-dsa/src/simd/avx2.rs | 6 ++-- libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 23 +++++++------- libcrux-ml-dsa/src/simd/portable.rs | 4 +-- .../src/simd/portable/arithmetic.rs | 30 +++++++++---------- libcrux-ml-dsa/src/simd/tests.rs | 5 ++-- libcrux-ml-dsa/src/simd/traits.rs | 2 +- 10 files changed, 69 insertions(+), 72 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index 602d892fa..c851000e6 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -66,23 +66,18 @@ pub(crate) fn power2round_vector( #[inline(always)] pub(crate) fn decompose_vector( t: [PolynomialRingElement; DIMENSION], -) -> ( - [PolynomialRingElement; DIMENSION], - [PolynomialRingElement; DIMENSION], + low: &mut [PolynomialRingElement; DIMENSION], + high: &mut [PolynomialRingElement; DIMENSION], ) { - let mut vector_low = [PolynomialRingElement::::ZERO(); DIMENSION]; - let mut vector_high = [PolynomialRingElement::::ZERO(); DIMENSION]; - for i in 0..DIMENSION { - for j in 0..vector_low[0].simd_units.len() { - let (low, high) = SIMDUnit::decompose::(t[i].simd_units[j]); - - vector_low[i].simd_units[j] = low; - vector_high[i].simd_units[j] = high; + for j in 0..low[0].simd_units.len() { + SIMDUnit::decompose::( + t[i].simd_units[j], + &mut low[i].simd_units[j], + &mut high[i].simd_units[j], + ); } } - - (vector_low, vector_high) } #[inline(always)] diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index f892b698f..ac6b70713 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -36,21 +36,20 @@ pub(crate) fn compute_As1_plus_s2< } /// Compute InvertNTT(Â ◦ ŷ) -#[allow(non_snake_case)] #[inline(always)] -pub(crate) fn compute_A_times_mask< +pub(crate) fn compute_matrix_x_mask< SIMDUnit: Operations, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, >( - A_as_ntt: &[[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + matrix: &[[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], mask: &[PolynomialRingElement; COLUMNS_IN_A], -) -> [PolynomialRingElement; ROWS_IN_A] { - let mut result = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; + result: &mut [PolynomialRingElement; ROWS_IN_A], +) { let mask_ntt = mask.map(|s| ntt::(s)); cloop! { - for (i, row) in A_as_ntt.iter().enumerate() { + for (i, row) in matrix.iter().enumerate() { cloop! { for (j, ring_element) in row.iter().enumerate() { let product = ntt_multiply_montgomery(&ring_element, &mask_ntt[j]); @@ -61,8 +60,6 @@ pub(crate) fn compute_A_times_mask< result[i] = invert_ntt_montgomery(result[i]); } } - - result } #[allow(non_snake_case)] diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 2d52d1b36..18537a8a4 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -6,8 +6,8 @@ use crate::{ encoding::{self, signature::Signature}, hash_functions::{shake128, shake256}, matrix::{ - add_vectors, compute_A_times_mask, compute_As1_plus_s2, compute_w_approx, subtract_vectors, - vector_times_ring_element, + add_vectors, compute_As1_plus_s2, compute_matrix_x_mask, compute_w_approx, + subtract_vectors, vector_times_ring_element, }, ntt::ntt, polynomial::PolynomialRingElement, @@ -309,16 +309,25 @@ pub(crate) fn sign_internal< while attempt < REJECTION_SAMPLE_BOUND_SIGN { attempt += 1; - let mask = - sample_mask_vector::( - into_padded_array(&mask_seed), - &mut domain_separator_for_mask, - ); + let mut mask = [PolynomialRingElement::ZERO(); COLUMNS_IN_A]; - let A_times_mask = - compute_A_times_mask::(&matrix, &mask); + sample_mask_vector::( + into_padded_array(&mask_seed), + &mut domain_separator_for_mask, + &mut mask, + ); - let (w0, commitment) = decompose_vector::(A_times_mask); + let mut w0 = [PolynomialRingElement::ZERO(); ROWS_IN_A]; + let mut commitment = [PolynomialRingElement::ZERO(); ROWS_IN_A]; + { + let mut a_x_mask = [PolynomialRingElement::ZERO(); ROWS_IN_A]; + compute_matrix_x_mask::( + &matrix, + &mask, + &mut a_x_mask, + ); + decompose_vector::(a_x_mask, &mut w0, &mut commitment); + } let mut commitment_hash_candidate = [0; COMMITMENT_HASH_SIZE]; { diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 838eb6eb4..84a10c1ee 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -396,9 +396,8 @@ pub(crate) fn sample_mask_vector< >( mut seed: [u8; 66], domain_separator: &mut u16, -) -> [PolynomialRingElement; DIMENSION] { - let mut mask = [PolynomialRingElement::::ZERO(); DIMENSION]; - + mask: &mut [PolynomialRingElement; DIMENSION], +) { // DIMENSION is COLUMNS_IN_A debug_assert!(DIMENSION == 4 || DIMENSION == 5 || DIMENSION == 7); // So we can always sample 4 elements in one go first. @@ -447,8 +446,6 @@ pub(crate) fn sample_mask_vector< // TODO: For 87 we may want to do another 4 and discard 1. sample_mask_ring_element::(seed, &mut mask[i]); } - - mask } #[inline(always)] @@ -479,6 +476,7 @@ fn inside_out_shuffle( done } + #[inline(always)] pub(crate) fn sample_challenge_ring_element< SIMDUnit: Operations, diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 2359a4671..7a36b7bad 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -55,10 +55,8 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn decompose(simd_unit: Self) -> (Self, Self) { - let (lower, upper) = arithmetic::decompose::(simd_unit.coefficients); - - (lower.into(), upper.into()) + fn decompose(simd_unit: Self, low: &mut Self, high: &mut Self) { + arithmetic::decompose::(simd_unit.coefficients, &mut low.coefficients, &mut high.coefficients); } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index bc7be4e87..919df4ea2 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -5,6 +5,8 @@ use crate::{ use libcrux_intrinsics::avx2::*; +use super::vector_type::ZERO; + fn to_unsigned_representatives(t: Vec256) -> Vec256 { let signs = mm256_srai_epi32::<31>(t); let conditional_add_field_modulus = mm256_and_si256(signs, mm256_set1_epi32(FIELD_MODULUS)); @@ -125,7 +127,7 @@ pub fn power2round(r: Vec256) -> (Vec256, Vec256) { #[allow(non_snake_case)] #[inline(always)] -pub fn decompose(r: Vec256) -> (Vec256, Vec256) { +pub fn decompose(r: Vec256, r0: &mut Vec256, r1: &mut Vec256) { let r = to_unsigned_representatives(r); let field_modulus_halved = mm256_set1_epi32((FIELD_MODULUS - 1) / 2); @@ -134,7 +136,7 @@ pub fn decompose(r: Vec256) -> (Vec256, Vec256) { // const value. let ALPHA: i32 = GAMMA2 * 2; - let r1 = { + *r1 = { let ceil_of_r_by_128 = mm256_add_epi32(r, mm256_set1_epi32(127)); let ceil_of_r_by_128 = mm256_srai_epi32::<7>(ceil_of_r_by_128); @@ -173,17 +175,15 @@ pub fn decompose(r: Vec256) -> (Vec256, Vec256) { // In the corner-case, when we set a₁=0, we will incorrectly // have a₀ > (q-1)/2 and we'll need to subtract q. As we // return a₀ + q, that comes down to adding q if a₀ < (q-1)/2. - let r0 = mm256_mullo_epi32(r1, mm256_set1_epi32(ALPHA)); - let r0 = mm256_sub_epi32(r, r0); + *r0 = mm256_mullo_epi32(*r1, mm256_set1_epi32(ALPHA)); + *r0 = mm256_sub_epi32(r, *r0); - let mask = mm256_sub_epi32(field_modulus_halved, r0); + let mask = mm256_sub_epi32(field_modulus_halved, *r0); let mask = mm256_srai_epi32::<31>(mask); let field_modulus_and_mask = mm256_and_si256(mask, mm256_set1_epi32(FIELD_MODULUS)); - let r0 = mm256_sub_epi32(r0, field_modulus_and_mask); - - (r0, r1) + *r0 = mm256_sub_epi32(*r0, field_modulus_and_mask); } #[inline(always)] @@ -214,7 +214,8 @@ pub fn compute_hint(low: Vec256, high: Vec256) -> (usize, Vec #[inline(always)] pub(crate) fn use_hint(r: Vec256, hint: Vec256) -> Vec256 { - let (r0, r1) = decompose::(r); + let (mut r0, mut r1) = (ZERO(), ZERO()); + decompose::(r, &mut r0.coefficients, &mut r1.coefficients); let all_zeros = mm256_setzero_si256(); @@ -223,7 +224,7 @@ pub(crate) fn use_hint(r: Vec256, hint: Vec256) -> Vec256 { // // With this step, |negate_hints| will match |hint| in only those lanes in // which the corresponding r0 value is negative, and will be 0 elsewhere. - let negate_hints = vec256_blendv_epi32(all_zeros, hint, r0); + let negate_hints = vec256_blendv_epi32(all_zeros, hint, r0.coefficients); // If a lane in |negate_hints| is 1, it means the corresponding hint was 1, // and the lane value will be doubled. It will remain 0 otherwise. @@ -234,7 +235,7 @@ pub(crate) fn use_hint(r: Vec256, hint: Vec256) -> Vec256 { let hints = mm256_sub_epi32(hint, negate_hints); // Now add the hints to r1 - let mut r1_plus_hints = mm256_add_epi32(r1, hints); + let mut r1_plus_hints = mm256_add_epi32(r1.coefficients, hints); match GAMMA2 { 95_232 => { diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index fff2c9b98..66bd4fcb0 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -48,8 +48,8 @@ impl Operations for PortableSIMDUnit { arithmetic::infinity_norm_exceeds(simd_unit, bound) } - fn decompose(simd_unit: Self) -> (Self, Self) { - arithmetic::decompose::(simd_unit) + fn decompose(simd_unit: Self, low: &mut Self, high: &mut Self) { + arithmetic::decompose::(simd_unit, low, high) } fn compute_hint(low: Self, high: Self) -> (usize, Self) { diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index d803487a8..f07401b40 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -223,7 +223,7 @@ pub fn compute_hint( // Note that 0 ≤ r₁ < (q-1)/α. #[allow(non_snake_case)] #[inline(always)] -fn decompose_element(r: i32) -> (i32, i32) { +fn decompose_element(r: i32, r0: &mut i32, r1: &mut i32) { debug_assert!(r > -FIELD_MODULUS && r < FIELD_MODULUS); // Convert the signed representative to the standard unsigned one. @@ -231,7 +231,7 @@ fn decompose_element(r: i32) -> (i32, i32) { let ALPHA = GAMMA2 * 2; - let r1 = { + *r1 = { // Compute ⌈r / 128⌉ let ceil_of_r_by_128 = (r + 127) >> 7; @@ -256,19 +256,18 @@ fn decompose_element(r: i32) -> (i32, i32) { } }; - let mut r0 = r - (r1 * ALPHA); + *r0 = r - (*r1 * ALPHA); // In the corner-case, when we set a₁=0, we will incorrectly // have a₀ > (q-1)/2 and we'll need to subtract q. As we // return a₀ + q, that comes down to adding q if a₀ < (q-1)/2. - r0 -= (((FIELD_MODULUS - 1) / 2 - r0) >> 31) & FIELD_MODULUS; - - (r0, r1) + *r0 -= (((FIELD_MODULUS - 1) / 2 - *r0) >> 31) & FIELD_MODULUS; } #[inline(always)] pub(crate) fn use_one_hint(r: i32, hint: i32) -> i32 { - let (r0, r1) = decompose_element::(r); + let (mut r0, mut r1) = (0, 0); + decompose_element::(r, &mut r0, &mut r1); if hint == 0 { return r1; @@ -304,17 +303,16 @@ pub(crate) fn use_one_hint(r: i32, hint: i32) -> i32 { #[inline(always)] pub fn decompose( simd_unit: PortableSIMDUnit, -) -> (PortableSIMDUnit, PortableSIMDUnit) { - let mut low = ZERO(); - let mut high = ZERO(); - + low: &mut PortableSIMDUnit, + high: &mut PortableSIMDUnit, +) { for i in 0..low.coefficients.len() { - let (low_part, high_part) = decompose_element::(simd_unit.coefficients[i]); - low.coefficients[i] = low_part; - high.coefficients[i] = high_part; + decompose_element::( + simd_unit.coefficients[i], + &mut low.coefficients[i], + &mut high.coefficients[i], + ); } - - (low, high) } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/tests.rs b/libcrux-ml-dsa/src/simd/tests.rs index acd67ac45..964750189 100644 --- a/libcrux-ml-dsa/src/simd/tests.rs +++ b/libcrux-ml-dsa/src/simd/tests.rs @@ -11,7 +11,8 @@ fn test_decompose_generic() { ]); let expected_high = SIMDUnit::from_coefficient_array(&[29, 28, 1, 43, 27, 29, 18, 21]); - let (low, high) = SIMDUnit::decompose::<95_232>(input); + let (mut low, mut high) = (SIMDUnit::ZERO(), SIMDUnit::ZERO()); + SIMDUnit::decompose::<95_232>(input, &mut low, &mut high); assert_eq!( low.to_coefficient_array(), @@ -32,7 +33,7 @@ fn test_decompose_generic() { ]); let expected_high = SIMDUnit::from_coefficient_array(&[4, 14, 12, 15, 4, 0, 1, 4]); - let (low, high) = SIMDUnit::decompose::<261_888>(input); + SIMDUnit::decompose::<261_888>(input, &mut low, &mut high); assert_eq!( low.to_coefficient_array(), diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 30505cedb..67f7d89f4 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -25,7 +25,7 @@ pub(crate) trait Operations: Copy + Clone { fn add(lhs: &Self, rhs: &Self) -> Self; fn subtract(lhs: &Self, rhs: &Self) -> Self; fn infinity_norm_exceeds(simd_unit: Self, bound: i32) -> bool; - fn decompose(simd_unit: Self) -> (Self, Self); + fn decompose(simd_unit: Self, low: &mut Self, high: &mut Self); fn compute_hint(low: Self, high: Self) -> (usize, Self); fn use_hint(simd_unit: Self, hint: Self) -> Self; From f466f47fbe473157172ac9a13dd3ffb601ec58de Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 09:00:08 +0000 Subject: [PATCH 05/58] reworking Operations trait --- libcrux-ml-dsa/src/arithmetic.rs | 46 ++--- libcrux-ml-dsa/src/ntt.rs | 41 ++--- libcrux-ml-dsa/src/polynomial.rs | 9 +- libcrux-ml-dsa/src/simd/avx2.rs | 57 +++--- libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 78 ++++----- libcrux-ml-dsa/src/simd/avx2/invntt.rs | 61 +++---- libcrux-ml-dsa/src/simd/avx2/ntt.rs | 53 +++--- libcrux-ml-dsa/src/simd/avx2/vector_type.rs | 27 ++- libcrux-ml-dsa/src/simd/portable.rs | 44 ++--- .../src/simd/portable/arithmetic.rs | 111 ++++-------- libcrux-ml-dsa/src/simd/portable/invntt.rs | 165 ++++++++---------- libcrux-ml-dsa/src/simd/portable/ntt.rs | 163 ++++++++--------- .../src/simd/portable/vector_type.rs | 24 ++- libcrux-ml-dsa/src/simd/traits.rs | 33 ++-- 14 files changed, 417 insertions(+), 495 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index c851000e6..5edb95735 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -24,43 +24,23 @@ pub(crate) fn vector_infinity_norm_exceeds( - re: PolynomialRingElement, -) -> PolynomialRingElement { - let mut out = PolynomialRingElement::ZERO(); - - cloop! { - for (i, simd_unit) in re.simd_units.iter().enumerate() { - out.simd_units[i] = SIMDUnit::shift_left_then_reduce::(*simd_unit); - } + re: &mut PolynomialRingElement, +) { + for i in 0..re.simd_units.len() { + SIMDUnit::shift_left_then_reduce::(&mut re.simd_units[i]); } - - out } #[inline(always)] pub(crate) fn power2round_vector( - t: [PolynomialRingElement; DIMENSION], -) -> ( - [PolynomialRingElement; DIMENSION], - [PolynomialRingElement; DIMENSION], + t: &mut [PolynomialRingElement; DIMENSION], + t1: &mut [PolynomialRingElement; DIMENSION], ) { - let mut t0 = [PolynomialRingElement::::ZERO(); DIMENSION]; - let mut t1 = [PolynomialRingElement::::ZERO(); DIMENSION]; - - cloop! { - for (i, ring_element) in t.iter().enumerate() { - cloop!{ - for (j, simd_unit) in ring_element.simd_units.iter().enumerate() { - let (t0_unit, t1_unit) = SIMDUnit::power2round(*simd_unit); - - t0[i].simd_units[j] = t0_unit; - t1[i].simd_units[j] = t1_unit; - } - } + for i in 0..t.len() { + for j in 0..t[i].simd_units.len() { + SIMDUnit::power2round(&mut t[i].simd_units[j], &mut t1[i].simd_units[j]); } } - - (t0, t1) } #[inline(always)] @@ -89,11 +69,11 @@ pub(crate) fn make_hint::ZERO(); for j in 0..hint_simd.simd_units.len() { let (one_hints_count, current_hint) = - SIMDUnit::compute_hint::(low[i].simd_units[j], high[i].simd_units[j]); + SIMDUnit::compute_hint::(&low[i].simd_units[j], &high[i].simd_units[j]); hint_simd.simd_units[j] = current_hint; true_hints += one_hints_count; @@ -113,11 +93,11 @@ pub(crate) fn use_hint::ZERO(); DIMENSION]; for i in 0..DIMENSION { + // XXX: Why can't we keep the hint as simd units? PolynomialRingElement::::from_i32_array(&hint[i], &mut result[i]); for j in 0..result[0].simd_units.len() { - result[i].simd_units[j] = - SIMDUnit::use_hint::(re_vector[i].simd_units[j], result[i].simd_units[j]); + SIMDUnit::use_hint::(&re_vector[i].simd_units[j], &mut result[i].simd_units[j]); } } diff --git a/libcrux-ml-dsa/src/ntt.rs b/libcrux-ml-dsa/src/ntt.rs index 6f5646cb9..2e96a67f9 100644 --- a/libcrux-ml-dsa/src/ntt.rs +++ b/libcrux-ml-dsa/src/ntt.rs @@ -1,35 +1,25 @@ use crate::{polynomial::PolynomialRingElement, simd::traits::Operations}; #[inline(always)] -pub(crate) fn ntt( - re: PolynomialRingElement, -) -> PolynomialRingElement { - PolynomialRingElement { - simd_units: SIMDUnit::ntt(re.simd_units), - } +pub(crate) fn ntt(re: &mut PolynomialRingElement) { + SIMDUnit::ntt(&mut re.simd_units); } #[inline(always)] pub(crate) fn invert_ntt_montgomery( - re: PolynomialRingElement, -) -> PolynomialRingElement { - PolynomialRingElement { - simd_units: SIMDUnit::invert_ntt_montgomery(re.simd_units), - } + re: &mut PolynomialRingElement, +) { + SIMDUnit::invert_ntt_montgomery(&mut re.simd_units); } #[inline(always)] pub(crate) fn ntt_multiply_montgomery( - lhs: &PolynomialRingElement, + lhs: &mut PolynomialRingElement, rhs: &PolynomialRingElement, -) -> PolynomialRingElement { - let mut out = PolynomialRingElement::ZERO(); - - for i in 0..out.simd_units.len() { - out.simd_units[i] = SIMDUnit::montgomery_multiply(lhs.simd_units[i], rhs.simd_units[i]); +) { + for i in 0..lhs.simd_units.len() { + SIMDUnit::montgomery_multiply(&mut lhs.simd_units[i], &rhs.simd_units[i]); } - - out } #[cfg(test)] @@ -67,7 +57,7 @@ mod tests { -391807, 392057, -132521, -441664, -349459, -373059, -296519, 274235, 42417, 47385, -104540, 142532, 246380, -515363, -422665, ]; - let re = PolynomialRingElement::::from_i32_array_test(&coefficients); + let mut re = PolynomialRingElement::::from_i32_array_test(&coefficients); let expected_coefficients = [ -17129289, -17188287, -11027856, -7293060, -14589541, -12369669, -1420304, -9409026, @@ -101,7 +91,8 @@ mod tests { 15979738, 1459696, 8351548, 3335586, 1150210, -2462074, -4642922, 4538634, 1858098, ]; - assert_eq!(ntt(re).to_i32_array(), expected_coefficients); + ntt(&mut re); + assert_eq!(re.to_i32_array(), expected_coefficients); } fn test_invert_ntt_montgomery_generic() { @@ -136,7 +127,7 @@ mod tests { -3881813, 2536840, -2924666, 2425664, 2635292, 2752536, -136653, 4057087, -633680, 3039079, -2733512, 1734173, -2109687, ]; - let re = PolynomialRingElement::::from_i32_array_test(&coefficients); + let mut re = PolynomialRingElement::::from_i32_array_test(&coefficients); let expected_coefficients = [ 3966085, -2067161, 579114, -3597478, 2232818, -17588, 1194752, -1205114, -4058138, @@ -170,10 +161,8 @@ mod tests { -3909173, 1453538, -4079655, ]; - assert_eq!( - invert_ntt_montgomery(re).to_i32_array(), - expected_coefficients - ); + invert_ntt_montgomery(&mut re); + assert_eq!(re.to_i32_array(), expected_coefficients); } #[cfg(not(feature = "simd256"))] diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index d5b206fa3..1a4ec3595 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -5,7 +5,7 @@ use crate::{ #[derive(Clone, Copy)] pub(crate) struct PolynomialRingElement { - pub(crate) simd_units: [SIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], + pub(crate) simd_units: [SIMDUnit::Coefficient; SIMD_UNITS_IN_RING_ELEMENT], } impl PolynomialRingElement { @@ -17,14 +17,13 @@ impl PolynomialRingElement { } // This is useful for debugging. - #[allow(dead_code)] + // XXX: Used in `make_int` pub(crate) fn to_i32_array(&self) -> [i32; 256] { let mut result = [0i32; 256]; cloop! { for (i, simd_unit) in self.simd_units.iter().enumerate() { - result[i * COEFFICIENTS_IN_SIMD_UNIT..(i + 1) * COEFFICIENTS_IN_SIMD_UNIT] - .copy_from_slice(&simd_unit.to_coefficient_array()); + SIMDUnit::to_coefficient_array(&simd_unit, &mut result[i * COEFFICIENTS_IN_SIMD_UNIT..(i + 1) * COEFFICIENTS_IN_SIMD_UNIT]); } } @@ -51,7 +50,7 @@ impl PolynomialRingElement { let mut exceeds = false; for i in 0..self.simd_units.len() { - exceeds = exceeds || SIMDUnit::infinity_norm_exceeds(self.simd_units[i], bound); + exceeds = exceeds || SIMDUnit::infinity_norm_exceeds(&self.simd_units[i], bound); } exceeds diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 7a36b7bad..400df740f 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -7,67 +7,70 @@ mod ntt; mod rejection_sample; mod vector_type; -pub(crate) use vector_type::AVX2SIMDUnit; +use vector_type::Vec256; +pub(crate) use vector_type::{AVX2RingElement, AVX2SIMDUnit}; impl Operations for AVX2SIMDUnit { + type Coefficient = Vec256; + #[inline(always)] - fn ZERO() -> Self { - vector_type::ZERO() + fn ZERO() -> Vec256 { + vector_type::zero() } #[inline(always)] - fn from_coefficient_array(coefficient_array: &[i32]) -> Self { + fn from_coefficient_array(coefficient_array: &[i32]) -> Vec256 { vector_type::from_coefficient_array(coefficient_array) } #[inline(always)] - fn to_coefficient_array(&self) -> [i32; 8] { - vector_type::to_coefficient_array(&self) + fn to_coefficient_array(value: &Vec256, out: &mut [i32]) { + vector_type::to_coefficient_array(value, out) } #[inline(always)] - fn add(lhs: &Self, rhs: &Self) -> Self { - arithmetic::add(lhs.coefficients, rhs.coefficients).into() + fn add(lhs: &Vec256, rhs: &Vec256) -> Vec256 { + arithmetic::add(lhs, rhs) } #[inline(always)] - fn subtract(lhs: &Self, rhs: &Self) -> Self { - arithmetic::subtract(lhs.coefficients, rhs.coefficients).into() + fn subtract(lhs: &Vec256, rhs: &Vec256) -> Vec256 { + arithmetic::subtract(lhs, rhs) } #[inline(always)] - fn montgomery_multiply(lhs: Self, rhs: Self) -> Self { - arithmetic::montgomery_multiply(lhs.coefficients, rhs.coefficients).into() + fn montgomery_multiply(lhs: &mut Vec256, rhs: &Vec256) { + arithmetic::montgomery_multiply(lhs, rhs); } #[inline(always)] - fn shift_left_then_reduce(simd_unit: Self) -> Self { - arithmetic::shift_left_then_reduce::(simd_unit.coefficients).into() + fn shift_left_then_reduce(simd_unit: &mut Vec256) { + arithmetic::shift_left_then_reduce::(simd_unit) } #[inline(always)] - fn power2round(simd_unit: Self) -> (Self, Self) { - let (lower, upper) = arithmetic::power2round(simd_unit.coefficients); - - (lower.into(), upper.into()) + fn power2round(t0: &mut Vec256, t1: &mut Vec256) { + arithmetic::power2round(t0, t1); } #[inline(always)] - fn infinity_norm_exceeds(simd_unit: Self, bound: i32) -> bool { - arithmetic::infinity_norm_exceeds(simd_unit.coefficients, bound) + fn infinity_norm_exceeds(simd_unit: &Vec256, bound: i32) -> bool { + arithmetic::infinity_norm_exceeds(simd_unit, bound) } #[inline(always)] fn decompose(simd_unit: Self, low: &mut Self, high: &mut Self) { - arithmetic::decompose::(simd_unit.coefficients, &mut low.coefficients, &mut high.coefficients); + arithmetic::decompose::( + simd_unit.coefficients, + &mut low.coefficients, + &mut high.coefficients, + ); } #[inline(always)] - fn compute_hint(low: Self, high: Self) -> (usize, Self) { - let (count, hint) = arithmetic::compute_hint::(low.coefficients, high.coefficients); - - (count, hint.into()) + fn compute_hint(low: &Vec256, high: &Vec256) -> (usize, Vec256) { + arithmetic::compute_hint::(low, high) } #[inline(always)] - fn use_hint(simd_unit: Self, hint: Self) -> Self { - arithmetic::use_hint::(simd_unit.coefficients, hint.coefficients).into() + fn use_hint(simd_unit: &Vec256, hint: &mut Vec256) { + arithmetic::use_hint::(simd_unit, hint); } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index 919df4ea2..6756fe977 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -7,21 +7,22 @@ use libcrux_intrinsics::avx2::*; use super::vector_type::ZERO; -fn to_unsigned_representatives(t: Vec256) -> Vec256 { - let signs = mm256_srai_epi32::<31>(t); +#[inline(always)] +fn to_unsigned_representatives(t: &mut Vec256) { + let signs = mm256_srai_epi32::<31>(*t); let conditional_add_field_modulus = mm256_and_si256(signs, mm256_set1_epi32(FIELD_MODULUS)); - mm256_add_epi32(t, conditional_add_field_modulus) + *t = mm256_add_epi32(*t, conditional_add_field_modulus); } #[inline(always)] -pub fn add(lhs: Vec256, rhs: Vec256) -> Vec256 { - mm256_add_epi32(lhs, rhs) +pub fn add(lhs: &Vec256, rhs: &Vec256) -> Vec256 { + mm256_add_epi32(*lhs, *rhs) } #[inline(always)] -pub fn subtract(lhs: Vec256, rhs: Vec256) -> Vec256 { - mm256_sub_epi32(lhs, rhs) +pub fn subtract(lhs: &Vec256, rhs: &Vec256) -> Vec256 { + mm256_sub_epi32(*lhs, *rhs) } #[inline(always)] @@ -51,15 +52,15 @@ pub fn montgomery_multiply_by_constant(lhs: Vec256, constant: i32) -> Vec256 { } #[inline(always)] -pub fn montgomery_multiply(lhs: Vec256, rhs: Vec256) -> Vec256 { +pub fn montgomery_multiply(lhs: &mut Vec256, rhs: &Vec256) { let field_modulus = mm256_set1_epi32(FIELD_MODULUS); let inverse_of_modulus_mod_montgomery_r = mm256_set1_epi32(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32); - let prod02 = mm256_mul_epi32(lhs, rhs); + let prod02 = mm256_mul_epi32(*lhs, *rhs); let prod13 = mm256_mul_epi32( - mm256_shuffle_epi32::<0b11_11_01_01>(lhs), - mm256_shuffle_epi32::<0b11_11_01_01>(rhs), + mm256_shuffle_epi32::<0b11_11_01_01>(*lhs), + mm256_shuffle_epi32::<0b11_11_01_01>(*rhs), ); let k02 = mm256_mul_epi32(prod02, inverse_of_modulus_mod_montgomery_r); let k13 = mm256_mul_epi32(prod13, inverse_of_modulus_mod_montgomery_r); @@ -70,13 +71,12 @@ pub fn montgomery_multiply(lhs: Vec256, rhs: Vec256) -> Vec256 { let res02 = mm256_sub_epi32(prod02, c02); let res13 = mm256_sub_epi32(prod13, c13); let res02_shifted = mm256_shuffle_epi32::<0b11_11_01_01>(res02); - let res = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); - res + *lhs = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); } #[inline(always)] -pub fn shift_left_then_reduce(simd_unit: Vec256) -> Vec256 { - let shifted = mm256_slli_epi32::(simd_unit); +pub fn shift_left_then_reduce(simd_unit: &mut Vec256) { + let shifted = mm256_slli_epi32::(*simd_unit); let quotient = mm256_add_epi32(shifted, mm256_set1_epi32(1 << 22)); let quotient = mm256_srai_epi32::<23>(quotient); @@ -84,14 +84,14 @@ pub fn shift_left_then_reduce(simd_unit: Vec256) -> Vec256 let quotient_times_field_modulus = mm256_mullo_epi32(quotient, mm256_set1_epi32(FIELD_MODULUS as i32)); - mm256_sub_epi32(shifted, quotient_times_field_modulus) + *simd_unit = mm256_sub_epi32(shifted, quotient_times_field_modulus); } // TODO: Revisit this function when doing the range analysis and testing // additional KATs. #[inline(always)] -pub fn infinity_norm_exceeds(simd_unit: Vec256, bound: i32) -> bool { - let absolute_values = mm256_abs_epi32(simd_unit); +pub fn infinity_norm_exceeds(simd_unit: &Vec256, bound: i32) -> bool { + let absolute_values = mm256_abs_epi32(*simd_unit); // We will test if |simd_unit| > bound - 1, because if this is the case then // it follows that |simd_unit| >= bound @@ -110,25 +110,23 @@ pub fn infinity_norm_exceeds(simd_unit: Vec256, bound: i32) -> bool { } #[inline(always)] -pub fn power2round(r: Vec256) -> (Vec256, Vec256) { - let r = to_unsigned_representatives(r); +pub fn power2round(r0: &mut Vec256, r1: &mut Vec256) { + to_unsigned_representatives(r0); - let r1 = mm256_add_epi32( - r, + *r1 = mm256_add_epi32( + *r0, mm256_set1_epi32((1 << (BITS_IN_LOWER_PART_OF_T - 1)) - 1), ); - let r1 = mm256_srai_epi32::<{ BITS_IN_LOWER_PART_OF_T as i32 }>(r1); + *r1 = mm256_srai_epi32::<{ BITS_IN_LOWER_PART_OF_T as i32 }>(*r1); - let r0 = mm256_slli_epi32::<{ BITS_IN_LOWER_PART_OF_T as i32 }>(r1); - let r0 = mm256_sub_epi32(r, r0); - - (r0, r1) + *r0 = mm256_slli_epi32::<{ BITS_IN_LOWER_PART_OF_T as i32 }>(*r1); + *r0 = mm256_sub_epi32(*r0, *r0); } #[allow(non_snake_case)] #[inline(always)] -pub fn decompose(r: Vec256, r0: &mut Vec256, r1: &mut Vec256) { - let r = to_unsigned_representatives(r); +pub fn decompose(mut r: Vec256, r0: &mut Vec256, r1: &mut Vec256) { + to_unsigned_representatives(&mut r); let field_modulus_halved = mm256_set1_epi32((FIELD_MODULUS - 1) / 2); @@ -187,17 +185,17 @@ pub fn decompose(r: Vec256, r0: &mut Vec256, r1: &mut Vec256) } #[inline(always)] -pub fn compute_hint(low: Vec256, high: Vec256) -> (usize, Vec256) { +pub fn compute_hint(low: &Vec256, high: &Vec256) -> (usize, Vec256) { let gamma2 = mm256_set1_epi32(GAMMA2); let minus_gamma2 = mm256_set1_epi32(-GAMMA2); - let low_within_bound = mm256_cmpgt_epi32(mm256_abs_epi32(low), gamma2); - let low_equals_minus_gamma2 = mm256_cmpeq_epi32(low, minus_gamma2); + let low_within_bound = mm256_cmpgt_epi32(mm256_abs_epi32(*low), gamma2); + let low_equals_minus_gamma2 = mm256_cmpeq_epi32(*low, minus_gamma2); // If a lane in |high| is 0, the corresponding output will be 0; the output // will have its most significant bit set to 1 otherwise. let low_equals_minus_gamma2_and_high_is_nonzero = - mm256_sign_epi32(low_equals_minus_gamma2, high); + mm256_sign_epi32(low_equals_minus_gamma2, *high); let hints = mm256_or_si256( low_within_bound, @@ -213,9 +211,9 @@ pub fn compute_hint(low: Vec256, high: Vec256) -> (usize, Vec } #[inline(always)] -pub(crate) fn use_hint(r: Vec256, hint: Vec256) -> Vec256 { +pub(crate) fn use_hint(r: &Vec256, hint: &mut Vec256) { let (mut r0, mut r1) = (ZERO(), ZERO()); - decompose::(r, &mut r0.coefficients, &mut r1.coefficients); + decompose::(r.clone(), &mut r0.coefficients, &mut r1.coefficients); let all_zeros = mm256_setzero_si256(); @@ -224,7 +222,7 @@ pub(crate) fn use_hint(r: Vec256, hint: Vec256) -> Vec256 { // // With this step, |negate_hints| will match |hint| in only those lanes in // which the corresponding r0 value is negative, and will be 0 elsewhere. - let negate_hints = vec256_blendv_epi32(all_zeros, hint, r0.coefficients); + let negate_hints = vec256_blendv_epi32(all_zeros, *hint, r0.coefficients); // If a lane in |negate_hints| is 1, it means the corresponding hint was 1, // and the lane value will be doubled. It will remain 0 otherwise. @@ -232,7 +230,7 @@ pub(crate) fn use_hint(r: Vec256, hint: Vec256) -> Vec256 { // Suppose |hints[0]| = 1, and |r0[0]| = 1, then this will set |hints[0]| = -1. // (we're indexing into an AVX2 vector, as it were). - let hints = mm256_sub_epi32(hint, negate_hints); + let hints = mm256_sub_epi32(*hint, negate_hints); // Now add the hints to r1 let mut r1_plus_hints = mm256_add_epi32(r1.coefficients, hints); @@ -248,9 +246,11 @@ pub(crate) fn use_hint(r: Vec256, hint: Vec256) -> Vec256 { let greater_than_or_equal_to_max = mm256_cmpgt_epi32(r1_plus_hints, max); // If r1 is greater than equal to 43, we need to set the result to 0. - vec256_blendv_epi32(r1_plus_hints, all_zeros, greater_than_or_equal_to_max) + *hint = vec256_blendv_epi32(r1_plus_hints, all_zeros, greater_than_or_equal_to_max); + } + 261_888 => { + *hint = mm256_and_si256(r1_plus_hints, mm256_set1_epi32(15)); } - 261_888 => mm256_and_si256(r1_plus_hints, mm256_set1_epi32(15)), _ => unreachable!(), } diff --git a/libcrux-ml-dsa/src/simd/avx2/invntt.rs b/libcrux-ml-dsa/src/simd/avx2/invntt.rs index 4d01c7fe1..f2b50daf3 100644 --- a/libcrux-ml-dsa/src/simd/avx2/invntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/invntt.rs @@ -1,22 +1,20 @@ -use super::arithmetic; +use super::{arithmetic, AVX2RingElement}; use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; use libcrux_intrinsics::avx2::*; #[inline(always)] #[allow(unsafe_code)] -pub(crate) fn invert_ntt_montgomery( - mut re: [Vec256; SIMD_UNITS_IN_RING_ELEMENT], -) -> [Vec256; SIMD_UNITS_IN_RING_ELEMENT] { +pub(crate) fn invert_ntt_montgomery(re: &mut AVX2RingElement) { unsafe { - invert_ntt_at_layer_0(&mut re); - invert_ntt_at_layer_1(&mut re); - invert_ntt_at_layer_2(&mut re); - invert_ntt_at_layer_3(&mut re); - invert_ntt_at_layer_4(&mut re); - invert_ntt_at_layer_5(&mut re); - invert_ntt_at_layer_6(&mut re); - invert_ntt_at_layer_7(&mut re); + invert_ntt_at_layer_0(re); + invert_ntt_at_layer_1(re); + invert_ntt_at_layer_2(re); + invert_ntt_at_layer_3(re); + invert_ntt_at_layer_4(re); + invert_ntt_at_layer_5(re); + invert_ntt_at_layer_6(re); + invert_ntt_at_layer_7(re); } for i in 0..re.len() { // After invert_ntt_at_layer, elements are of the form a * MONTGOMERY_R^{-1} @@ -24,10 +22,9 @@ pub(crate) fn invert_ntt_montgomery( // // - Divide the elements by 256 and // - Convert the elements form montgomery domain to the standard domain. - re[i] = arithmetic::montgomery_multiply_by_constant(re[i], 41_978); + const FACTOR: i32 = 41_978; + re[i] = arithmetic::montgomery_multiply_by_constant(re[i], FACTOR); } - - re } #[inline(always)] @@ -50,16 +47,16 @@ fn simd_unit_invert_ntt_at_layer_0( let lo_values = mm256_unpacklo_epi64(a_shuffled, b_shuffled); let hi_values = mm256_unpackhi_epi64(a_shuffled, b_shuffled); - let sums = arithmetic::add(lo_values, hi_values); - let differences = arithmetic::subtract(hi_values, lo_values); + let sums = arithmetic::add(&lo_values, &hi_values); + let mut differences = arithmetic::subtract(&hi_values, &lo_values); let zetas = mm256_set_epi32( zeta13, zeta12, zeta03, zeta02, zeta11, zeta10, zeta01, zeta00, ); - let products = arithmetic::montgomery_multiply(differences, zetas); + arithmetic::montgomery_multiply(&mut differences, &zetas); - let a_shuffled = mm256_unpacklo_epi64(sums, products); - let b_shuffled = mm256_unpackhi_epi64(sums, products); + let a_shuffled = mm256_unpacklo_epi64(sums, differences); + let b_shuffled = mm256_unpackhi_epi64(sums, differences); let a = mm256_shuffle_epi32::(a_shuffled); let b = mm256_shuffle_epi32::(b_shuffled); @@ -79,16 +76,16 @@ fn simd_unit_invert_ntt_at_layer_1( let lo_values = mm256_unpacklo_epi64(simd_unit0, simd_unit1); let hi_values = mm256_unpackhi_epi64(simd_unit0, simd_unit1); - let sums = arithmetic::add(lo_values, hi_values); - let differences = arithmetic::subtract(hi_values, lo_values); + let sums = arithmetic::add(&lo_values, &hi_values); + let mut differences = arithmetic::subtract(&hi_values, &lo_values); let zetas = mm256_set_epi32( zeta11, zeta11, zeta01, zeta01, zeta10, zeta10, zeta00, zeta00, ); - let products = arithmetic::montgomery_multiply(differences, zetas); + arithmetic::montgomery_multiply(&mut differences, &zetas); - let a = mm256_unpacklo_epi64(sums, products); - let b = mm256_unpackhi_epi64(sums, products); + let a = mm256_unpacklo_epi64(sums, differences); + let b = mm256_unpackhi_epi64(sums, differences); (a, b) } @@ -103,14 +100,14 @@ fn simd_unit_invert_ntt_at_layer_2( let lo_values = mm256_permute2x128_si256::<0x20>(simd_unit0, simd_unit1); let hi_values = mm256_permute2x128_si256::<0x31>(simd_unit0, simd_unit1); - let sums = arithmetic::add(lo_values, hi_values); - let differences = arithmetic::subtract(hi_values, lo_values); + let sums = arithmetic::add(&lo_values, &hi_values); + let mut differences = arithmetic::subtract(&hi_values, &lo_values); let zetas = mm256_set_epi32(zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); - let products = arithmetic::montgomery_multiply(differences, zetas); + arithmetic::montgomery_multiply(&mut differences, &zetas); - let a = mm256_permute2x128_si256::<0x20>(sums, products); - let b = mm256_permute2x128_si256::<0x31>(sums, products); + let a = mm256_permute2x128_si256::<0x20>(sums, differences); + let b = mm256_permute2x128_si256::<0x31>(sums, differences); (a, b) } @@ -267,8 +264,8 @@ fn outer_3_plus( re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], ) { for j in OFFSET..OFFSET + STEP_BY { - let a_minus_b = arithmetic::subtract(re[j + STEP_BY], re[j]); - re[j] = arithmetic::add(re[j], re[j + STEP_BY]); + let a_minus_b = arithmetic::subtract(&re[j + STEP_BY], &re[j]); + re[j] = arithmetic::add(&re[j], &re[j + STEP_BY]); re[j + STEP_BY] = arithmetic::montgomery_multiply_by_constant(a_minus_b, ZETA); } () diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index 799eb0247..ab01fad61 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -1,4 +1,4 @@ -use super::arithmetic; +use super::{arithmetic, AVX2RingElement}; use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; use libcrux_intrinsics::avx2::*; @@ -30,15 +30,15 @@ fn butterfly_2( // Now we can use the same approach as for `butterfly_4`, only // zetas need to be adjusted. let summands = mm256_unpacklo_epi64(a_shuffled, b_shuffled); - let zeta_multiplicands = mm256_unpackhi_epi64(a_shuffled, b_shuffled); + let mut zeta_products = mm256_unpackhi_epi64(a_shuffled, b_shuffled); let zetas = mm256_set_epi32( zeta_b3, zeta_b2, zeta_a3, zeta_a2, zeta_b1, zeta_b0, zeta_a1, zeta_a0, ); - let zeta_products = arithmetic::montgomery_multiply(zeta_multiplicands, zetas); + arithmetic::montgomery_multiply(&mut zeta_products, &zetas); - let add_terms = arithmetic::add(summands, zeta_products); - let sub_terms = arithmetic::subtract(summands, zeta_products); + let add_terms = arithmetic::add(&summands, &zeta_products); + let sub_terms = arithmetic::subtract(&summands, &zeta_products); let a_terms_shuffled = mm256_unpacklo_epi64(add_terms, sub_terms); let b_terms_shuffled = mm256_unpackhi_epi64(add_terms, sub_terms); @@ -61,15 +61,15 @@ fn butterfly_4( zeta_b1: i32, ) -> (Vec256, Vec256) { let summands = mm256_unpacklo_epi64(a, b); - let zeta_multiplicands = mm256_unpackhi_epi64(a, b); + let mut zeta_products = mm256_unpackhi_epi64(a, b); let zetas = mm256_set_epi32( zeta_b1, zeta_b1, zeta_a1, zeta_a1, zeta_b0, zeta_b0, zeta_a0, zeta_a0, ); - let zeta_products = arithmetic::montgomery_multiply(zeta_multiplicands, zetas); + arithmetic::montgomery_multiply(&mut zeta_products, &zetas); - let add_terms = arithmetic::add(summands, zeta_products); - let sub_terms = arithmetic::subtract(summands, zeta_products); + let add_terms = arithmetic::add(&summands, &zeta_products); + let sub_terms = arithmetic::subtract(&summands, &zeta_products); // Results are shuffled across the two SIMD registers. // We need to bring them in the right order. @@ -83,13 +83,13 @@ fn butterfly_4( #[inline(always)] fn butterfly_8(a: Vec256, b: Vec256, zeta0: i32, zeta1: i32) -> (Vec256, Vec256) { let summands = mm256_set_m128i(mm256_castsi256_si128(b), mm256_castsi256_si128(a)); - let zeta_multiplicands = mm256_permute2x128_si256::<0b0001_0011>(b, a); + let mut zeta_products = mm256_permute2x128_si256::<0b0001_0011>(b, a); let zetas = mm256_set_epi32(zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); - let zeta_products = arithmetic::montgomery_multiply(zeta_multiplicands, zetas); + arithmetic::montgomery_multiply(&mut zeta_products, &zetas); - let add_terms = arithmetic::add(summands, zeta_products); - let sub_terms = arithmetic::subtract(summands, zeta_products); + let add_terms = arithmetic::add(&summands, &zeta_products); + let sub_terms = arithmetic::subtract(&summands, &zeta_products); let a_out = mm256_set_m128i( mm256_castsi256_si128(sub_terms), @@ -286,8 +286,8 @@ unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { let res02_shifted = mm256_shuffle_epi32::<0b11_11_01_01>(res02); // 0xF5 let t = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); // 0xAA - re[index + step_by] = arithmetic::subtract(re[index], t); - re[index] = arithmetic::add(re[index], t); + re[index + step_by] = arithmetic::subtract(&re[index], &t); + re[index] = arithmetic::add(&re[index], &t); } macro_rules! layer { @@ -362,10 +362,11 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { let offset = (index * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT; for j in offset..offset + STEP_BY { - let t = arithmetic::montgomery_multiply(re[j + STEP_BY], rhs); + let mut t = re[j + STEP_BY]; + arithmetic::montgomery_multiply(&mut t, &rhs); - re[j + STEP_BY] = arithmetic::subtract(re[j], t); - re[j] = arithmetic::add(re[j], t); + re[j + STEP_BY] = arithmetic::subtract(&re[j], &t); + re[j] = arithmetic::add(&re[j], &t); } () // Needed because of https://github.com/hacspec/hax/issues/720 } @@ -436,16 +437,12 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[allow(unsafe_code)] #[inline(always)] -pub(crate) fn ntt( - mut re: [Vec256; SIMD_UNITS_IN_RING_ELEMENT], -) -> [Vec256; SIMD_UNITS_IN_RING_ELEMENT] { +pub(crate) fn ntt(re: &mut AVX2RingElement) { unsafe { - ntt_at_layer_7_and_6(&mut re); - ntt_at_layer_5_to_3(&mut re); - ntt_at_layer_2(&mut re); - ntt_at_layer_1(&mut re); - ntt_at_layer_0(&mut re); + ntt_at_layer_7_and_6(re); + ntt_at_layer_5_to_3(re); + ntt_at_layer_2(re); + ntt_at_layer_1(re); + ntt_at_layer_0(re); } - - re } diff --git a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs index 13fa15372..8dc487018 100644 --- a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs +++ b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs @@ -1,25 +1,34 @@ +use super::SIMD_UNITS_IN_RING_ELEMENT; + +pub(super) use libcrux_intrinsics::avx2::Vec256; + #[derive(Clone, Copy)] pub struct AVX2SIMDUnit { - pub(crate) coefficients: libcrux_intrinsics::avx2::Vec256, + pub(crate) coefficients: Vec256, } -impl From for AVX2SIMDUnit { - fn from(coefficients: libcrux_intrinsics::avx2::Vec256) -> Self { +pub(crate) type AVX2RingElement = [Vec256; SIMD_UNITS_IN_RING_ELEMENT]; + +impl From for AVX2SIMDUnit { + fn from(coefficients: Vec256) -> Self { Self { coefficients } } } +pub(crate) fn zero() -> Vec256 { + libcrux_intrinsics::avx2::mm256_setzero_si256() +} + #[allow(non_snake_case)] pub(crate) fn ZERO() -> AVX2SIMDUnit { libcrux_intrinsics::avx2::mm256_setzero_si256().into() } -pub(crate) fn from_coefficient_array(coefficient_array: &[i32]) -> AVX2SIMDUnit { - libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array).into() +pub(crate) fn from_coefficient_array(coefficient_array: &[i32]) -> Vec256 { + libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array) } -pub(crate) fn to_coefficient_array(x: &AVX2SIMDUnit) -> [i32; 8] { - let mut coefficient_array = [0i32; 8]; - libcrux_intrinsics::avx2::mm256_storeu_si256_i32(&mut coefficient_array, x.coefficients); - coefficient_array +#[inline(always)] +pub(crate) fn to_coefficient_array(value: &Vec256, out: &mut [i32]) { + libcrux_intrinsics::avx2::mm256_storeu_si256_i32(out, *value); } diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 66bd4fcb0..3aad0d3a0 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -9,42 +9,45 @@ mod invntt; mod ntt; mod sample; +use vector_type::Coefficients; pub(crate) use vector_type::PortableSIMDUnit; impl Operations for PortableSIMDUnit { - fn ZERO() -> Self { - vector_type::ZERO() + type Coefficient = Coefficients; + + fn ZERO() -> Coefficients { + vector_type::zero() } - fn from_coefficient_array(array: &[i32]) -> Self { + fn from_coefficient_array(array: &[i32]) -> Coefficients { vector_type::from_coefficient_array(array) } - fn to_coefficient_array(&self) -> [i32; 8] { - vector_type::to_coefficient_array(&self) + fn to_coefficient_array(value: &Coefficients, out: &mut [i32]) { + vector_type::to_coefficient_array(value, out) } - fn add(lhs: &Self, rhs: &Self) -> Self { + fn add(lhs: &Coefficients, rhs: &Coefficients) -> Coefficients { arithmetic::add(lhs, rhs) } - fn subtract(lhs: &Self, rhs: &Self) -> Self { + fn subtract(lhs: &Coefficients, rhs: &Coefficients) -> Coefficients { arithmetic::subtract(lhs, rhs) } - fn montgomery_multiply(lhs: Self, rhs: Self) -> Self { - arithmetic::montgomery_multiply(&lhs, &rhs) + fn montgomery_multiply(lhs: &mut Coefficients, rhs: &Coefficients) { + arithmetic::montgomery_multiply(lhs, rhs); } - fn shift_left_then_reduce(simd_unit: Self) -> Self { - arithmetic::shift_left_then_reduce::(simd_unit) + fn shift_left_then_reduce(simd_unit: &mut Coefficients) { + arithmetic::shift_left_then_reduce::(simd_unit); } - fn power2round(simd_unit: Self) -> (Self, Self) { - arithmetic::power2round(simd_unit) + fn power2round(t0: &mut Coefficients, t1: &mut Coefficients) { + arithmetic::power2round(t0, t1) } - fn infinity_norm_exceeds(simd_unit: Self, bound: i32) -> bool { + fn infinity_norm_exceeds(simd_unit: &Coefficients, bound: i32) -> bool { arithmetic::infinity_norm_exceeds(simd_unit, bound) } @@ -52,10 +55,13 @@ impl Operations for PortableSIMDUnit { arithmetic::decompose::(simd_unit, low, high) } - fn compute_hint(low: Self, high: Self) -> (usize, Self) { + fn compute_hint( + low: &Coefficients, + high: &Coefficients, + ) -> (usize, Coefficients) { arithmetic::compute_hint::(low, high) } - fn use_hint(simd_unit: Self, hint: Self) -> Self { + fn use_hint(simd_unit: &Coefficients, hint: &mut Coefficients) { arithmetic::use_hint::(simd_unit, hint) } @@ -101,13 +107,11 @@ impl Operations for PortableSIMDUnit { encoding::t1::deserialize(serialized) } - fn ntt(simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT]) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] { + fn ntt(simd_units: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { ntt::ntt(simd_units) } - fn invert_ntt_montgomery( - simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT], - ) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] { + fn invert_ntt_montgomery(simd_units: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { invntt::invert_ntt_montgomery(simd_units) } } diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index f07401b40..0fbe1ba3b 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -1,4 +1,4 @@ -use super::vector_type::{FieldElement, PortableSIMDUnit, ZERO}; +use super::vector_type::{zero, Coefficients, FieldElement, PortableSIMDUnit, ZERO}; use crate::{ constants::BITS_IN_LOWER_PART_OF_T, helper::cloop, @@ -10,22 +10,22 @@ use crate::{ pub(crate) const MONTGOMERY_SHIFT: u8 = 32; #[inline(always)] -pub fn add(lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit) -> PortableSIMDUnit { - let mut sum = ZERO(); +pub fn add(lhs: &Coefficients, rhs: &Coefficients) -> Coefficients { + let mut sum = zero(); - for i in 0..sum.coefficients.len() { - sum.coefficients[i] = lhs.coefficients[i] + rhs.coefficients[i]; + for i in 0..sum.len() { + sum[i] = lhs[i] + rhs[i]; } sum } #[inline(always)] -pub fn subtract(lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit) -> PortableSIMDUnit { - let mut difference = ZERO(); +pub fn subtract(lhs: &Coefficients, rhs: &Coefficients) -> Coefficients { + let mut difference = zero(); - for i in 0..difference.coefficients.len() { - difference.coefficients[i] = lhs.coefficients[i] - rhs.coefficients[i]; + for i in 0..difference.len() { + difference[i] = lhs[i] - rhs[i]; } difference @@ -35,6 +35,7 @@ pub fn subtract(lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit) -> PortableSIMDU pub(crate) fn get_n_least_significant_bits(n: u8, value: u64) -> u64 { value & ((1 << n) - 1) } + #[inline(always)] pub(crate) fn montgomery_reduce_element(value: i64) -> FieldElementTimesMontgomeryR { let t = get_n_least_significant_bits(MONTGOMERY_SHIFT, value as u64) @@ -58,31 +59,17 @@ pub(crate) fn montgomery_multiply_fe_by_fer( } #[inline(always)] -pub(crate) fn montgomery_multiply_by_constant( - mut simd_unit: PortableSIMDUnit, - c: i32, -) -> PortableSIMDUnit { - for i in 0..simd_unit.coefficients.len() { - simd_unit.coefficients[i] = - montgomery_reduce_element((simd_unit.coefficients[i] as i64) * (c as i64)) +pub(crate) fn montgomery_multiply_by_constant(simd_unit: &mut Coefficients, c: i32) { + for i in 0..simd_unit.len() { + simd_unit[i] = montgomery_reduce_element((simd_unit[i] as i64) * (c as i64)) } - - simd_unit } #[inline(always)] -pub(crate) fn montgomery_multiply( - lhs: &PortableSIMDUnit, - rhs: &PortableSIMDUnit, -) -> PortableSIMDUnit { - let mut product = ZERO(); - - for i in 0..product.coefficients.len() { - product.coefficients[i] = - montgomery_reduce_element((lhs.coefficients[i] as i64) * (rhs.coefficients[i] as i64)) +pub(crate) fn montgomery_multiply(lhs: &mut Coefficients, rhs: &Coefficients) { + for i in 0..lhs.len() { + lhs[i] = montgomery_reduce_element((lhs[i] as i64) * (rhs[i] as i64)) } - - product } // Splits t ∈ {0, ..., q-1} into t0 and t1 with a = t1*2ᴰ + t0 @@ -112,26 +99,17 @@ fn power2round_element(t: i32) -> (i32, i32) { (t0, t1) } -pub fn power2round(simd_unit: PortableSIMDUnit) -> (PortableSIMDUnit, PortableSIMDUnit) { - let mut t0_simd_unit = ZERO(); - let mut t1_simd_unit = ZERO(); - - cloop! { - for (i, t) in simd_unit.coefficients.into_iter().enumerate() { - let (t0, t1) = power2round_element(t); - - t0_simd_unit.coefficients[i] = t0; - t1_simd_unit.coefficients[i] = t1; - } +#[inline(always)] +pub(super) fn power2round(t0: &mut Coefficients, t1: &mut Coefficients) { + for i in 0..t0.len() { + (t0[i], t1[1]) = power2round_element(t0[i]); } - - (t0_simd_unit, t1_simd_unit) } // TODO: Revisit this function when doing the range analysis and testing // additional KATs. #[inline(always)] -pub fn infinity_norm_exceeds(simd_unit: PortableSIMDUnit, bound: i32) -> bool { +pub(super) fn infinity_norm_exceeds(simd_unit: &Coefficients, bound: i32) -> bool { let mut exceeds = false; // It is ok to leak which coefficient violates the bound since @@ -142,8 +120,8 @@ pub fn infinity_norm_exceeds(simd_unit: PortableSIMDUnit, bound: i32) -> bool { // straightforward way to do so (returning false) will not go through hax; // revisit if performance is impacted. cloop! { - for coefficient in simd_unit.coefficients.into_iter() { - debug_assert!(coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS); + for coefficient in simd_unit.iter() { + debug_assert!(*coefficient > -FIELD_MODULUS && *coefficient < FIELD_MODULUS); // This norm is calculated using the absolute value of the // signed representative in the range: // @@ -169,16 +147,10 @@ fn reduce_element(fe: FieldElement) -> FieldElement { } #[inline(always)] -pub fn shift_left_then_reduce( - simd_unit: PortableSIMDUnit, -) -> PortableSIMDUnit { - let mut out = ZERO(); - - for i in 0..simd_unit.coefficients.len() { - out.coefficients[i] = reduce_element(simd_unit.coefficients[i] << SHIFT_BY); +pub(super) fn shift_left_then_reduce(simd_unit: &mut Coefficients) { + for i in 0..simd_unit.len() { + simd_unit[i] = reduce_element(simd_unit[i] << SHIFT_BY); } - - out } #[inline(always)] @@ -191,17 +163,16 @@ fn compute_one_hint(low: i32, high: i32) -> i32 { } #[inline(always)] -pub fn compute_hint( - low: PortableSIMDUnit, - high: PortableSIMDUnit, -) -> (usize, PortableSIMDUnit) { - let mut hint = ZERO(); +pub(super) fn compute_hint( + low: &Coefficients, + high: &Coefficients, +) -> (usize, Coefficients) { + let mut hint = zero(); let mut one_hints_count = 0; - for i in 0..hint.coefficients.len() { - hint.coefficients[i] = - compute_one_hint::(low.coefficients[i], high.coefficients[i]); - one_hints_count += hint.coefficients[i] as usize; + for i in 0..hint.len() { + hint[i] = compute_one_hint::(low[i], high[i]); + one_hints_count += hint[i] as usize; } (one_hints_count, hint) @@ -316,18 +287,10 @@ pub fn decompose( } #[inline(always)] -pub fn use_hint( - simd_unit: PortableSIMDUnit, - hint: PortableSIMDUnit, -) -> PortableSIMDUnit { - let mut result = ZERO(); - - for i in 0..result.coefficients.len() { - result.coefficients[i] = - use_one_hint::(simd_unit.coefficients[i], hint.coefficients[i]); +pub fn use_hint(simd_unit: &Coefficients, hint: &mut Coefficients) { + for i in 0..hint.len() { + hint[i] = use_one_hint::(simd_unit[i], hint[i]); } - - result } #[cfg(test)] diff --git a/libcrux-ml-dsa/src/simd/portable/invntt.rs b/libcrux-ml-dsa/src/simd/portable/invntt.rs index 2cef94c7f..19a7a3fef 100644 --- a/libcrux-ml-dsa/src/simd/portable/invntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/invntt.rs @@ -1,95 +1,82 @@ use super::arithmetic::{self, montgomery_multiply_fe_by_fer}; -use super::vector_type::PortableSIMDUnit; +use super::vector_type::{Coefficients, PortableSIMDUnit}; use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; #[inline(always)] pub fn simd_unit_invert_ntt_at_layer_0( - mut simd_unit: PortableSIMDUnit, + simd_unit: &mut Coefficients, zeta0: i32, zeta1: i32, zeta2: i32, zeta3: i32, -) -> PortableSIMDUnit { - let a_minus_b = simd_unit.coefficients[1] - simd_unit.coefficients[0]; - simd_unit.coefficients[0] = simd_unit.coefficients[0] + simd_unit.coefficients[1]; - simd_unit.coefficients[1] = montgomery_multiply_fe_by_fer(a_minus_b, zeta0); - - let a_minus_b = simd_unit.coefficients[3] - simd_unit.coefficients[2]; - simd_unit.coefficients[2] = simd_unit.coefficients[2] + simd_unit.coefficients[3]; - simd_unit.coefficients[3] = montgomery_multiply_fe_by_fer(a_minus_b, zeta1); +) { + let a_minus_b = simd_unit[1] - simd_unit[0]; + simd_unit[0] = simd_unit[0] + simd_unit[1]; + simd_unit[1] = montgomery_multiply_fe_by_fer(a_minus_b, zeta0); - let a_minus_b = simd_unit.coefficients[5] - simd_unit.coefficients[4]; - simd_unit.coefficients[4] = simd_unit.coefficients[4] + simd_unit.coefficients[5]; - simd_unit.coefficients[5] = montgomery_multiply_fe_by_fer(a_minus_b, zeta2); + let a_minus_b = simd_unit[3] - simd_unit[2]; + simd_unit[2] = simd_unit[2] + simd_unit[3]; + simd_unit[3] = montgomery_multiply_fe_by_fer(a_minus_b, zeta1); - let a_minus_b = simd_unit.coefficients[7] - simd_unit.coefficients[6]; - simd_unit.coefficients[6] = simd_unit.coefficients[6] + simd_unit.coefficients[7]; - simd_unit.coefficients[7] = montgomery_multiply_fe_by_fer(a_minus_b, zeta3); + let a_minus_b = simd_unit[5] - simd_unit[4]; + simd_unit[4] = simd_unit[4] + simd_unit[5]; + simd_unit[5] = montgomery_multiply_fe_by_fer(a_minus_b, zeta2); - simd_unit + let a_minus_b = simd_unit[7] - simd_unit[6]; + simd_unit[6] = simd_unit[6] + simd_unit[7]; + simd_unit[7] = montgomery_multiply_fe_by_fer(a_minus_b, zeta3); } #[inline(always)] -pub fn simd_unit_invert_ntt_at_layer_1( - mut simd_unit: PortableSIMDUnit, - zeta0: i32, - zeta1: i32, -) -> PortableSIMDUnit { - let a_minus_b = simd_unit.coefficients[2] - simd_unit.coefficients[0]; - simd_unit.coefficients[0] = simd_unit.coefficients[0] + simd_unit.coefficients[2]; - simd_unit.coefficients[2] = montgomery_multiply_fe_by_fer(a_minus_b, zeta0); - - let a_minus_b = simd_unit.coefficients[3] - simd_unit.coefficients[1]; - simd_unit.coefficients[1] = simd_unit.coefficients[1] + simd_unit.coefficients[3]; - simd_unit.coefficients[3] = montgomery_multiply_fe_by_fer(a_minus_b, zeta0); - - let a_minus_b = simd_unit.coefficients[6] - simd_unit.coefficients[4]; - simd_unit.coefficients[4] = simd_unit.coefficients[4] + simd_unit.coefficients[6]; - simd_unit.coefficients[6] = montgomery_multiply_fe_by_fer(a_minus_b, zeta1); - - let a_minus_b = simd_unit.coefficients[7] - simd_unit.coefficients[5]; - simd_unit.coefficients[5] = simd_unit.coefficients[5] + simd_unit.coefficients[7]; - simd_unit.coefficients[7] = montgomery_multiply_fe_by_fer(a_minus_b, zeta1); - - simd_unit +pub fn simd_unit_invert_ntt_at_layer_1(simd_unit: &mut Coefficients, zeta0: i32, zeta1: i32) { + let a_minus_b = simd_unit[2] - simd_unit[0]; + simd_unit[0] = simd_unit[0] + simd_unit[2]; + simd_unit[2] = montgomery_multiply_fe_by_fer(a_minus_b, zeta0); + + let a_minus_b = simd_unit[3] - simd_unit[1]; + simd_unit[1] = simd_unit[1] + simd_unit[3]; + simd_unit[3] = montgomery_multiply_fe_by_fer(a_minus_b, zeta0); + + let a_minus_b = simd_unit[6] - simd_unit[4]; + simd_unit[4] = simd_unit[4] + simd_unit[6]; + simd_unit[6] = montgomery_multiply_fe_by_fer(a_minus_b, zeta1); + + let a_minus_b = simd_unit[7] - simd_unit[5]; + simd_unit[5] = simd_unit[5] + simd_unit[7]; + simd_unit[7] = montgomery_multiply_fe_by_fer(a_minus_b, zeta1); } #[inline(always)] -pub fn simd_unit_invert_ntt_at_layer_2( - mut simd_unit: PortableSIMDUnit, - zeta: i32, -) -> PortableSIMDUnit { - let a_minus_b = simd_unit.coefficients[4] - simd_unit.coefficients[0]; - simd_unit.coefficients[0] = simd_unit.coefficients[0] + simd_unit.coefficients[4]; - simd_unit.coefficients[4] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); - - let a_minus_b = simd_unit.coefficients[5] - simd_unit.coefficients[1]; - simd_unit.coefficients[1] = simd_unit.coefficients[1] + simd_unit.coefficients[5]; - simd_unit.coefficients[5] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); - - let a_minus_b = simd_unit.coefficients[6] - simd_unit.coefficients[2]; - simd_unit.coefficients[2] = simd_unit.coefficients[2] + simd_unit.coefficients[6]; - simd_unit.coefficients[6] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); - - let a_minus_b = simd_unit.coefficients[7] - simd_unit.coefficients[3]; - simd_unit.coefficients[3] = simd_unit.coefficients[3] + simd_unit.coefficients[7]; - simd_unit.coefficients[7] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); - - simd_unit +pub fn simd_unit_invert_ntt_at_layer_2(simd_unit: &mut Coefficients, zeta: i32) { + let a_minus_b = simd_unit[4] - simd_unit[0]; + simd_unit[0] = simd_unit[0] + simd_unit[4]; + simd_unit[4] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); + + let a_minus_b = simd_unit[5] - simd_unit[1]; + simd_unit[1] = simd_unit[1] + simd_unit[5]; + simd_unit[5] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); + + let a_minus_b = simd_unit[6] - simd_unit[2]; + simd_unit[2] = simd_unit[2] + simd_unit[6]; + simd_unit[6] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); + + let a_minus_b = simd_unit[7] - simd_unit[3]; + simd_unit[3] = simd_unit[3] + simd_unit[7]; + simd_unit[7] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); } #[inline(always)] -fn invert_ntt_at_layer_0(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn invert_ntt_at_layer_0(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { #[inline(always)] fn round( - re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT], index: usize, zeta0: i32, zeta1: i32, zeta2: i32, zeta3: i32, ) { - re[index] = simd_unit_invert_ntt_at_layer_0(re[index], zeta0, zeta1, zeta2, zeta3); + simd_unit_invert_ntt_at_layer_0(&mut re[index], zeta0, zeta1, zeta2, zeta3); } round(re, 0, 1976782, -846154, 1400424, 3937738); @@ -127,15 +114,15 @@ fn invert_ntt_at_layer_0(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT] } #[inline(always)] -fn invert_ntt_at_layer_1(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn invert_ntt_at_layer_1(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { #[inline(always)] fn round( - re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT], index: usize, zeta_00: i32, zeta_01: i32, ) { - re[index] = simd_unit_invert_ntt_at_layer_1(re[index], zeta_00, zeta_01); + simd_unit_invert_ntt_at_layer_1(&mut re[index], zeta_00, zeta_01); } round(re, 0, 3839961, -3628969); @@ -173,9 +160,9 @@ fn invert_ntt_at_layer_1(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT] } #[inline(always)] -fn invert_ntt_at_layer_2(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { - fn round(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], index: usize, zeta1: i32) { - re[index] = simd_unit_invert_ntt_at_layer_2(re[index], zeta1); +fn invert_ntt_at_layer_2(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { + fn round(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT], index: usize, zeta1: i32) { + simd_unit_invert_ntt_at_layer_2(&mut re[index], zeta1); } round(re, 0, -2797779); @@ -214,18 +201,18 @@ fn invert_ntt_at_layer_2(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT] #[inline(always)] fn outer_3_plus( - re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT], ) { for j in OFFSET..OFFSET + STEP_BY { - let a_minus_b = arithmetic::subtract(&re[j + STEP_BY], &re[j]); + re[j + STEP_BY] = arithmetic::subtract(&re[j + STEP_BY], &re[j]); re[j] = arithmetic::add(&re[j], &re[j + STEP_BY]); - re[j + STEP_BY] = arithmetic::montgomery_multiply_by_constant(a_minus_b, ZETA); + arithmetic::montgomery_multiply_by_constant(&mut re[j + STEP_BY], ZETA); } () } #[inline(always)] -fn invert_ntt_at_layer_3(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn invert_ntt_at_layer_3(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 8; // 1 << LAYER; const STEP_BY: usize = 1; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -248,7 +235,7 @@ fn invert_ntt_at_layer_3(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT] } #[inline(always)] -fn invert_ntt_at_layer_4(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn invert_ntt_at_layer_4(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 16; // 1 << LAYER; const STEP_BY: usize = 2; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -263,7 +250,7 @@ fn invert_ntt_at_layer_4(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT] } #[inline(always)] -fn invert_ntt_at_layer_5(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn invert_ntt_at_layer_5(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 32; // 1 << LAYER; const STEP_BY: usize = 4; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -274,7 +261,7 @@ fn invert_ntt_at_layer_5(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT] } #[inline(always)] -fn invert_ntt_at_layer_6(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn invert_ntt_at_layer_6(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 64; // 1 << LAYER; const STEP_BY: usize = 8; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -283,24 +270,22 @@ fn invert_ntt_at_layer_6(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT] } #[inline(always)] -fn invert_ntt_at_layer_7(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn invert_ntt_at_layer_7(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 128; // 1 << LAYER; const STEP_BY: usize = 16; // step / COEFFICIENTS_IN_SIMD_UNIT; outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 25847>(re); } -pub(crate) fn invert_ntt_montgomery( - mut re: [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], -) -> [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT] { - invert_ntt_at_layer_0(&mut re); - invert_ntt_at_layer_1(&mut re); - invert_ntt_at_layer_2(&mut re); - invert_ntt_at_layer_3(&mut re); - invert_ntt_at_layer_4(&mut re); - invert_ntt_at_layer_5(&mut re); - invert_ntt_at_layer_6(&mut re); - invert_ntt_at_layer_7(&mut re); +pub(crate) fn invert_ntt_montgomery(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { + invert_ntt_at_layer_0(re); + invert_ntt_at_layer_1(re); + invert_ntt_at_layer_2(re); + invert_ntt_at_layer_3(re); + invert_ntt_at_layer_4(re); + invert_ntt_at_layer_5(re); + invert_ntt_at_layer_6(re); + invert_ntt_at_layer_7(re); for i in 0..re.len() { // After invert_ntt_at_layer, elements are of the form a * MONTGOMERY_R^{-1} @@ -308,8 +293,6 @@ pub(crate) fn invert_ntt_montgomery( // // - Divide the elements by 256 and // - Convert the elements form montgomery domain to the standard domain. - re[i] = arithmetic::montgomery_multiply_by_constant(re[i], 41_978); + arithmetic::montgomery_multiply_by_constant(&mut re[i], 41_978); } - - re } diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs index c632f3cf8..d6f50474d 100644 --- a/libcrux-ml-dsa/src/simd/portable/ntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs @@ -1,92 +1,82 @@ use super::arithmetic::{self, montgomery_multiply_by_constant, montgomery_multiply_fe_by_fer}; -use super::vector_type::PortableSIMDUnit; +use super::vector_type::{Coefficients, PortableSIMDUnit}; use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; #[inline(always)] pub fn simd_unit_ntt_at_layer_0( - mut simd_unit: PortableSIMDUnit, + simd_unit: &mut Coefficients, zeta0: i32, zeta1: i32, zeta2: i32, zeta3: i32, -) -> PortableSIMDUnit { - let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[1], zeta0); - simd_unit.coefficients[1] = simd_unit.coefficients[0] - t; - simd_unit.coefficients[0] = simd_unit.coefficients[0] + t; - - let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[3], zeta1); - simd_unit.coefficients[3] = simd_unit.coefficients[2] - t; - simd_unit.coefficients[2] = simd_unit.coefficients[2] + t; +) { + let t = montgomery_multiply_fe_by_fer(simd_unit[1], zeta0); + simd_unit[1] = simd_unit[0] - t; + simd_unit[0] = simd_unit[0] + t; - let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[5], zeta2); - simd_unit.coefficients[5] = simd_unit.coefficients[4] - t; - simd_unit.coefficients[4] = simd_unit.coefficients[4] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit[3], zeta1); + simd_unit[3] = simd_unit[2] - t; + simd_unit[2] = simd_unit[2] + t; - let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[7], zeta3); - simd_unit.coefficients[7] = simd_unit.coefficients[6] - t; - simd_unit.coefficients[6] = simd_unit.coefficients[6] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit[5], zeta2); + simd_unit[5] = simd_unit[4] - t; + simd_unit[4] = simd_unit[4] + t; - simd_unit + let t = montgomery_multiply_fe_by_fer(simd_unit[7], zeta3); + simd_unit[7] = simd_unit[6] - t; + simd_unit[6] = simd_unit[6] + t; } #[inline(always)] -pub fn simd_unit_ntt_at_layer_1( - mut simd_unit: PortableSIMDUnit, - zeta1: i32, - zeta2: i32, -) -> PortableSIMDUnit { - let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[2], zeta1); - simd_unit.coefficients[2] = simd_unit.coefficients[0] - t; - simd_unit.coefficients[0] = simd_unit.coefficients[0] + t; - - let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[3], zeta1); - simd_unit.coefficients[3] = simd_unit.coefficients[1] - t; - simd_unit.coefficients[1] = simd_unit.coefficients[1] + t; - - let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[6], zeta2); - simd_unit.coefficients[6] = simd_unit.coefficients[4] - t; - simd_unit.coefficients[4] = simd_unit.coefficients[4] + t; - - let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[7], zeta2); - simd_unit.coefficients[7] = simd_unit.coefficients[5] - t; - simd_unit.coefficients[5] = simd_unit.coefficients[5] + t; - - simd_unit +pub fn simd_unit_ntt_at_layer_1(simd_unit: &mut Coefficients, zeta1: i32, zeta2: i32) { + let t = montgomery_multiply_fe_by_fer(simd_unit[2], zeta1); + simd_unit[2] = simd_unit[0] - t; + simd_unit[0] = simd_unit[0] + t; + + let t = montgomery_multiply_fe_by_fer(simd_unit[3], zeta1); + simd_unit[3] = simd_unit[1] - t; + simd_unit[1] = simd_unit[1] + t; + + let t = montgomery_multiply_fe_by_fer(simd_unit[6], zeta2); + simd_unit[6] = simd_unit[4] - t; + simd_unit[4] = simd_unit[4] + t; + + let t = montgomery_multiply_fe_by_fer(simd_unit[7], zeta2); + simd_unit[7] = simd_unit[5] - t; + simd_unit[5] = simd_unit[5] + t; } #[inline(always)] -pub fn simd_unit_ntt_at_layer_2(mut simd_unit: PortableSIMDUnit, zeta: i32) -> PortableSIMDUnit { - let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[4], zeta); - simd_unit.coefficients[4] = simd_unit.coefficients[0] - t; - simd_unit.coefficients[0] = simd_unit.coefficients[0] + t; - - let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[5], zeta); - simd_unit.coefficients[5] = simd_unit.coefficients[1] - t; - simd_unit.coefficients[1] = simd_unit.coefficients[1] + t; - - let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[6], zeta); - simd_unit.coefficients[6] = simd_unit.coefficients[2] - t; - simd_unit.coefficients[2] = simd_unit.coefficients[2] + t; - - let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[7], zeta); - simd_unit.coefficients[7] = simd_unit.coefficients[3] - t; - simd_unit.coefficients[3] = simd_unit.coefficients[3] + t; - - simd_unit +pub fn simd_unit_ntt_at_layer_2(simd_unit: &mut Coefficients, zeta: i32) { + let t = montgomery_multiply_fe_by_fer(simd_unit[4], zeta); + simd_unit[4] = simd_unit[0] - t; + simd_unit[0] = simd_unit[0] + t; + + let t = montgomery_multiply_fe_by_fer(simd_unit[5], zeta); + simd_unit[5] = simd_unit[1] - t; + simd_unit[1] = simd_unit[1] + t; + + let t = montgomery_multiply_fe_by_fer(simd_unit[6], zeta); + simd_unit[6] = simd_unit[2] - t; + simd_unit[2] = simd_unit[2] + t; + + let t = montgomery_multiply_fe_by_fer(simd_unit[7], zeta); + simd_unit[7] = simd_unit[3] - t; + simd_unit[3] = simd_unit[3] + t; } #[inline(always)] -fn ntt_at_layer_0(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn ntt_at_layer_0(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { #[inline(always)] fn round( - re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT], index: usize, zeta_0: i32, zeta_1: i32, zeta_2: i32, zeta_3: i32, ) { - re[index] = simd_unit_ntt_at_layer_0(re[index], zeta_0, zeta_1, zeta_2, zeta_3); + simd_unit_ntt_at_layer_0(&mut re[index], zeta_0, zeta_1, zeta_2, zeta_3); } round(re, 0, 2091667, 3407706, 2316500, 3817976); @@ -124,15 +114,15 @@ fn ntt_at_layer_0(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { } #[inline(always)] -fn ntt_at_layer_1(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn ntt_at_layer_1(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { #[inline(always)] fn round( - re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT], index: usize, zeta_0: i32, zeta_1: i32, ) { - re[index] = simd_unit_ntt_at_layer_1(re[index], zeta_0, zeta_1); + simd_unit_ntt_at_layer_1(&mut re[index], zeta_0, zeta_1); } round(re, 0, -3930395, -1528703); @@ -170,10 +160,10 @@ fn ntt_at_layer_1(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { } #[inline(always)] -fn ntt_at_layer_2(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn ntt_at_layer_2(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { #[inline(always)] - fn round(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], index: usize, zeta: i32) { - re[index] = simd_unit_ntt_at_layer_2(re[index], zeta); + fn round(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT], index: usize, zeta: i32) { + simd_unit_ntt_at_layer_2(&mut re[index], zeta); } round(re, 0, 2706023); @@ -212,19 +202,20 @@ fn ntt_at_layer_2(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { #[inline(always)] fn outer_3_plus( - re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT], ) { for j in OFFSET..OFFSET + STEP_BY { - let t = montgomery_multiply_by_constant(re[j + STEP_BY], ZETA); + let mut tmp = re[j + STEP_BY]; + montgomery_multiply_by_constant(&mut tmp, ZETA); - re[j + STEP_BY] = arithmetic::subtract(&re[j], &t); - re[j] = arithmetic::add(&re[j], &t); + re[j + STEP_BY] = arithmetic::subtract(&re[j], &tmp); + re[j] = arithmetic::add(&re[j], &tmp); } () // Needed because of https://github.com/hacspec/hax/issues/720 } #[inline(always)] -fn ntt_at_layer_3(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn ntt_at_layer_3(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 8; // 1 << LAYER; const STEP_BY: usize = 1; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -247,7 +238,7 @@ fn ntt_at_layer_3(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { } #[inline(always)] -fn ntt_at_layer_4(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn ntt_at_layer_4(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 16; // 1 << LAYER; const STEP_BY: usize = 2; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -262,7 +253,7 @@ fn ntt_at_layer_4(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { } #[inline(always)] -fn ntt_at_layer_5(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn ntt_at_layer_5(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 32; // 1 << LAYER; const STEP_BY: usize = 4; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -273,7 +264,7 @@ fn ntt_at_layer_5(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { } #[inline(always)] -fn ntt_at_layer_6(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn ntt_at_layer_6(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 64; // 1 << LAYER; const STEP_BY: usize = 8; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -282,7 +273,7 @@ fn ntt_at_layer_6(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { } #[inline(always)] -fn ntt_at_layer_7(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { +fn ntt_at_layer_7(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 128; // 1 << LAYER; const STEP_BY: usize = 16; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -290,17 +281,13 @@ fn ntt_at_layer_7(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { } #[inline(always)] -pub(crate) fn ntt( - mut re: [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], -) -> [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT] { - ntt_at_layer_7(&mut re); - ntt_at_layer_6(&mut re); - ntt_at_layer_5(&mut re); - ntt_at_layer_4(&mut re); - ntt_at_layer_3(&mut re); - ntt_at_layer_2(&mut re); - ntt_at_layer_1(&mut re); - ntt_at_layer_0(&mut re); - - re +pub(crate) fn ntt(re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { + ntt_at_layer_7(re); + ntt_at_layer_6(re); + ntt_at_layer_5(re); + ntt_at_layer_4(re); + ntt_at_layer_3(re); + ntt_at_layer_2(re); + ntt_at_layer_1(re); + ntt_at_layer_0(re); } diff --git a/libcrux-ml-dsa/src/simd/portable/vector_type.rs b/libcrux-ml-dsa/src/simd/portable/vector_type.rs index 3a71624d9..8f1b9b820 100644 --- a/libcrux-ml-dsa/src/simd/portable/vector_type.rs +++ b/libcrux-ml-dsa/src/simd/portable/vector_type.rs @@ -4,8 +4,14 @@ use crate::simd::traits::COEFFICIENTS_IN_SIMD_UNIT; pub(crate) type FieldElement = i32; #[derive(Clone, Copy)] -pub struct PortableSIMDUnit { - pub(crate) coefficients: [FieldElement; COEFFICIENTS_IN_SIMD_UNIT], +pub(crate) struct PortableSIMDUnit { + pub(crate) coefficients: Coefficients, +} + +pub(super) type Coefficients = [FieldElement; COEFFICIENTS_IN_SIMD_UNIT]; + +pub(crate) fn zero() -> Coefficients { + [0i32; COEFFICIENTS_IN_SIMD_UNIT] } #[allow(non_snake_case)] @@ -15,12 +21,14 @@ pub(crate) fn ZERO() -> PortableSIMDUnit { } } -pub(crate) fn from_coefficient_array(array: &[i32]) -> PortableSIMDUnit { - PortableSIMDUnit { - coefficients: array[0..8].try_into().unwrap(), - } +pub(crate) fn from_coefficient_array(array: &[i32]) -> Coefficients { + array[0..8].try_into().unwrap() } -pub(crate) fn to_coefficient_array(x: &PortableSIMDUnit) -> [i32; 8] { - x.coefficients +#[inline(always)] +pub(crate) fn to_coefficient_array( + value: &Coefficients, + out: &mut [i32], // len: COEFFICIENTS_IN_SIMD_UNIT +) { + out.copy_from_slice(value); } diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 67f7d89f4..eab412cc7 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -15,26 +15,31 @@ pub const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58_728_449; pub(crate) type FieldElementTimesMontgomeryR = i32; pub(crate) trait Operations: Copy + Clone { + type Coefficient: Copy; // XXX: make generic? drop copy? + #[allow(non_snake_case)] - fn ZERO() -> Self; + fn ZERO() -> Self::Coefficient; - fn from_coefficient_array(array: &[i32]) -> Self; - fn to_coefficient_array(&self) -> [i32; COEFFICIENTS_IN_SIMD_UNIT]; + fn from_coefficient_array(array: &[i32]) -> Self::Coefficient; + fn to_coefficient_array(value: &Self::Coefficient, out: &mut [i32]); // Arithmetic - fn add(lhs: &Self, rhs: &Self) -> Self; - fn subtract(lhs: &Self, rhs: &Self) -> Self; - fn infinity_norm_exceeds(simd_unit: Self, bound: i32) -> bool; + fn add(lhs: &Self::Coefficient, rhs: &Self::Coefficient) -> Self::Coefficient; + fn subtract(lhs: &Self::Coefficient, rhs: &Self::Coefficient) -> Self::Coefficient; + fn infinity_norm_exceeds(simd_unit: &Self::Coefficient, bound: i32) -> bool; fn decompose(simd_unit: Self, low: &mut Self, high: &mut Self); - fn compute_hint(low: Self, high: Self) -> (usize, Self); - fn use_hint(simd_unit: Self, hint: Self) -> Self; + fn compute_hint( + low: &Self::Coefficient, + high: &Self::Coefficient, + ) -> (usize, Self::Coefficient); + fn use_hint(simd_unit: &Self::Coefficient, hint: &mut Self::Coefficient); // Modular operations - fn montgomery_multiply(lhs: Self, rhs: Self) -> Self; - fn shift_left_then_reduce(simd_unit: Self) -> Self; + fn montgomery_multiply(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient); + fn shift_left_then_reduce(simd_unit: &mut Self::Coefficient); // Decomposition operations - fn power2round(simd_unit: Self) -> (Self, Self); + fn power2round(t0: &mut Self::Coefficient, t1: &mut Self::Coefficient); // Sampling // @@ -72,10 +77,8 @@ pub(crate) trait Operations: Copy + Clone { fn t1_deserialize(serialized: &[u8]) -> Self; // NTT - fn ntt(simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT]) -> [Self; SIMD_UNITS_IN_RING_ELEMENT]; + fn ntt(simd_units: &mut [Self::Coefficient; SIMD_UNITS_IN_RING_ELEMENT]); // invert NTT and convert to standard domain - fn invert_ntt_montgomery( - simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT], - ) -> [Self; SIMD_UNITS_IN_RING_ELEMENT]; + fn invert_ntt_montgomery(simd_units: &mut [Self::Coefficient; SIMD_UNITS_IN_RING_ELEMENT]); } From d33c7417f5b17949830394722bcfd6503afa5548 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 10:57:53 +0000 Subject: [PATCH 06/58] wip: avx2 working | portable broken --- libcrux-ml-dsa/src/arithmetic.rs | 2 +- libcrux-ml-dsa/src/encoding/commitment.rs | 2 +- libcrux-ml-dsa/src/encoding/error.rs | 11 ++- libcrux-ml-dsa/src/encoding/gamma1.rs | 5 +- libcrux-ml-dsa/src/encoding/t0.rs | 9 +-- libcrux-ml-dsa/src/encoding/t1.rs | 8 +- libcrux-ml-dsa/src/matrix.rs | 73 ++++++++++-------- libcrux-ml-dsa/src/ml_dsa_generic.rs | 36 +++++---- libcrux-ml-dsa/src/polynomial.rs | 14 ++++ libcrux-ml-dsa/src/simd/avx2.rs | 45 +++++------ libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 9 ++- .../src/simd/avx2/encoding/commitment.rs | 6 +- .../src/simd/avx2/encoding/error.rs | 10 +-- .../src/simd/avx2/encoding/gamma1.rs | 25 +++--- libcrux-ml-dsa/src/simd/avx2/encoding/t0.rs | 13 ++-- libcrux-ml-dsa/src/simd/avx2/encoding/t1.rs | 13 ++-- libcrux-ml-dsa/src/simd/portable.rs | 32 ++++---- .../src/simd/portable/arithmetic.rs | 14 ++-- .../src/simd/portable/encoding/commitment.rs | 10 +-- .../src/simd/portable/encoding/error.rs | 62 +++++++-------- .../src/simd/portable/encoding/gamma1.rs | 44 +++++------ .../src/simd/portable/encoding/t0.rs | 48 +++++------- .../src/simd/portable/encoding/t1.rs | 27 +++---- libcrux-ml-dsa/src/simd/tests.rs | 76 +++++++++---------- libcrux-ml-dsa/src/simd/traits.rs | 30 +++++--- 25 files changed, 311 insertions(+), 313 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index 5edb95735..2b24e5036 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -52,7 +52,7 @@ pub(crate) fn decompose_vector( - t[i].simd_units[j], + &t[i].simd_units[j], &mut low[i].simd_units[j], &mut high[i].simd_units[j], ); diff --git a/libcrux-ml-dsa/src/encoding/commitment.rs b/libcrux-ml-dsa/src/encoding/commitment.rs index 2f94a98c8..d540d9f15 100644 --- a/libcrux-ml-dsa/src/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/encoding/commitment.rs @@ -7,7 +7,7 @@ fn serialize(re: PolynomialRingElement, serializ cloop! { for (i, simd_unit) in re.simd_units.iter().enumerate() { SIMDUnit::commitment_serialize( - *simd_unit, + simd_unit, &mut serialized[i * output_bytes_per_simd_unit..(i + 1) * output_bytes_per_simd_unit], ); } diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index 3accde086..9dba0a715 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -11,7 +11,8 @@ pub(crate) fn serialize( - *simd_unit,&mut serialized[i * output_bytes_per_simd_unit..(i + 1) * output_bytes_per_simd_unit] + simd_unit, + &mut serialized[i * output_bytes_per_simd_unit..(i + 1) * output_bytes_per_simd_unit] ); } } @@ -26,8 +27,10 @@ fn deserialize( let chunk_size = if ETA == 2 { 3 } else { 4 }; for i in 0..result.simd_units.len() { - result.simd_units[i] = - SIMDUnit::error_deserialize::(&serialized[i * chunk_size..(i + 1) * chunk_size]); + SIMDUnit::error_deserialize::( + &serialized[i * chunk_size..(i + 1) * chunk_size], + &mut result.simd_units[i], + ); } () } @@ -46,7 +49,7 @@ pub(crate) fn deserialize_to_vector_then_ntt< cloop! { for (i, bytes) in serialized.chunks_exact(RING_ELEMENT_SIZE).enumerate() { deserialize::(bytes, &mut ring_elements[i]); - ring_elements[i] = ntt(ring_elements[i]); + ntt(&mut ring_elements[i]); } } diff --git a/libcrux-ml-dsa/src/encoding/gamma1.rs b/libcrux-ml-dsa/src/encoding/gamma1.rs index 4dd9dcd49..103dab0b0 100644 --- a/libcrux-ml-dsa/src/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/encoding/gamma1.rs @@ -8,7 +8,7 @@ pub(crate) fn serialize( cloop! { for (i, simd_unit) in re.simd_units.iter().enumerate() { SIMDUnit::gamma1_serialize::( - *simd_unit, + simd_unit, &mut serialized[i * (GAMMA1_EXPONENT + 1)..(i + 1) * (GAMMA1_EXPONENT + 1)], ); } @@ -22,8 +22,9 @@ pub(crate) fn deserialize( result: &mut PolynomialRingElement, ) { for i in 0..result.simd_units.len() { - result.simd_units[i] = SIMDUnit::gamma1_deserialize::( + SIMDUnit::gamma1_deserialize::( &serialized[i * (GAMMA1_EXPONENT + 1)..(i + 1) * (GAMMA1_EXPONENT + 1)], + &mut result.simd_units[i], ); } () diff --git a/libcrux-ml-dsa/src/encoding/t0.rs b/libcrux-ml-dsa/src/encoding/t0.rs index 08a20970b..de11ae3eb 100644 --- a/libcrux-ml-dsa/src/encoding/t0.rs +++ b/libcrux-ml-dsa/src/encoding/t0.rs @@ -16,9 +16,7 @@ pub(crate) fn serialize( ) { cloop! { for (i, simd_unit) in re.simd_units.iter().enumerate() { - // XXX: make t0_deserialize take &mut serialized? - serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT] - .copy_from_slice(&SIMDUnit::t0_serialize(*simd_unit)); + SIMDUnit::t0_serialize(simd_unit, &mut serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]); } } () @@ -30,8 +28,9 @@ fn deserialize( result: &mut PolynomialRingElement, ) { for i in 0..result.simd_units.len() { - result.simd_units[i] = SIMDUnit::t0_deserialize( + SIMDUnit::t0_deserialize( &serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT], + &mut result.simd_units[i], ); } () @@ -46,7 +45,7 @@ pub(crate) fn deserialize_to_vector_then_ntt(bytes, &mut ring_elements[i]); - ring_elements[i] = ntt(ring_elements[i]); + ntt(&mut ring_elements[i]); } } diff --git a/libcrux-ml-dsa/src/encoding/t1.rs b/libcrux-ml-dsa/src/encoding/t1.rs index 9896d44ac..dadc7ae21 100644 --- a/libcrux-ml-dsa/src/encoding/t1.rs +++ b/libcrux-ml-dsa/src/encoding/t1.rs @@ -15,8 +15,7 @@ pub(crate) fn serialize( cloop! { for (i, simd_unit) in re.simd_units.iter().enumerate() { - serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT] - .copy_from_slice(&SIMDUnit::t1_serialize(*simd_unit)); + SIMDUnit::t1_serialize(simd_unit, &mut serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]); } } @@ -29,7 +28,10 @@ pub(crate) fn deserialize( ) { const WINDOW: usize = 10; for i in 0..result.simd_units.len() { - result.simd_units[i] = SIMDUnit::t1_deserialize(&serialized[i * WINDOW..(i + 1) * WINDOW]); + SIMDUnit::t1_deserialize( + &serialized[i * WINDOW..(i + 1) * WINDOW], + &mut result.simd_units[i], + ); } () } diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index ac6b70713..612cf7577 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -19,18 +19,24 @@ pub(crate) fn compute_As1_plus_s2< s1_s2: &[PolynomialRingElement], result: &mut [PolynomialRingElement; ROWS_IN_A], ) { - let s1_ntt: [PolynomialRingElement; COLUMNS_IN_A] = - core::array::from_fn(|i| ntt::(s1_s2[i])); + // XXX: Make this better + let mut s1_ntt = [PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; + for i in 0..s1_ntt.len() { + s1_ntt[i] = s1_s2[i]; + ntt(&mut s1_ntt[i]); + } for i in 0..ROWS_IN_A { for j in 0..COLUMNS_IN_A { - let product = ntt_multiply_montgomery::(&a_as_ntt[i][j], &s1_ntt[j]); + // XXX: Make this better + let mut product = a_as_ntt[i][j]; + ntt_multiply_montgomery::(&mut product, &s1_ntt[j]); result[i] = PolynomialRingElement::add(&result[i], &product); } } for i in 0..result.len() { - result[i] = invert_ntt_montgomery::(result[i]); + invert_ntt_montgomery::(&mut result[i]); result[i] = PolynomialRingElement::add(&result[i], &s1_s2[COLUMNS_IN_A + i]); } } @@ -46,18 +52,24 @@ pub(crate) fn compute_matrix_x_mask< mask: &[PolynomialRingElement; COLUMNS_IN_A], result: &mut [PolynomialRingElement; ROWS_IN_A], ) { - let mask_ntt = mask.map(|s| ntt::(s)); + // XXX: Make this better + let mut mask_ntt = mask.clone(); + for i in 0..mask_ntt.len() { + ntt(&mut mask_ntt[i]); + } cloop! { for (i, row) in matrix.iter().enumerate() { cloop! { for (j, ring_element) in row.iter().enumerate() { - let product = ntt_multiply_montgomery(&ring_element, &mask_ntt[j]); + // XXX: Make this better + let mut product = mask_ntt[j]; + ntt_multiply_montgomery(&mut product, &ring_element); result[i] = PolynomialRingElement::::add(&result[i], &product); } } - result[i] = invert_ntt_montgomery(result[i]); + invert_ntt_montgomery(&mut result[i]); } } } @@ -68,13 +80,12 @@ pub(crate) fn vector_times_ring_element; DIMENSION], ring_element: &PolynomialRingElement, ) -> [PolynomialRingElement; DIMENSION] { - let mut result = [PolynomialRingElement::::ZERO(); DIMENSION]; + // XXX: pull out the result to dsa generic + let mut result = vector.clone(); - cloop! { - for (i, vector_ring_element) in vector.iter().enumerate() { - result[i] = - invert_ntt_montgomery(ntt_multiply_montgomery(vector_ring_element, ring_element)); - } + for i in 0..vector.len() { + ntt_multiply_montgomery(&mut result[i], ring_element); + invert_ntt_montgomery(&mut result[i]); } result @@ -120,37 +131,35 @@ pub(crate) fn compute_w_approx< >( A_as_ntt: &[[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], mut signer_response: [PolynomialRingElement; COLUMNS_IN_A], - verifier_challenge_as_ntt: PolynomialRingElement, - t1: [PolynomialRingElement; ROWS_IN_A], -) -> [PolynomialRingElement; ROWS_IN_A] { - let mut result = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; - + verifier_challenge_as_ntt: &PolynomialRingElement, + t1: &mut [PolynomialRingElement; ROWS_IN_A], +) { // Move signer response into NTT for i in 0..signer_response.len() { - signer_response[i] = ntt(signer_response[i]); + ntt(&mut signer_response[i]); } cloop! { for (i, row) in A_as_ntt.iter().enumerate() { + let mut inner_result = PolynomialRingElement::::ZERO(); cloop! { for (j, ring_element) in row.iter().enumerate() { - let product = ntt_multiply_montgomery(&ring_element, &signer_response[j]); + // XXX: make nicer + let mut product = ring_element.clone(); + ntt_multiply_montgomery(&mut product, &signer_response[j]); - result[i] = PolynomialRingElement::::add(&result[i], &product); + PolynomialRingElement::::add_mut(&mut inner_result, &product); } } - let t1_shifted = - shift_left_then_reduce::(t1[i]); - let t1_shifted = ntt(t1_shifted); - let challenge_times_t1_shifted = - ntt_multiply_montgomery(&verifier_challenge_as_ntt, &t1_shifted); - result[i] = invert_ntt_montgomery(PolynomialRingElement::::subtract( - &result[i], - &challenge_times_t1_shifted, - )); + shift_left_then_reduce::(&mut t1[i]); + ntt(&mut t1[i]); + ntt_multiply_montgomery(&mut t1[i], verifier_challenge_as_ntt); + t1[i] = PolynomialRingElement::::subtract( + &inner_result, + &t1[i], + ); + invert_ntt_montgomery(&mut t1[i]); } } - - result } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 18537a8a4..08e792108 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -66,10 +66,12 @@ pub(crate) fn generate_key_pair< &mut s1_s2, ); - let mut t = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; - compute_As1_plus_s2::(&a_as_ntt, &s1_s2, &mut t); + let mut t0 = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; + compute_As1_plus_s2::(&a_as_ntt, &s1_s2, &mut t0); - let (t0, t1) = power2round_vector::(t); + // let (t0, t1) = + let mut t1 = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; + power2round_vector::(&mut t0, &mut t1); let verification_key_serialized = encoding::verification_key::generate_serialized::< SIMDUnit, @@ -352,16 +354,12 @@ pub(crate) fn sign_internal< ONES_IN_VERIFIER_CHALLENGE, COMMITMENT_HASH_SIZE, >(commitment_hash_candidate, &mut verifier_challenge); - let verifier_challenge_as_ntt = ntt(verifier_challenge); + ntt(&mut verifier_challenge); - let challenge_times_s1 = vector_times_ring_element::( - &s1_as_ntt, - &verifier_challenge_as_ntt, - ); - let challenge_times_s2 = vector_times_ring_element::( - &s2_as_ntt, - &verifier_challenge_as_ntt, - ); + let challenge_times_s1 = + vector_times_ring_element::(&s1_as_ntt, &verifier_challenge); + let challenge_times_s2 = + vector_times_ring_element::(&s2_as_ntt, &verifier_challenge); let signer_response_candidate = add_vectors::(&mask, &challenge_times_s1); @@ -385,7 +383,7 @@ pub(crate) fn sign_internal< } else { let challenge_times_t0 = vector_times_ring_element::( &t0_as_ntt, - &verifier_challenge_as_ntt, + &verifier_challenge, ); if vector_infinity_norm_exceeds::(challenge_times_t0, GAMMA2) { // XXX: https://github.com/hacspec/hax/issues/1171 @@ -512,7 +510,7 @@ pub(crate) fn verify_internal< domain_separation_context: Option, signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { - let (seed_for_a, t1) = + let (seed_for_a, mut t1) = encoding::verification_key::deserialize::( verification_key_serialized, ); @@ -559,18 +557,18 @@ pub(crate) fn verify_internal< ONES_IN_VERIFIER_CHALLENGE, COMMITMENT_HASH_SIZE, >(signature.commitment_hash, &mut verifier_challenge); - let verifier_challenge_as_ntt = ntt(verifier_challenge); + ntt(&mut verifier_challenge); - let w_approx = compute_w_approx::( + compute_w_approx::( &matrix, signature.signer_response, - verifier_challenge_as_ntt, - t1, + &verifier_challenge, + &mut t1, ); let mut commitment_hash = [0; COMMITMENT_HASH_SIZE]; { - let commitment = use_hint::(signature.hint, w_approx); + let commitment = use_hint::(signature.hint, t1); let commitment_serialized = encoding::commitment::serialize_vector::< SIMDUnit, ROWS_IN_A, diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index 1a4ec3595..9625fcbe6 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -67,6 +67,13 @@ impl PolynomialRingElement { sum } + #[inline(always)] + pub(crate) fn add_mut(&mut self, rhs: &Self) { + for i in 0..self.simd_units.len() { + self.simd_units[i] = SIMDUnit::add(&self.simd_units[i], &rhs.simd_units[i]); + } + } + #[inline(always)] pub(crate) fn subtract(&self, rhs: &Self) -> Self { let mut difference = Self::ZERO(); @@ -77,4 +84,11 @@ impl PolynomialRingElement { difference } + + #[inline(always)] + pub(crate) fn subtract_mut(&mut self, rhs: &Self) { + for i in 0..self.simd_units.len() { + self.simd_units[i] = SIMDUnit::subtract(&self.simd_units[i], &rhs.simd_units[i]); + } + } } diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 400df740f..23db57220 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -56,12 +56,8 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn decompose(simd_unit: Self, low: &mut Self, high: &mut Self) { - arithmetic::decompose::( - simd_unit.coefficients, - &mut low.coefficients, - &mut high.coefficients, - ); + fn decompose(simd_unit: &Vec256, low: &mut Vec256, high: &mut Vec256) { + arithmetic::decompose::(simd_unit, low, high); } #[inline(always)] @@ -87,44 +83,45 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn gamma1_serialize(simd_unit: Self, serialized: &mut [u8]) { - encoding::gamma1::serialize::(simd_unit.coefficients, serialized) + fn gamma1_serialize(simd_unit: &Vec256, serialized: &mut [u8]) { + encoding::gamma1::serialize::(simd_unit, serialized) } #[inline(always)] - fn gamma1_deserialize(serialized: &[u8]) -> Self { - encoding::gamma1::deserialize::(serialized).into() + fn gamma1_deserialize(serialized: &[u8], out: &mut Vec256) { + encoding::gamma1::deserialize::(serialized, out); } #[inline(always)] - fn commitment_serialize(simd_unit: Self, serialized: &mut [u8]) { - encoding::commitment::serialize(simd_unit.coefficients, serialized) + fn commitment_serialize(simd_unit: &Vec256, serialized: &mut [u8]) { + encoding::commitment::serialize(simd_unit, serialized) } #[inline(always)] - fn error_serialize(simd_unit: Self, serialized: &mut [u8]) { - encoding::error::serialize::(simd_unit.coefficients, serialized) + fn error_serialize(simd_unit: &Vec256, serialized: &mut [u8]) { + encoding::error::serialize::(simd_unit, serialized) } #[inline(always)] - fn error_deserialize(serialized: &[u8]) -> Self { - encoding::error::deserialize::(serialized).into() + fn error_deserialize(serialized: &[u8], out: &mut Self::Coefficient) { + encoding::error::deserialize::(serialized, out); } #[inline(always)] - fn t0_serialize(simd_unit: Self) -> [u8; 13] { - encoding::t0::serialize(simd_unit.coefficients) + fn t0_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]) { + // out len 13 + encoding::t0::serialize(simd_unit, out); } #[inline(always)] - fn t0_deserialize(serialized: &[u8]) -> Self { - encoding::t0::deserialize(serialized).into() + fn t0_deserialize(serialized: &[u8], out: &mut Self::Coefficient) { + encoding::t0::deserialize(serialized, out); } #[inline(always)] - fn t1_serialize(simd_unit: Self) -> [u8; 10] { - encoding::t1::serialize(simd_unit.coefficients) + fn t1_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]) { + encoding::t1::serialize(simd_unit, out); } #[inline(always)] - fn t1_deserialize(serialized: &[u8]) -> Self { - encoding::t1::deserialize(serialized).into() + fn t1_deserialize(serialized: &[u8], out: &mut Self::Coefficient) { + encoding::t1::deserialize(serialized, out); } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index 6756fe977..352da5d53 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -119,13 +119,14 @@ pub fn power2round(r0: &mut Vec256, r1: &mut Vec256) { ); *r1 = mm256_srai_epi32::<{ BITS_IN_LOWER_PART_OF_T as i32 }>(*r1); - *r0 = mm256_slli_epi32::<{ BITS_IN_LOWER_PART_OF_T as i32 }>(*r1); - *r0 = mm256_sub_epi32(*r0, *r0); + let tmp = mm256_slli_epi32::<{ BITS_IN_LOWER_PART_OF_T as i32 }>(*r1); + *r0 = mm256_sub_epi32(*r0, tmp); } #[allow(non_snake_case)] #[inline(always)] -pub fn decompose(mut r: Vec256, r0: &mut Vec256, r1: &mut Vec256) { +pub fn decompose(r: &Vec256, r0: &mut Vec256, r1: &mut Vec256) { + let mut r = r.clone(); to_unsigned_representatives(&mut r); let field_modulus_halved = mm256_set1_epi32((FIELD_MODULUS - 1) / 2); @@ -213,7 +214,7 @@ pub fn compute_hint(low: &Vec256, high: &Vec256) -> (usize, V #[inline(always)] pub(crate) fn use_hint(r: &Vec256, hint: &mut Vec256) { let (mut r0, mut r1) = (ZERO(), ZERO()); - decompose::(r.clone(), &mut r0.coefficients, &mut r1.coefficients); + decompose::(r, &mut r0.coefficients, &mut r1.coefficients); let all_zeros = mm256_setzero_si256(); diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/commitment.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/commitment.rs index de6f45d6e..a373300e7 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/commitment.rs @@ -1,13 +1,13 @@ use libcrux_intrinsics::avx2::*; #[inline(always)] -pub(in crate::simd::avx2) fn serialize(simd_unit: Vec256, out: &mut [u8]) { +pub(in crate::simd::avx2) fn serialize(simd_unit: &Vec256, out: &mut [u8]) { let mut serialized = [0u8; 19]; match out.len() as u8 { 4 => { let adjacent_2_combined = - mm256_sllv_epi32(simd_unit, mm256_set_epi32(0, 28, 0, 28, 0, 28, 0, 28)); + mm256_sllv_epi32(*simd_unit, mm256_set_epi32(0, 28, 0, 28, 0, 28, 0, 28)); let adjacent_2_combined = mm256_srli_epi64::<28>(adjacent_2_combined); let adjacent_4_combined = mm256_permutevar8x32_epi32( @@ -30,7 +30,7 @@ pub(in crate::simd::avx2) fn serialize(simd_unit: Vec256, out: &mut [u8]) { 6 => { let adjacent_2_combined = - mm256_sllv_epi32(simd_unit, mm256_set_epi32(0, 26, 0, 26, 0, 26, 0, 26)); + mm256_sllv_epi32(*simd_unit, mm256_set_epi32(0, 26, 0, 26, 0, 26, 0, 26)); let adjacent_2_combined = mm256_srli_epi64::<26>(adjacent_2_combined); let adjacent_3_combined = mm256_shuffle_epi8( diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs index 1bbf3ab75..243b74c8e 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs @@ -1,11 +1,11 @@ use libcrux_intrinsics::avx2::*; #[inline(always)] -fn serialize_when_eta_is_2(simd_unit: Vec256, out: &mut [u8]) { +fn serialize_when_eta_is_2(simd_unit: &Vec256, out: &mut [u8]) { let mut serialized = [0u8; 16]; const ETA: i32 = 2; - let simd_unit_shifted = mm256_sub_epi32(mm256_set1_epi32(ETA), simd_unit); + let simd_unit_shifted = mm256_sub_epi32(mm256_set1_epi32(ETA), *simd_unit); let adjacent_2_combined = mm256_sllv_epi32( simd_unit_shifted, @@ -38,11 +38,11 @@ fn serialize_when_eta_is_2(simd_unit: Vec256, out: &mut [u8]) { } #[inline(always)] -fn serialize_when_eta_is_4(simd_unit: Vec256, out: &mut [u8]) { +fn serialize_when_eta_is_4(simd_unit: &Vec256, out: &mut [u8]) { let mut serialized = [0u8; 16]; const ETA: i32 = 4; - let simd_unit_shifted = mm256_sub_epi32(mm256_set1_epi32(ETA), simd_unit); + let simd_unit_shifted = mm256_sub_epi32(mm256_set1_epi32(ETA), *simd_unit); let adjacent_2_combined = mm256_sllv_epi32( simd_unit_shifted, @@ -66,7 +66,7 @@ fn serialize_when_eta_is_4(simd_unit: Vec256, out: &mut [u8]) { } #[inline(always)] -pub fn serialize(simd_unit: Vec256, serialized: &mut [u8]) { +pub fn serialize(simd_unit: &Vec256, serialized: &mut [u8]) { match ETA as u8 { 2 => serialize_when_eta_is_2(simd_unit, serialized), 4 => serialize_when_eta_is_4(simd_unit, serialized), diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs index dae75a905..bed98d7e3 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs @@ -1,11 +1,11 @@ use libcrux_intrinsics::avx2::*; #[inline(always)] -fn serialize_when_gamma1_is_2_pow_17(simd_unit: Vec256, out: &mut [u8]) { +fn serialize_when_gamma1_is_2_pow_17(simd_unit: &Vec256, out: &mut [u8]) { let mut serialized = [0u8; 32]; const GAMMA1: i32 = 1 << 17; - let simd_unit_shifted = mm256_sub_epi32(mm256_set1_epi32(GAMMA1), simd_unit); + let simd_unit_shifted = mm256_sub_epi32(mm256_set1_epi32(GAMMA1), *simd_unit); let adjacent_2_combined = mm256_sllv_epi32( simd_unit_shifted, @@ -29,11 +29,11 @@ fn serialize_when_gamma1_is_2_pow_17(simd_unit: Vec256, out: &mut [u8]) { } #[inline(always)] -fn serialize_when_gamma1_is_2_pow_19(simd_unit: Vec256, out: &mut [u8]) { +fn serialize_when_gamma1_is_2_pow_19(simd_unit: &Vec256, out: &mut [u8]) { let mut serialized = [0u8; 32]; const GAMMA1: i32 = 1 << 19; - let simd_unit_shifted = mm256_sub_epi32(mm256_set1_epi32(GAMMA1), simd_unit); + let simd_unit_shifted = mm256_sub_epi32(mm256_set1_epi32(GAMMA1), *simd_unit); let adjacent_2_combined = mm256_sllv_epi32( simd_unit_shifted, @@ -61,7 +61,7 @@ fn serialize_when_gamma1_is_2_pow_19(simd_unit: Vec256, out: &mut [u8]) { } #[inline(always)] -pub(crate) fn serialize(simd_unit: Vec256, serialized: &mut [u8]) { +pub(crate) fn serialize(simd_unit: &Vec256, serialized: &mut [u8]) { match GAMMA1_EXPONENT as u8 { 17 => serialize_when_gamma1_is_2_pow_17(simd_unit, serialized), 19 => serialize_when_gamma1_is_2_pow_19(simd_unit, serialized), @@ -70,7 +70,7 @@ pub(crate) fn serialize(simd_unit: Vec256, seriali } #[inline(always)] -fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8]) -> Vec256 { +fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8], out: &mut Vec256) { debug_assert!(serialized.len() == 18); const GAMMA1: i32 = 1 << 17; @@ -81,6 +81,7 @@ fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8]) -> Vec256 { let serialized = mm256_set_m128i(serialized_upper, serialized_lower); + // XXX: use out here let coefficients = mm256_shuffle_epi8( serialized, mm256_set_epi8( @@ -92,11 +93,11 @@ fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8]) -> Vec256 { let coefficients = mm256_srlv_epi32(coefficients, mm256_set_epi32(6, 4, 2, 0, 6, 4, 2, 0)); let coefficients = mm256_and_si256(coefficients, mm256_set1_epi32(GAMMA1_TIMES_2_MASK)); - mm256_sub_epi32(mm256_set1_epi32(GAMMA1), coefficients) + *out = mm256_sub_epi32(mm256_set1_epi32(GAMMA1), coefficients); } #[inline(always)] -fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> Vec256 { +fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8], out: &mut Vec256) { // Each set of 5 bytes deserializes to 2 coefficients, and since each Vec256 // can hold 8 such coefficients, we process 5 * (8 / 2) = 20 bytes in this // function. @@ -121,14 +122,14 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> Vec256 { let coefficients = mm256_srlv_epi32(coefficients, mm256_set_epi32(4, 0, 4, 0, 4, 0, 4, 0)); let coefficients = mm256_and_si256(coefficients, mm256_set1_epi32(GAMMA1_TIMES_2_MASK)); - mm256_sub_epi32(mm256_set1_epi32(GAMMA1), coefficients) + *out = mm256_sub_epi32(mm256_set1_epi32(GAMMA1), coefficients) } #[inline(always)] -pub(crate) fn deserialize(serialized: &[u8]) -> Vec256 { +pub(crate) fn deserialize(serialized: &[u8], out: &mut Vec256) { match GAMMA1_EXPONENT as u8 { - 17 => deserialize_when_gamma1_is_2_pow_17(serialized), - 19 => deserialize_when_gamma1_is_2_pow_19(serialized), + 17 => deserialize_when_gamma1_is_2_pow_17(serialized, out), + 19 => deserialize_when_gamma1_is_2_pow_19(serialized, out), _ => unreachable!(), } } diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/t0.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/t0.rs index 4d3786146..2c45f67e4 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/t0.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/t0.rs @@ -3,14 +3,14 @@ use libcrux_intrinsics::avx2::*; use crate::constants::BITS_IN_LOWER_PART_OF_T; #[inline(always)] -fn change_interval(simd_unit: Vec256) -> Vec256 { +fn change_interval(simd_unit: &Vec256) -> Vec256 { let interval_end = mm256_set1_epi32(1 << (BITS_IN_LOWER_PART_OF_T - 1)); - mm256_sub_epi32(interval_end, simd_unit) + mm256_sub_epi32(interval_end, *simd_unit) } #[inline(always)] -pub(crate) fn serialize(simd_unit: Vec256) -> [u8; 13] { +pub(crate) fn serialize(simd_unit: &Vec256, out: &mut [u8]) { let mut serialized = [0u8; 16]; let simd_unit = change_interval(simd_unit); @@ -34,11 +34,11 @@ pub(crate) fn serialize(simd_unit: Vec256) -> [u8; 13] { let bits_sequential = mm256_castsi256_si128(bits_sequential); mm_storeu_bytes_si128(&mut serialized, bits_sequential); - serialized[0..13].try_into().unwrap() + out.copy_from_slice(&serialized[0..13]) } #[inline(always)] -pub(crate) fn deserialize(serialized: &[u8]) -> Vec256 { +pub(crate) fn deserialize(serialized: &[u8], out: &mut Vec256) { debug_assert_eq!(serialized.len(), 13); const COEFFICIENT_MASK: i32 = (1 << 13) - 1; @@ -49,6 +49,7 @@ pub(crate) fn deserialize(serialized: &[u8]) -> Vec256 { let serialized = mm_loadu_si128(&serialized_extended); let serialized = mm256_set_m128i(serialized, serialized); + // XXX: re-use out variable let coefficients = mm256_shuffle_epi8( serialized, mm256_set_epi8( @@ -60,5 +61,5 @@ pub(crate) fn deserialize(serialized: &[u8]) -> Vec256 { let coefficients = mm256_srlv_epi32(coefficients, mm256_set_epi32(3, 6, 1, 4, 7, 2, 5, 0)); let coefficients = mm256_and_si256(coefficients, mm256_set1_epi32(COEFFICIENT_MASK)); - change_interval(coefficients) + *out = change_interval(&coefficients); } diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/t1.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/t1.rs index 92a511016..9b70584ae 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/t1.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/t1.rs @@ -1,11 +1,13 @@ use libcrux_intrinsics::avx2::*; #[inline(always)] -pub(crate) fn serialize(simd_unit: Vec256) -> [u8; 10] { +pub(crate) fn serialize(simd_unit: &Vec256, out: &mut [u8]) { + debug_assert!(out.len() == 10); + let mut serialized = [0u8; 24]; let adjacent_2_combined = - mm256_sllv_epi32(simd_unit, mm256_set_epi32(0, 22, 0, 22, 0, 22, 0, 22)); + mm256_sllv_epi32(*simd_unit, mm256_set_epi32(0, 22, 0, 22, 0, 22, 0, 22)); let adjacent_2_combined = mm256_srli_epi64::<22>(adjacent_2_combined); let adjacent_4_combined = @@ -24,11 +26,11 @@ pub(crate) fn serialize(simd_unit: Vec256) -> [u8; 10] { let upper_4 = mm256_extracti128_si256::<1>(adjacent_4_combined); mm_storeu_bytes_si128(&mut serialized[5..21], upper_4); - serialized[0..10].try_into().unwrap() + out.copy_from_slice(&serialized[0..10]); } #[inline(always)] -pub(crate) fn deserialize(bytes: &[u8]) -> Vec256 { +pub(crate) fn deserialize(bytes: &[u8], out: &mut Vec256) { debug_assert_eq!(bytes.len(), 10); const COEFFICIENT_MASK: i32 = (1 << 10) - 1; @@ -39,6 +41,7 @@ pub(crate) fn deserialize(bytes: &[u8]) -> Vec256 { let bytes_loaded = mm_loadu_si128(&bytes_extended); let bytes_loaded = mm256_set_m128i(bytes_loaded, bytes_loaded); + // XXX: re-use out let coefficients = mm256_shuffle_epi8( bytes_loaded, mm256_set_epi8( @@ -49,5 +52,5 @@ pub(crate) fn deserialize(bytes: &[u8]) -> Vec256 { let coefficients = mm256_srlv_epi32(coefficients, mm256_set_epi32(6, 4, 2, 0, 6, 4, 2, 0)); - mm256_and_si256(coefficients, mm256_set1_epi32(COEFFICIENT_MASK)) + *out = mm256_and_si256(coefficients, mm256_set1_epi32(COEFFICIENT_MASK)); } diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 3aad0d3a0..79a13d786 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -51,7 +51,7 @@ impl Operations for PortableSIMDUnit { arithmetic::infinity_norm_exceeds(simd_unit, bound) } - fn decompose(simd_unit: Self, low: &mut Self, high: &mut Self) { + fn decompose(simd_unit: &Self::Coefficient, low: &mut Self::Coefficient, high: &mut Self::Coefficient) { arithmetic::decompose::(simd_unit, low, high) } @@ -75,36 +75,36 @@ impl Operations for PortableSIMDUnit { sample::rejection_sample_less_than_eta_equals_4(randomness, out) } - fn gamma1_serialize(simd_unit: Self, serialized: &mut [u8]) { + fn gamma1_serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { encoding::gamma1::serialize::(simd_unit, serialized) } - fn gamma1_deserialize(serialized: &[u8]) -> Self { - encoding::gamma1::deserialize::(serialized) + fn gamma1_deserialize(serialized: &[u8], out: &mut Coefficients) { + encoding::gamma1::deserialize::(serialized, out) } - fn commitment_serialize(simd_unit: Self, serialized: &mut [u8]) { + fn commitment_serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { encoding::commitment::serialize(simd_unit, serialized) } - fn error_serialize(simd_unit: Self, serialized: &mut [u8]) { + fn error_serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { encoding::error::serialize::(simd_unit, serialized) } - fn error_deserialize(serialized: &[u8]) -> Self { - encoding::error::deserialize::(serialized) + fn error_deserialize(serialized: &[u8], out: &mut Coefficients) { + encoding::error::deserialize::(serialized, out); } - fn t0_serialize(simd_unit: Self) -> [u8; 13] { - encoding::t0::serialize(simd_unit) + fn t0_serialize(simd_unit: &Coefficients, out: &mut [u8]) { + encoding::t0::serialize(simd_unit, out) } - fn t0_deserialize(serialized: &[u8]) -> Self { - encoding::t0::deserialize(serialized) + fn t0_deserialize(serialized: &[u8], out: &mut Coefficients) { + encoding::t0::deserialize(serialized, out) } - fn t1_serialize(simd_unit: Self) -> [u8; 10] { - encoding::t1::serialize(simd_unit) + fn t1_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]) { + encoding::t1::serialize(simd_unit, out); } - fn t1_deserialize(serialized: &[u8]) -> Self { - encoding::t1::deserialize(serialized) + fn t1_deserialize(serialized: &[u8], out: &mut Self::Coefficient) { + encoding::t1::deserialize(serialized, out); } fn ntt(simd_units: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT]) { diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 0fbe1ba3b..34e7078c6 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -273,16 +273,12 @@ pub(crate) fn use_one_hint(r: i32, hint: i32) -> i32 { #[inline(always)] pub fn decompose( - simd_unit: PortableSIMDUnit, - low: &mut PortableSIMDUnit, - high: &mut PortableSIMDUnit, + simd_unit: &Coefficients, + low: &mut Coefficients, + high: &mut Coefficients, ) { - for i in 0..low.coefficients.len() { - decompose_element::( - simd_unit.coefficients[i], - &mut low.coefficients[i], - &mut high.coefficients[i], - ); + for i in 0..low.len() { + decompose_element::(simd_unit[i], &mut low[i], &mut high[i]); } } diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs index cfc65ef45..b65111ae8 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs @@ -1,15 +1,13 @@ -use crate::helper::cloop; - -use super::super::vector_type::PortableSIMDUnit; +use crate::{helper::cloop, simd::portable::vector_type::Coefficients}; #[inline(always)] -pub fn serialize(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { +pub fn serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { match serialized.len() as u8 { 4 => { // The commitment has coefficients in [0,15] => each coefficient occupies // 4 bits. cloop! { - for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() { + for (i, coefficients) in simd_unit.chunks_exact(2).enumerate() { let coefficient0 = coefficients[0] as u8; let coefficient1 = coefficients[1] as u8; @@ -23,7 +21,7 @@ pub fn serialize(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { // The commitment has coefficients in [0,43] => each coefficient occupies // 6 bits. cloop! { - for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() { + for (i, coefficients) in simd_unit.chunks_exact(4).enumerate() { let coefficient0 = coefficients[0] as u8; let coefficient1 = coefficients[1] as u8; let coefficient2 = coefficients[2] as u8; diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index 5e84a571a..5afeb47dc 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -1,19 +1,19 @@ -use crate::helper::cloop; +use crate::{helper::cloop, simd::portable::vector_type::Coefficients}; use super::super::vector_type::{PortableSIMDUnit, ZERO}; #[inline(always)] -fn serialize_when_eta_is_2(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { +fn serialize_when_eta_is_2(simd_unit: &Coefficients, serialized: &mut [u8]) { const ETA: i32 = 2; - let coefficient0 = (ETA - simd_unit.coefficients[0]) as u8; - let coefficient1 = (ETA - simd_unit.coefficients[1]) as u8; - let coefficient2 = (ETA - simd_unit.coefficients[2]) as u8; - let coefficient3 = (ETA - simd_unit.coefficients[3]) as u8; - let coefficient4 = (ETA - simd_unit.coefficients[4]) as u8; - let coefficient5 = (ETA - simd_unit.coefficients[5]) as u8; - let coefficient6 = (ETA - simd_unit.coefficients[6]) as u8; - let coefficient7 = (ETA - simd_unit.coefficients[7]) as u8; + let coefficient0 = (ETA - simd_unit[0]) as u8; + let coefficient1 = (ETA - simd_unit[1]) as u8; + let coefficient2 = (ETA - simd_unit[2]) as u8; + let coefficient3 = (ETA - simd_unit[3]) as u8; + let coefficient4 = (ETA - simd_unit[4]) as u8; + let coefficient5 = (ETA - simd_unit[5]) as u8; + let coefficient6 = (ETA - simd_unit[6]) as u8; + let coefficient7 = (ETA - simd_unit[7]) as u8; serialized[0] = (coefficient2 << 6) | (coefficient1 << 3) | coefficient0; serialized[1] = @@ -22,11 +22,11 @@ fn serialize_when_eta_is_2(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { } #[inline(always)] -fn serialize_when_eta_is_4(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { +fn serialize_when_eta_is_4(simd_unit: &Coefficients, serialized: &mut [u8]) { const ETA: i32 = 4; cloop! { - for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() { + for (i, coefficients) in simd_unit.chunks_exact(2).enumerate() { let coefficient0 = (ETA - coefficients[0]) as u8; let coefficient1 = (ETA - coefficients[1]) as u8; @@ -37,7 +37,7 @@ fn serialize_when_eta_is_4(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { } #[inline(always)] -pub(crate) fn serialize(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { +pub(crate) fn serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { match ETA as u8 { 2 => serialize_when_eta_is_2(simd_unit, serialized), 4 => serialize_when_eta_is_4(simd_unit, serialized), @@ -46,49 +46,43 @@ pub(crate) fn serialize(simd_unit: PortableSIMDUnit, serialize } #[inline(always)] -fn deserialize_when_eta_is_2(serialized: &[u8]) -> PortableSIMDUnit { +fn deserialize_when_eta_is_2(serialized: &[u8], simd_unit: &mut Coefficients) { debug_assert!(serialized.len() == 3); - let mut simd_unit = ZERO(); const ETA: i32 = 2; let byte0 = serialized[0] as i32; let byte1 = serialized[1] as i32; let byte2 = serialized[2] as i32; - simd_unit.coefficients[0] = ETA - (byte0 & 7); - simd_unit.coefficients[1] = ETA - ((byte0 >> 3) & 7); - simd_unit.coefficients[2] = ETA - (((byte0 >> 6) | (byte1 << 2)) & 7); - simd_unit.coefficients[3] = ETA - ((byte1 >> 1) & 7); - simd_unit.coefficients[4] = ETA - ((byte1 >> 4) & 7); - simd_unit.coefficients[5] = ETA - (((byte1 >> 7) | (byte2 << 1)) & 7); - simd_unit.coefficients[6] = ETA - ((byte2 >> 2) & 7); - simd_unit.coefficients[7] = ETA - ((byte2 >> 5) & 7); - - simd_unit + simd_unit[0] = ETA - (byte0 & 7); + simd_unit[1] = ETA - ((byte0 >> 3) & 7); + simd_unit[2] = ETA - (((byte0 >> 6) | (byte1 << 2)) & 7); + simd_unit[3] = ETA - ((byte1 >> 1) & 7); + simd_unit[4] = ETA - ((byte1 >> 4) & 7); + simd_unit[5] = ETA - (((byte1 >> 7) | (byte2 << 1)) & 7); + simd_unit[6] = ETA - ((byte2 >> 2) & 7); + simd_unit[7] = ETA - ((byte2 >> 5) & 7); } #[inline(always)] -fn deserialize_when_eta_is_4(serialized: &[u8]) -> PortableSIMDUnit { +fn deserialize_when_eta_is_4(serialized: &[u8], simd_units: &mut Coefficients) { debug_assert!(serialized.len() == 4); - let mut simd_unit = ZERO(); const ETA: i32 = 4; cloop! { for (i, byte) in serialized.iter().enumerate() { - simd_unit.coefficients[2 * i] = ETA - ((byte & 0xF) as i32); - simd_unit.coefficients[2 * i + 1] = ETA - ((byte >> 4) as i32); + simd_units[2 * i] = ETA - ((byte & 0xF) as i32); + simd_units[2 * i + 1] = ETA - ((byte >> 4) as i32); } } - - simd_unit } #[inline(always)] -pub(crate) fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { +pub(crate) fn deserialize(serialized: &[u8], out: &mut Coefficients) { match ETA as u8 { - 2 => deserialize_when_eta_is_2(serialized), - 4 => deserialize_when_eta_is_4(serialized), + 2 => deserialize_when_eta_is_2(serialized, out), + 4 => deserialize_when_eta_is_4(serialized, out), _ => unreachable!(), } } diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs index 5cb53f344..77f86dca5 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs @@ -1,13 +1,11 @@ -use crate::helper::cloop; - -use super::super::vector_type::{PortableSIMDUnit, ZERO}; +use crate::{helper::cloop, simd::portable::vector_type::Coefficients}; #[inline(always)] -fn serialize_when_gamma1_is_2_pow_17(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { +fn serialize_when_gamma1_is_2_pow_17(simd_unit: &Coefficients, serialized: &mut [u8]) { const GAMMA1: i32 = 1 << 17; cloop! { - for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() { + for (i, coefficients) in simd_unit.chunks_exact(4).enumerate() { let coefficient0 = GAMMA1 - coefficients[0]; let coefficient1 = GAMMA1 - coefficients[1]; let coefficient2 = GAMMA1 - coefficients[2]; @@ -37,11 +35,11 @@ fn serialize_when_gamma1_is_2_pow_17(simd_unit: PortableSIMDUnit, serialized: &m } #[inline(always)] -fn serialize_when_gamma1_is_2_pow_19(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { +fn serialize_when_gamma1_is_2_pow_19(simd_unit: &Coefficients, serialized: &mut [u8]) { const GAMMA1: i32 = 1 << 19; cloop! { - for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() { + for (i, coefficients) in simd_unit.chunks_exact(2).enumerate() { let coefficient0 = GAMMA1 - coefficients[0]; let coefficient1 = GAMMA1 - coefficients[1]; @@ -60,7 +58,7 @@ fn serialize_when_gamma1_is_2_pow_19(simd_unit: PortableSIMDUnit, serialized: &m #[inline(always)] pub(crate) fn serialize( - simd_unit: PortableSIMDUnit, + simd_unit: &Coefficients, serialized: &mut [u8], ) { match GAMMA1_EXPONENT as u8 { @@ -71,7 +69,7 @@ pub(crate) fn serialize( } #[inline(always)] -fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8]) -> PortableSIMDUnit { +fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8], simd_unit: &mut Coefficients) { // Each set of 9 bytes deserializes to 4 elements, and since each PortableSIMDUnit // can hold 8, we process 18 bytes in this function. debug_assert!(serialized.len() == 18); @@ -79,8 +77,6 @@ fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8]) -> PortableSIMDUnit { const GAMMA1: i32 = 1 << 17; const GAMMA1_TIMES_2_BITMASK: i32 = (GAMMA1 << 1) - 1; - let mut simd_unit = ZERO(); - cloop! { for (i, bytes) in serialized.chunks_exact(9).enumerate() { let mut coefficient0 = bytes[0] as i32; @@ -103,18 +99,16 @@ fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8]) -> PortableSIMDUnit { coefficient3 |= (bytes[8] as i32) << 10; coefficient3 &= GAMMA1_TIMES_2_BITMASK; - simd_unit.coefficients[4 * i] = GAMMA1 - coefficient0; - simd_unit.coefficients[4 * i + 1] = GAMMA1 - coefficient1; - simd_unit.coefficients[4 * i + 2] = GAMMA1 - coefficient2; - simd_unit.coefficients[4 * i + 3] = GAMMA1 - coefficient3; + simd_unit[4 * i] = GAMMA1 - coefficient0; + simd_unit[4 * i + 1] = GAMMA1 - coefficient1; + simd_unit[4 * i + 2] = GAMMA1 - coefficient2; + simd_unit[4 * i + 3] = GAMMA1 - coefficient3; } } - - simd_unit } #[inline(always)] -fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> PortableSIMDUnit { +fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8], simd_unit: &mut Coefficients) { // Each set of 5 bytes deserializes to 2 elements, and since each PortableSIMDUnit // can hold 8, we process 5 * (8 / 2) = 20 bytes in this function. debug_assert!(serialized.len() == 20); @@ -122,8 +116,6 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> PortableSIMDUnit { const GAMMA1: i32 = 1 << 19; const GAMMA1_TIMES_2_BITMASK: i32 = (GAMMA1 << 1) - 1; - let mut simd_unit = ZERO(); - cloop! { for (i, bytes) in serialized.chunks_exact(5).enumerate() { let mut coefficient0 = bytes[0] as i32; @@ -135,18 +127,16 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> PortableSIMDUnit { coefficient1 |= (bytes[3] as i32) << 4; coefficient1 |= (bytes[4] as i32) << 12; - simd_unit.coefficients[2 * i] = GAMMA1 - coefficient0; - simd_unit.coefficients[2 * i + 1] = GAMMA1 - coefficient1; + simd_unit[2 * i] = GAMMA1 - coefficient0; + simd_unit[2 * i + 1] = GAMMA1 - coefficient1; } } - - simd_unit } #[inline(always)] -pub(crate) fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { +pub(crate) fn deserialize(serialized: &[u8], out: &mut Coefficients) { match GAMMA1_EXPONENT as u8 { - 17 => deserialize_when_gamma1_is_2_pow_17(serialized), - 19 => deserialize_when_gamma1_is_2_pow_19(serialized), + 17 => deserialize_when_gamma1_is_2_pow_17(serialized, out), + 19 => deserialize_when_gamma1_is_2_pow_19(serialized, out), _ => unreachable!(), } } diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs index 626f14c43..a22a153e9 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs @@ -1,6 +1,4 @@ -use crate::constants::BITS_IN_LOWER_PART_OF_T; - -use super::super::vector_type::{PortableSIMDUnit, ZERO}; +use crate::{constants::BITS_IN_LOWER_PART_OF_T, simd::portable::vector_type::Coefficients}; // If t0 is a signed representative, change it to an unsigned one and // vice versa. @@ -10,17 +8,15 @@ fn change_t0_interval(t0: i32) -> i32 { } #[inline(always)] -pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 13] { - let mut serialized = [0u8; 13]; - - let coefficient0 = change_t0_interval(simd_unit.coefficients[0]); - let coefficient1 = change_t0_interval(simd_unit.coefficients[1]); - let coefficient2 = change_t0_interval(simd_unit.coefficients[2]); - let coefficient3 = change_t0_interval(simd_unit.coefficients[3]); - let coefficient4 = change_t0_interval(simd_unit.coefficients[4]); - let coefficient5 = change_t0_interval(simd_unit.coefficients[5]); - let coefficient6 = change_t0_interval(simd_unit.coefficients[6]); - let coefficient7 = change_t0_interval(simd_unit.coefficients[7]); +pub fn serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { + let coefficient0 = change_t0_interval(simd_unit[0]); + let coefficient1 = change_t0_interval(simd_unit[1]); + let coefficient2 = change_t0_interval(simd_unit[2]); + let coefficient3 = change_t0_interval(simd_unit[3]); + let coefficient4 = change_t0_interval(simd_unit[4]); + let coefficient5 = change_t0_interval(simd_unit[5]); + let coefficient6 = change_t0_interval(simd_unit[6]); + let coefficient7 = change_t0_interval(simd_unit[7]); serialized[0] = coefficient0 as u8; @@ -54,12 +50,10 @@ pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 13] { serialized[11] |= (coefficient7 << 3) as u8; serialized[12] = (coefficient7 >> 5) as u8; - - serialized } #[inline(always)] -pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { +pub fn deserialize(serialized: &[u8], simd_unit: &mut Coefficients) { debug_assert!(serialized.len() == 13); const BITS_IN_LOWER_PART_OF_T_MASK: i32 = (1 << (BITS_IN_LOWER_PART_OF_T as i32)) - 1; @@ -114,16 +108,12 @@ pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { coefficient7 |= byte12 << 5; coefficient7 &= BITS_IN_LOWER_PART_OF_T_MASK; - let mut simd_unit = ZERO(); - - simd_unit.coefficients[0] = change_t0_interval(coefficient0); - simd_unit.coefficients[1] = change_t0_interval(coefficient1); - simd_unit.coefficients[2] = change_t0_interval(coefficient2); - simd_unit.coefficients[3] = change_t0_interval(coefficient3); - simd_unit.coefficients[4] = change_t0_interval(coefficient4); - simd_unit.coefficients[5] = change_t0_interval(coefficient5); - simd_unit.coefficients[6] = change_t0_interval(coefficient6); - simd_unit.coefficients[7] = change_t0_interval(coefficient7); - - simd_unit + simd_unit[0] = change_t0_interval(coefficient0); + simd_unit[1] = change_t0_interval(coefficient1); + simd_unit[2] = change_t0_interval(coefficient2); + simd_unit[3] = change_t0_interval(coefficient3); + simd_unit[4] = change_t0_interval(coefficient4); + simd_unit[5] = change_t0_interval(coefficient5); + simd_unit[6] = change_t0_interval(coefficient6); + simd_unit[7] = change_t0_interval(coefficient7); } diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs index 5e39a338c..bc01abda6 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs @@ -1,13 +1,13 @@ -use crate::{constants::BITS_IN_UPPER_PART_OF_T, helper::cloop}; - -use super::super::vector_type::{PortableSIMDUnit, ZERO}; +use crate::{ + constants::BITS_IN_UPPER_PART_OF_T, helper::cloop, simd::portable::vector_type::Coefficients, +}; #[inline(always)] -pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 10] { - let mut serialized = [0u8; 10]; +pub fn serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { + debug_assert!(serialized.len() == 10); cloop! { - for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() { + for (i, coefficients) in simd_unit.chunks_exact(4).enumerate() { serialized[5 * i] = (coefficients[0] & 0xFF) as u8; serialized[5 * i + 1] = ((coefficients[1] & 0x3F) as u8) << 2 | ((coefficients[0] >> 8) & 0x03) as u8; @@ -18,15 +18,12 @@ pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 10] { serialized[5 * i + 4] = ((coefficients[3] >> 2) & 0xFF) as u8; } } - - serialized } #[inline(always)] -pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { +pub fn deserialize(serialized: &[u8], simd_unit: &mut Coefficients) { debug_assert!(serialized.len() == 10); - let mut simd_unit = ZERO(); let mask = (1 << BITS_IN_UPPER_PART_OF_T) - 1; cloop! { @@ -37,12 +34,10 @@ pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { let byte3 = bytes[3] as i32; let byte4 = bytes[4] as i32; - simd_unit.coefficients[4 * i] = (byte0 | (byte1 << 8)) & mask; - simd_unit.coefficients[4 * i + 1] = ((byte1 >> 2) | (byte2 << 6)) & mask; - simd_unit.coefficients[4 * i + 2] = ((byte2 >> 4) | (byte3 << 4)) & mask; - simd_unit.coefficients[4 * i + 3] = ((byte3 >> 6) | (byte4 << 2)) & mask; + simd_unit[4 * i] = (byte0 | (byte1 << 8)) & mask; + simd_unit[4 * i + 1] = ((byte1 >> 2) | (byte2 << 6)) & mask; + simd_unit[4 * i + 2] = ((byte2 >> 4) | (byte3 << 4)) & mask; + simd_unit[4 * i + 3] = ((byte3 >> 6) | (byte4 << 2)) & mask; } } - - simd_unit } diff --git a/libcrux-ml-dsa/src/simd/tests.rs b/libcrux-ml-dsa/src/simd/tests.rs index 964750189..3fc8cb70e 100644 --- a/libcrux-ml-dsa/src/simd/tests.rs +++ b/libcrux-ml-dsa/src/simd/tests.rs @@ -6,64 +6,60 @@ fn test_decompose_generic() { 5520769, 5416853, 180455, 8127421, 5159850, 5553986, 3391280, 3968290, ]); - let expected_low = SIMDUnit::from_coefficient_array(&[ - -2687, 83861, -10009, -62531, 17322, 30530, -37072, -31454, - ]); - let expected_high = SIMDUnit::from_coefficient_array(&[29, 28, 1, 43, 27, 29, 18, 21]); + let expected_low = [-2687, 83861, -10009, -62531, 17322, 30530, -37072, -31454]; + let expected_high = [29, 28, 1, 43, 27, 29, 18, 21]; let (mut low, mut high) = (SIMDUnit::ZERO(), SIMDUnit::ZERO()); - SIMDUnit::decompose::<95_232>(input, &mut low, &mut high); + SIMDUnit::decompose::<95_232>(&input, &mut low, &mut high); + + let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; + SIMDUnit::to_coefficient_array(&low, &mut out); + assert_eq!(out, expected_low); - assert_eq!( - low.to_coefficient_array(), - expected_low.to_coefficient_array() - ); - assert_eq!( - high.to_coefficient_array(), - expected_high.to_coefficient_array() - ); + let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; + SIMDUnit::to_coefficient_array(&high, &mut out); + assert_eq!(out, expected_high); // When GAMMA2 = 261,888 let input = SIMDUnit::from_coefficient_array(&[ 2108939, 7162128, 6506792, 7957464, 2350341, 8333084, 496214, 2168929, ]); - let expected_low = SIMDUnit::from_coefficient_array(&[ + let expected_low = [ 13835, -170736, 221480, 100824, 255237, -47333, -27562, 73825, - ]); - let expected_high = SIMDUnit::from_coefficient_array(&[4, 14, 12, 15, 4, 0, 1, 4]); - - SIMDUnit::decompose::<261_888>(input, &mut low, &mut high); - - assert_eq!( - low.to_coefficient_array(), - expected_low.to_coefficient_array() - ); - assert_eq!( - high.to_coefficient_array(), - expected_high.to_coefficient_array() - ); + ]; + let expected_high = [4, 14, 12, 15, 4, 0, 1, 4]; + + SIMDUnit::decompose::<261_888>(&input, &mut low, &mut high); + + let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; + SIMDUnit::to_coefficient_array(&low, &mut out); + assert_eq!(out, expected_low); + + let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; + SIMDUnit::to_coefficient_array(&high, &mut out); + assert_eq!(out, expected_high); } fn test_power2round_generic() { - let input = SIMDUnit::from_coefficient_array(&[ + let mut input = SIMDUnit::from_coefficient_array(&[ 6950677, 3362411, 5783989, 5909314, 6459529, 5751812, 864332, 3667708, ]); - let expected_low = - SIMDUnit::from_coefficient_array(&[3861, 3691, 437, 2882, -3959, 1028, -4020, -2308]); - let expected_high = SIMDUnit::from_coefficient_array(&[848, 410, 706, 721, 789, 702, 106, 448]); + let expected_low = [3861, 3691, 437, 2882, -3959, 1028, -4020, -2308]; + let expected_high = [848, 410, 706, 721, 789, 702, 106, 448]; + + let mut high = SIMDUnit::from_coefficient_array(&[0; 8]); + SIMDUnit::power2round(&mut input, &mut high); + let low = input; - let (low, high) = SIMDUnit::power2round(input); + let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; + SIMDUnit::to_coefficient_array(&low, &mut out); + assert_eq!(out, expected_low); - assert_eq!( - low.to_coefficient_array(), - expected_low.to_coefficient_array() - ); - assert_eq!( - high.to_coefficient_array(), - expected_high.to_coefficient_array() - ); + let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; + SIMDUnit::to_coefficient_array(&high, &mut out); + assert_eq!(out, expected_high); } #[cfg(not(feature = "simd256"))] diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index eab412cc7..65d03967c 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -27,7 +27,11 @@ pub(crate) trait Operations: Copy + Clone { fn add(lhs: &Self::Coefficient, rhs: &Self::Coefficient) -> Self::Coefficient; fn subtract(lhs: &Self::Coefficient, rhs: &Self::Coefficient) -> Self::Coefficient; fn infinity_norm_exceeds(simd_unit: &Self::Coefficient, bound: i32) -> bool; - fn decompose(simd_unit: Self, low: &mut Self, high: &mut Self); + fn decompose( + simd_unit: &Self::Coefficient, + low: &mut Self::Coefficient, + high: &mut Self::Coefficient, + ); fn compute_hint( low: &Self::Coefficient, high: &Self::Coefficient, @@ -58,23 +62,29 @@ pub(crate) trait Operations: Copy + Clone { // Encoding operations // Gamma1 - fn gamma1_serialize(simd_unit: Self, serialized: &mut [u8]); - fn gamma1_deserialize(serialized: &[u8]) -> Self; + fn gamma1_serialize( + simd_unit: &Self::Coefficient, + serialized: &mut [u8], + ); + fn gamma1_deserialize( + serialized: &[u8], + out: &mut Self::Coefficient, + ); // Commitment - fn commitment_serialize(simd_unit: Self, serialized: &mut [u8]); + fn commitment_serialize(simd_unit: &Self::Coefficient, serialized: &mut [u8]); // Error - fn error_serialize(simd_unit: Self, serialized: &mut [u8]); - fn error_deserialize(serialized: &[u8]) -> Self; + fn error_serialize(simd_unit: &Self::Coefficient, serialized: &mut [u8]); + fn error_deserialize(serialized: &[u8], out: &mut Self::Coefficient); // t0 - fn t0_serialize(simd_unit: Self) -> [u8; 13]; - fn t0_deserialize(serialized: &[u8]) -> Self; + fn t0_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]); // out len 13 + fn t0_deserialize(serialized: &[u8], out: &mut Self::Coefficient); // t1 - fn t1_serialize(simd_unit: Self) -> [u8; 10]; - fn t1_deserialize(serialized: &[u8]) -> Self; + fn t1_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]); // out len 10 + fn t1_deserialize(serialized: &[u8], out: &mut Self::Coefficient); // NTT fn ntt(simd_units: &mut [Self::Coefficient; SIMD_UNITS_IN_RING_ELEMENT]); From 6689ac2a0218f779614b1034bb0ac6e74d7499a3 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 12:13:37 +0000 Subject: [PATCH 07/58] cleanup | portable still broken --- libcrux-ml-dsa/benches/manual65.rs | 12 ++++++------ libcrux-ml-dsa/src/ml_dsa_generic.rs | 1 - libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 16 ++++++---------- libcrux-ml-dsa/src/simd/avx2/vector_type.rs | 15 +-------------- libcrux-ml-dsa/src/simd/portable/arithmetic.rs | 17 +++++++++-------- .../src/simd/portable/encoding/error.rs | 4 ++-- libcrux-ml-dsa/src/simd/portable/encoding/t0.rs | 2 ++ libcrux-ml-dsa/src/simd/portable/invntt.rs | 6 ++++-- libcrux-ml-dsa/src/simd/portable/ntt.rs | 2 +- libcrux-ml-dsa/src/simd/portable/vector_type.rs | 13 ++----------- 10 files changed, 33 insertions(+), 55 deletions(-) diff --git a/libcrux-ml-dsa/benches/manual65.rs b/libcrux-ml-dsa/benches/manual65.rs index bec7eac45..268afa187 100644 --- a/libcrux-ml-dsa/benches/manual65.rs +++ b/libcrux-ml-dsa/benches/manual65.rs @@ -8,12 +8,12 @@ use pqcrypto_dilithium; mod bench_utils; fn main() { - bench_group_libcrux!( - "65 portable", - ml_dsa_65::portable, - MLDSA65KeyPair, - MLDSA65Signature - ); + // bench_group_libcrux!( + // "65 portable", + // ml_dsa_65::portable, + // MLDSA65KeyPair, + // MLDSA65Signature + // ); #[cfg(feature = "simd128")] bench_group_libcrux!( "65 sim1d28", diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 08e792108..5ab54ca76 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -69,7 +69,6 @@ pub(crate) fn generate_key_pair< let mut t0 = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; compute_As1_plus_s2::(&a_as_ntt, &s1_s2, &mut t0); - // let (t0, t1) = let mut t1 = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; power2round_vector::(&mut t0, &mut t1); diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index 352da5d53..da2c8f3bd 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -5,7 +5,7 @@ use crate::{ use libcrux_intrinsics::avx2::*; -use super::vector_type::ZERO; +use super::vector_type::zero; #[inline(always)] fn to_unsigned_representatives(t: &mut Vec256) { @@ -102,11 +102,7 @@ pub fn infinity_norm_exceeds(simd_unit: &Vec256, bound: i32) -> bool { // If every lane of |result| is 0, all coefficients are <= bound - 1 let result = mm256_testz_si256(compare_with_bound, compare_with_bound); - if result == 1 { - false - } else { - true - } + result != 1 } #[inline(always)] @@ -213,8 +209,8 @@ pub fn compute_hint(low: &Vec256, high: &Vec256) -> (usize, V #[inline(always)] pub(crate) fn use_hint(r: &Vec256, hint: &mut Vec256) { - let (mut r0, mut r1) = (ZERO(), ZERO()); - decompose::(r, &mut r0.coefficients, &mut r1.coefficients); + let (mut r0, mut r1) = (zero(), zero()); + decompose::(r, &mut r0, &mut r1); let all_zeros = mm256_setzero_si256(); @@ -223,7 +219,7 @@ pub(crate) fn use_hint(r: &Vec256, hint: &mut Vec256) { // // With this step, |negate_hints| will match |hint| in only those lanes in // which the corresponding r0 value is negative, and will be 0 elsewhere. - let negate_hints = vec256_blendv_epi32(all_zeros, *hint, r0.coefficients); + let negate_hints = vec256_blendv_epi32(all_zeros, *hint, r0); // If a lane in |negate_hints| is 1, it means the corresponding hint was 1, // and the lane value will be doubled. It will remain 0 otherwise. @@ -234,7 +230,7 @@ pub(crate) fn use_hint(r: &Vec256, hint: &mut Vec256) { let hints = mm256_sub_epi32(*hint, negate_hints); // Now add the hints to r1 - let mut r1_plus_hints = mm256_add_epi32(r1.coefficients, hints); + let mut r1_plus_hints = mm256_add_epi32(r1, hints); match GAMMA2 { 95_232 => { diff --git a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs index 8dc487018..4736369d8 100644 --- a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs +++ b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs @@ -3,27 +3,14 @@ use super::SIMD_UNITS_IN_RING_ELEMENT; pub(super) use libcrux_intrinsics::avx2::Vec256; #[derive(Clone, Copy)] -pub struct AVX2SIMDUnit { - pub(crate) coefficients: Vec256, -} +pub struct AVX2SIMDUnit {} pub(crate) type AVX2RingElement = [Vec256; SIMD_UNITS_IN_RING_ELEMENT]; -impl From for AVX2SIMDUnit { - fn from(coefficients: Vec256) -> Self { - Self { coefficients } - } -} - pub(crate) fn zero() -> Vec256 { libcrux_intrinsics::avx2::mm256_setzero_si256() } -#[allow(non_snake_case)] -pub(crate) fn ZERO() -> AVX2SIMDUnit { - libcrux_intrinsics::avx2::mm256_setzero_si256().into() -} - pub(crate) fn from_coefficient_array(coefficient_array: &[i32]) -> Vec256 { libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array) } diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 34e7078c6..55fd0e614 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -1,4 +1,4 @@ -use super::vector_type::{zero, Coefficients, FieldElement, PortableSIMDUnit, ZERO}; +use super::vector_type::{zero, Coefficients, FieldElement}; use crate::{ constants::BITS_IN_LOWER_PART_OF_T, helper::cloop, @@ -194,7 +194,7 @@ pub(super) fn compute_hint( // Note that 0 ≤ r₁ < (q-1)/α. #[allow(non_snake_case)] #[inline(always)] -fn decompose_element(r: i32, r0: &mut i32, r1: &mut i32) { +fn decompose_element(r: i32) -> (i32, i32) { debug_assert!(r > -FIELD_MODULUS && r < FIELD_MODULUS); // Convert the signed representative to the standard unsigned one. @@ -202,7 +202,7 @@ fn decompose_element(r: i32, r0: &mut i32, r1: &mut i32) { let ALPHA = GAMMA2 * 2; - *r1 = { + let r1 = { // Compute ⌈r / 128⌉ let ceil_of_r_by_128 = (r + 127) >> 7; @@ -227,18 +227,19 @@ fn decompose_element(r: i32, r0: &mut i32, r1: &mut i32) { } }; - *r0 = r - (*r1 * ALPHA); + let mut r0 = r - (r1 * ALPHA); // In the corner-case, when we set a₁=0, we will incorrectly // have a₀ > (q-1)/2 and we'll need to subtract q. As we // return a₀ + q, that comes down to adding q if a₀ < (q-1)/2. - *r0 -= (((FIELD_MODULUS - 1) / 2 - *r0) >> 31) & FIELD_MODULUS; + r0 -= (((FIELD_MODULUS - 1) / 2 - r0) >> 31) & FIELD_MODULUS; + + (r0, r1) } #[inline(always)] pub(crate) fn use_one_hint(r: i32, hint: i32) -> i32 { - let (mut r0, mut r1) = (0, 0); - decompose_element::(r, &mut r0, &mut r1); + let (r0, r1) = decompose_element::(r); if hint == 0 { return r1; @@ -278,7 +279,7 @@ pub fn decompose( high: &mut Coefficients, ) { for i in 0..low.len() { - decompose_element::(simd_unit[i], &mut low[i], &mut high[i]); + (low[i], high[i]) = decompose_element::(simd_unit[i]); } } diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index 5afeb47dc..34320e662 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -1,9 +1,9 @@ use crate::{helper::cloop, simd::portable::vector_type::Coefficients}; -use super::super::vector_type::{PortableSIMDUnit, ZERO}; - #[inline(always)] fn serialize_when_eta_is_2(simd_unit: &Coefficients, serialized: &mut [u8]) { + debug_assert!(serialized.len() == 3); + const ETA: i32 = 2; let coefficient0 = (ETA - simd_unit[0]) as u8; diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs index a22a153e9..fff245cc7 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs @@ -9,6 +9,8 @@ fn change_t0_interval(t0: i32) -> i32 { #[inline(always)] pub fn serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { + debug_assert!(serialized.len() == 13); + let coefficient0 = change_t0_interval(simd_unit[0]); let coefficient1 = change_t0_interval(simd_unit[1]); let coefficient2 = change_t0_interval(simd_unit[2]); diff --git a/libcrux-ml-dsa/src/simd/portable/invntt.rs b/libcrux-ml-dsa/src/simd/portable/invntt.rs index 19a7a3fef..90993df81 100644 --- a/libcrux-ml-dsa/src/simd/portable/invntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/invntt.rs @@ -1,5 +1,5 @@ use super::arithmetic::{self, montgomery_multiply_fe_by_fer}; -use super::vector_type::{Coefficients, PortableSIMDUnit}; +use super::vector_type::Coefficients; use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; #[inline(always)] @@ -204,8 +204,10 @@ fn outer_3_plus( re: &mut [Coefficients; SIMD_UNITS_IN_RING_ELEMENT], ) { for j in OFFSET..OFFSET + STEP_BY { - re[j + STEP_BY] = arithmetic::subtract(&re[j + STEP_BY], &re[j]); + // XXX: make nicer + let a_minus_b = arithmetic::subtract(&re[j + STEP_BY], &re[j]); re[j] = arithmetic::add(&re[j], &re[j + STEP_BY]); + re[j + STEP_BY] = a_minus_b; arithmetic::montgomery_multiply_by_constant(&mut re[j + STEP_BY], ZETA); } () diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs index d6f50474d..9d3f96cd1 100644 --- a/libcrux-ml-dsa/src/simd/portable/ntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs @@ -1,5 +1,5 @@ use super::arithmetic::{self, montgomery_multiply_by_constant, montgomery_multiply_fe_by_fer}; -use super::vector_type::{Coefficients, PortableSIMDUnit}; +use super::vector_type::Coefficients; use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/portable/vector_type.rs b/libcrux-ml-dsa/src/simd/portable/vector_type.rs index 8f1b9b820..6a3abf05f 100644 --- a/libcrux-ml-dsa/src/simd/portable/vector_type.rs +++ b/libcrux-ml-dsa/src/simd/portable/vector_type.rs @@ -4,9 +4,7 @@ use crate::simd::traits::COEFFICIENTS_IN_SIMD_UNIT; pub(crate) type FieldElement = i32; #[derive(Clone, Copy)] -pub(crate) struct PortableSIMDUnit { - pub(crate) coefficients: Coefficients, -} +pub(crate) struct PortableSIMDUnit {} pub(super) type Coefficients = [FieldElement; COEFFICIENTS_IN_SIMD_UNIT]; @@ -14,15 +12,8 @@ pub(crate) fn zero() -> Coefficients { [0i32; COEFFICIENTS_IN_SIMD_UNIT] } -#[allow(non_snake_case)] -pub(crate) fn ZERO() -> PortableSIMDUnit { - PortableSIMDUnit { - coefficients: [0i32; COEFFICIENTS_IN_SIMD_UNIT], - } -} - pub(crate) fn from_coefficient_array(array: &[i32]) -> Coefficients { - array[0..8].try_into().unwrap() + array[0..COEFFICIENTS_IN_SIMD_UNIT].try_into().unwrap() } #[inline(always)] From ebffd6c5afc2c8c725b56165b319c0b392db63d2 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 12:47:30 +0000 Subject: [PATCH 08/58] fix portable --- libcrux-ml-dsa/Cargo.toml | 1 + libcrux-ml-dsa/benches/manual65.rs | 12 +++++----- libcrux-ml-dsa/src/simd/avx2.rs | 10 +++++++++ libcrux-ml-dsa/src/simd/portable.rs | 22 ++++++++++++++++--- .../src/simd/portable/arithmetic.rs | 10 ++++----- libcrux-ml-dsa/src/simd/traits.rs | 2 ++ 6 files changed, 43 insertions(+), 14 deletions(-) diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml index 03104549f..c261861ba 100644 --- a/libcrux-ml-dsa/Cargo.toml +++ b/libcrux-ml-dsa/Cargo.toml @@ -34,6 +34,7 @@ default = ["std", "mldsa44", "mldsa65", "mldsa87"] simd128 = ["libcrux-sha3/simd128", "libcrux-intrinsics/simd128"] simd256 = ["libcrux-sha3/simd256", "libcrux-intrinsics/simd256"] acvp = [] # expose internal API for ACVP testing +test-utils = [] # exposing internal functions for testing # Features for the different key sizes of ML-DSA mldsa44 = [] diff --git a/libcrux-ml-dsa/benches/manual65.rs b/libcrux-ml-dsa/benches/manual65.rs index 268afa187..bec7eac45 100644 --- a/libcrux-ml-dsa/benches/manual65.rs +++ b/libcrux-ml-dsa/benches/manual65.rs @@ -8,12 +8,12 @@ use pqcrypto_dilithium; mod bench_utils; fn main() { - // bench_group_libcrux!( - // "65 portable", - // ml_dsa_65::portable, - // MLDSA65KeyPair, - // MLDSA65Signature - // ); + bench_group_libcrux!( + "65 portable", + ml_dsa_65::portable, + MLDSA65KeyPair, + MLDSA65Signature + ); #[cfg(feature = "simd128")] bench_group_libcrux!( "65 sim1d28", diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 23db57220..bbe077e2e 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -27,6 +27,16 @@ impl Operations for AVX2SIMDUnit { fn to_coefficient_array(value: &Vec256, out: &mut [i32]) { vector_type::to_coefficient_array(value, out) } + + #[cfg(any(test, feature = "test-utils"))] + fn to_coefficient_array_test( + value: &Self::Coefficient, + ) -> [i32; super::traits::COEFFICIENTS_IN_SIMD_UNIT] { + let mut out = [0i32; super::traits::COEFFICIENTS_IN_SIMD_UNIT]; + libcrux_intrinsics::avx2::mm256_storeu_si256_i32(&mut out, *value); + out + } + #[inline(always)] fn add(lhs: &Vec256, rhs: &Vec256) -> Vec256 { arithmetic::add(lhs, rhs) diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 79a13d786..e5d4ddef3 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -27,6 +27,15 @@ impl Operations for PortableSIMDUnit { vector_type::to_coefficient_array(value, out) } + #[cfg(any(test, feature = "test-utils"))] + fn to_coefficient_array_test( + value: &Self::Coefficient, + ) -> [i32; super::traits::COEFFICIENTS_IN_SIMD_UNIT] { + let mut out = [0i32; super::traits::COEFFICIENTS_IN_SIMD_UNIT]; + out.copy_from_slice(value); + out + } + fn add(lhs: &Coefficients, rhs: &Coefficients) -> Coefficients { arithmetic::add(lhs, rhs) } @@ -51,7 +60,11 @@ impl Operations for PortableSIMDUnit { arithmetic::infinity_norm_exceeds(simd_unit, bound) } - fn decompose(simd_unit: &Self::Coefficient, low: &mut Self::Coefficient, high: &mut Self::Coefficient) { + fn decompose( + simd_unit: &Self::Coefficient, + low: &mut Self::Coefficient, + high: &mut Self::Coefficient, + ) { arithmetic::decompose::(simd_unit, low, high) } @@ -75,7 +88,10 @@ impl Operations for PortableSIMDUnit { sample::rejection_sample_less_than_eta_equals_4(randomness, out) } - fn gamma1_serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { + fn gamma1_serialize( + simd_unit: &Coefficients, + serialized: &mut [u8], + ) { encoding::gamma1::serialize::(simd_unit, serialized) } fn gamma1_deserialize(serialized: &[u8], out: &mut Coefficients) { @@ -93,7 +109,7 @@ impl Operations for PortableSIMDUnit { encoding::error::deserialize::(serialized, out); } - fn t0_serialize(simd_unit: &Coefficients, out: &mut [u8]) { + fn t0_serialize(simd_unit: &Coefficients, out: &mut [u8]) { encoding::t0::serialize(simd_unit, out) } fn t0_deserialize(serialized: &[u8], out: &mut Coefficients) { diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 55fd0e614..53f80c646 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -102,7 +102,7 @@ fn power2round_element(t: i32) -> (i32, i32) { #[inline(always)] pub(super) fn power2round(t0: &mut Coefficients, t1: &mut Coefficients) { for i in 0..t0.len() { - (t0[i], t1[1]) = power2round_element(t0[i]); + (t0[i], t1[i]) = power2round_element(t0[i]); } } @@ -132,6 +132,7 @@ pub(super) fn infinity_norm_exceeds(simd_unit: &Coefficients, bound: i32) -> boo let sign = coefficient >> 31; let normalized = coefficient - (sign & (2 * coefficient)); + // FIXME: return exceeds = exceeds || normalized >= bound; } } @@ -192,7 +193,6 @@ pub(super) fn compute_hint( // - α/2 ≤ r₀ < 0. // // Note that 0 ≤ r₁ < (q-1)/α. -#[allow(non_snake_case)] #[inline(always)] fn decompose_element(r: i32) -> (i32, i32) { debug_assert!(r > -FIELD_MODULUS && r < FIELD_MODULUS); @@ -200,13 +200,13 @@ fn decompose_element(r: i32) -> (i32, i32) { // Convert the signed representative to the standard unsigned one. let r = r + ((r >> 31) & FIELD_MODULUS); - let ALPHA = GAMMA2 * 2; + let alpha = GAMMA2 * 2; let r1 = { // Compute ⌈r / 128⌉ let ceil_of_r_by_128 = (r + 127) >> 7; - match ALPHA { + match alpha { 190_464 => { // We approximate 1 / 1488 as: // ⌊2²⁴ / 1488⌋ / 2²⁴ = 11,275 / 2²⁴ @@ -227,7 +227,7 @@ fn decompose_element(r: i32) -> (i32, i32) { } }; - let mut r0 = r - (r1 * ALPHA); + let mut r0 = r - (r1 * alpha); // In the corner-case, when we set a₁=0, we will incorrectly // have a₀ > (q-1)/2 and we'll need to subtract q. As we diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 65d03967c..dea3bcb94 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -22,6 +22,8 @@ pub(crate) trait Operations: Copy + Clone { fn from_coefficient_array(array: &[i32]) -> Self::Coefficient; fn to_coefficient_array(value: &Self::Coefficient, out: &mut [i32]); + #[cfg(any(test, feature = "test-utils"))] + fn to_coefficient_array_test(value: &Self::Coefficient) -> [i32; COEFFICIENTS_IN_SIMD_UNIT]; // Arithmetic fn add(lhs: &Self::Coefficient, rhs: &Self::Coefficient) -> Self::Coefficient; From f68928907edf492a6205d110cc81fada1c1b2b4b Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 12:57:21 +0000 Subject: [PATCH 09/58] fixup neon --- libcrux-ml-dsa/src/samplex4.rs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index 3c6246c5f..e2b9f814b 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -386,15 +386,16 @@ pub(crate) mod neon { pub(crate) struct NeonSampler {} impl X4Sampler for NeonSampler { #[inline(always)] - fn matrix_A( - seed: [u8; 34], - ) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { + fn matrix( + seed: &[u8], + matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + ) { matrix_generic::< SIMDUnit, crate::hash_functions::neon::Shake128x4, ROWS_IN_A, COLUMNS_IN_A, - >(seed) + >(seed, matrix) } } } From 2c4102be85668a3edbb2c774ae5a4a2b9ca4e396 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 13:15:13 +0000 Subject: [PATCH 10/58] more mut --- libcrux-ml-dsa/src/arithmetic.rs | 6 ++-- libcrux-ml-dsa/src/matrix.rs | 24 ++++++---------- libcrux-ml-dsa/src/ml_dsa_generic.rs | 28 +++++++++---------- libcrux-ml-dsa/src/polynomial.rs | 15 ++-------- libcrux-ml-dsa/src/simd/avx2.rs | 11 +------- libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 4 +-- libcrux-ml-dsa/src/simd/avx2/invntt.rs | 21 ++++++++------ libcrux-ml-dsa/src/simd/avx2/ntt.rs | 19 +++++++------ libcrux-ml-dsa/src/simd/portable.rs | 11 +------- .../src/simd/portable/arithmetic.rs | 10 ++----- libcrux-ml-dsa/src/simd/portable/invntt.rs | 5 ++-- libcrux-ml-dsa/src/simd/portable/ntt.rs | 2 +- libcrux-ml-dsa/src/simd/traits.rs | 4 +-- 13 files changed, 63 insertions(+), 97 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index 2b24e5036..da4c106b7 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -5,7 +5,7 @@ use crate::{ #[inline(always)] pub(crate) fn vector_infinity_norm_exceeds( - vector: [PolynomialRingElement; DIMENSION], + vector: &[PolynomialRingElement; DIMENSION], bound: i32, ) -> bool { let mut exceeds = false; @@ -62,8 +62,8 @@ pub(crate) fn decompose_vector( - low: [PolynomialRingElement; DIMENSION], - high: [PolynomialRingElement; DIMENSION], + low: &[PolynomialRingElement; DIMENSION], + high: &[PolynomialRingElement; DIMENSION], ) -> ([[i32; COEFFICIENTS_IN_RING_ELEMENT]; DIMENSION], usize) { let mut hint = [[0; COEFFICIENTS_IN_RING_ELEMENT]; DIMENSION]; let mut true_hints = 0; diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index 612cf7577..28e086f50 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -8,9 +8,8 @@ use crate::{ }; /// Compute InvertNTT(Â ◦ ŝ₁) + s₂ -#[allow(non_snake_case)] #[inline(always)] -pub(crate) fn compute_As1_plus_s2< +pub(crate) fn compute_as1_plus_s2< SIMDUnit: Operations, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, @@ -31,13 +30,13 @@ pub(crate) fn compute_As1_plus_s2< // XXX: Make this better let mut product = a_as_ntt[i][j]; ntt_multiply_montgomery::(&mut product, &s1_ntt[j]); - result[i] = PolynomialRingElement::add(&result[i], &product); + PolynomialRingElement::add(&mut result[i], &product); } } for i in 0..result.len() { invert_ntt_montgomery::(&mut result[i]); - result[i] = PolynomialRingElement::add(&result[i], &s1_s2[COLUMNS_IN_A + i]); + PolynomialRingElement::add(&mut result[i], &s1_s2[COLUMNS_IN_A + i]); } } @@ -65,7 +64,7 @@ pub(crate) fn compute_matrix_x_mask< // XXX: Make this better let mut product = mask_ntt[j]; ntt_multiply_montgomery(&mut product, &ring_element); - result[i] = PolynomialRingElement::::add(&result[i], &product); + PolynomialRingElement::::add(&mut result[i], &product); } } @@ -91,22 +90,16 @@ pub(crate) fn vector_times_ring_element( - lhs: &[PolynomialRingElement; DIMENSION], + lhs: &mut [PolynomialRingElement; DIMENSION], rhs: &[PolynomialRingElement; DIMENSION], -) -> [PolynomialRingElement; DIMENSION] { - let mut result = [PolynomialRingElement::::ZERO(); DIMENSION]; - +) { for i in 0..DIMENSION { - result[i] = PolynomialRingElement::::add(&lhs[i], &rhs[i]); + PolynomialRingElement::::add(&mut lhs[i], &rhs[i]); } - - result } -#[allow(non_snake_case)] #[inline(always)] pub(crate) fn subtract_vectors( lhs: &[PolynomialRingElement; DIMENSION], @@ -147,8 +140,7 @@ pub(crate) fn compute_w_approx< // XXX: make nicer let mut product = ring_element.clone(); ntt_multiply_montgomery(&mut product, &signer_response[j]); - - PolynomialRingElement::::add_mut(&mut inner_result, &product); + PolynomialRingElement::::add(&mut inner_result, &product); } } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 5ab54ca76..fb7c1e1f7 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -6,7 +6,7 @@ use crate::{ encoding::{self, signature::Signature}, hash_functions::{shake128, shake256}, matrix::{ - add_vectors, compute_As1_plus_s2, compute_matrix_x_mask, compute_w_approx, + add_vectors, compute_as1_plus_s2, compute_matrix_x_mask, compute_w_approx, subtract_vectors, vector_times_ring_element, }, ntt::ntt, @@ -67,7 +67,7 @@ pub(crate) fn generate_key_pair< ); let mut t0 = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; - compute_As1_plus_s2::(&a_as_ntt, &s1_s2, &mut t0); + compute_as1_plus_s2::(&a_as_ntt, &s1_s2, &mut t0); let mut t1 = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; power2round_vector::(&mut t0, &mut t1); @@ -360,21 +360,20 @@ pub(crate) fn sign_internal< let challenge_times_s2 = vector_times_ring_element::(&s2_as_ntt, &verifier_challenge); - let signer_response_candidate = - add_vectors::(&mask, &challenge_times_s1); + add_vectors::(&mut mask, &challenge_times_s1); - let w0_minus_challenge_times_s2 = + let mut w0_minus_challenge_times_s2 = subtract_vectors::(&w0, &challenge_times_s2); if vector_infinity_norm_exceeds::( - signer_response_candidate, + &mask, (1 << GAMMA1_EXPONENT) - BETA, ) { // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { if vector_infinity_norm_exceeds::( - w0_minus_challenge_times_s2, + &w0_minus_challenge_times_s2, GAMMA2 - BETA, ) { // XXX: https://github.com/hacspec/hax/issues/1171 @@ -384,17 +383,18 @@ pub(crate) fn sign_internal< &t0_as_ntt, &verifier_challenge, ); - if vector_infinity_norm_exceeds::(challenge_times_t0, GAMMA2) { + if vector_infinity_norm_exceeds::(&challenge_times_t0, GAMMA2) + { // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { - let w0_minus_c_times_s2_plus_c_times_t0 = add_vectors::( - &w0_minus_challenge_times_s2, + add_vectors::( + &mut w0_minus_challenge_times_s2, &challenge_times_t0, ); let (hint_candidate, ones_in_hint) = make_hint::( - w0_minus_c_times_s2_plus_c_times_t0, - commitment, + &w0_minus_challenge_times_s2, + &commitment, ); if ones_in_hint > MAX_ONES_IN_HINT { @@ -403,7 +403,7 @@ pub(crate) fn sign_internal< } else { attempt = REJECTION_SAMPLE_BOUND_SIGN; // exit loop now commitment_hash = Some(commitment_hash_candidate); - signer_response = Some(signer_response_candidate); + signer_response = Some(mask); hint = Some(hint_candidate); } } @@ -528,7 +528,7 @@ pub(crate) fn verify_internal< // We use if-else branches because early returns will not go through hax. if vector_infinity_norm_exceeds::( - signature.signer_response, + &signature.signer_response, (2 << GAMMA1_EXPONENT) - BETA, ) { return Err(VerificationError::SignerResponseExceedsBoundError); diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index 9625fcbe6..45507de8e 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -57,20 +57,9 @@ impl PolynomialRingElement { } #[inline(always)] - pub(crate) fn add(&self, rhs: &Self) -> Self { - let mut sum = Self::ZERO(); - - for i in 0..sum.simd_units.len() { - sum.simd_units[i] = SIMDUnit::add(&self.simd_units[i], &rhs.simd_units[i]); - } - - sum - } - - #[inline(always)] - pub(crate) fn add_mut(&mut self, rhs: &Self) { + pub(crate) fn add(&mut self, rhs: &Self) { for i in 0..self.simd_units.len() { - self.simd_units[i] = SIMDUnit::add(&self.simd_units[i], &rhs.simd_units[i]); + SIMDUnit::add(&mut self.simd_units[i], &rhs.simd_units[i]); } } diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index bbe077e2e..ade225e5e 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -28,17 +28,8 @@ impl Operations for AVX2SIMDUnit { vector_type::to_coefficient_array(value, out) } - #[cfg(any(test, feature = "test-utils"))] - fn to_coefficient_array_test( - value: &Self::Coefficient, - ) -> [i32; super::traits::COEFFICIENTS_IN_SIMD_UNIT] { - let mut out = [0i32; super::traits::COEFFICIENTS_IN_SIMD_UNIT]; - libcrux_intrinsics::avx2::mm256_storeu_si256_i32(&mut out, *value); - out - } - #[inline(always)] - fn add(lhs: &Vec256, rhs: &Vec256) -> Vec256 { + fn add(lhs: &mut Vec256, rhs: &Vec256) { arithmetic::add(lhs, rhs) } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index da2c8f3bd..d93773018 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -16,8 +16,8 @@ fn to_unsigned_representatives(t: &mut Vec256) { } #[inline(always)] -pub fn add(lhs: &Vec256, rhs: &Vec256) -> Vec256 { - mm256_add_epi32(*lhs, *rhs) +pub fn add(lhs: &mut Vec256, rhs: &Vec256) { + *lhs = mm256_add_epi32(*lhs, *rhs) } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/invntt.rs b/libcrux-ml-dsa/src/simd/avx2/invntt.rs index f2b50daf3..18c911a11 100644 --- a/libcrux-ml-dsa/src/simd/avx2/invntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/invntt.rs @@ -44,11 +44,12 @@ fn simd_unit_invert_ntt_at_layer_0( let a_shuffled = mm256_shuffle_epi32::(simd_unit0); let b_shuffled = mm256_shuffle_epi32::(simd_unit1); - let lo_values = mm256_unpacklo_epi64(a_shuffled, b_shuffled); + let mut lo_values = mm256_unpacklo_epi64(a_shuffled, b_shuffled); let hi_values = mm256_unpackhi_epi64(a_shuffled, b_shuffled); - let sums = arithmetic::add(&lo_values, &hi_values); let mut differences = arithmetic::subtract(&hi_values, &lo_values); + arithmetic::add(&mut lo_values, &hi_values); + let sums = lo_values; let zetas = mm256_set_epi32( zeta13, zeta12, zeta03, zeta02, zeta11, zeta10, zeta01, zeta00, @@ -73,11 +74,12 @@ fn simd_unit_invert_ntt_at_layer_1( zeta10: i32, zeta11: i32, ) -> (Vec256, Vec256) { - let lo_values = mm256_unpacklo_epi64(simd_unit0, simd_unit1); + let mut lo_values = mm256_unpacklo_epi64(simd_unit0, simd_unit1); let hi_values = mm256_unpackhi_epi64(simd_unit0, simd_unit1); - let sums = arithmetic::add(&lo_values, &hi_values); let mut differences = arithmetic::subtract(&hi_values, &lo_values); + arithmetic::add(&mut lo_values, &hi_values); + let sums = lo_values; let zetas = mm256_set_epi32( zeta11, zeta11, zeta01, zeta01, zeta10, zeta10, zeta00, zeta00, @@ -97,11 +99,12 @@ fn simd_unit_invert_ntt_at_layer_2( zeta0: i32, zeta1: i32, ) -> (Vec256, Vec256) { - let lo_values = mm256_permute2x128_si256::<0x20>(simd_unit0, simd_unit1); + let mut lo_values = mm256_permute2x128_si256::<0x20>(simd_unit0, simd_unit1); let hi_values = mm256_permute2x128_si256::<0x31>(simd_unit0, simd_unit1); - let sums = arithmetic::add(&lo_values, &hi_values); let mut differences = arithmetic::subtract(&hi_values, &lo_values); + arithmetic::add(&mut lo_values, &hi_values); + let sums = lo_values; let zetas = mm256_set_epi32(zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); arithmetic::montgomery_multiply(&mut differences, &zetas); @@ -264,8 +267,10 @@ fn outer_3_plus( re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], ) { for j in OFFSET..OFFSET + STEP_BY { - let a_minus_b = arithmetic::subtract(&re[j + STEP_BY], &re[j]); - re[j] = arithmetic::add(&re[j], &re[j + STEP_BY]); + // XXX: make nicer + let rejs = re[j + STEP_BY]; + let a_minus_b = arithmetic::subtract(&rejs, &re[j]); + arithmetic::add(&mut re[j], &rejs); re[j + STEP_BY] = arithmetic::montgomery_multiply_by_constant(a_minus_b, ZETA); } () diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index ab01fad61..2fb02d4a7 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -29,7 +29,7 @@ fn butterfly_2( // Now we can use the same approach as for `butterfly_4`, only // zetas need to be adjusted. - let summands = mm256_unpacklo_epi64(a_shuffled, b_shuffled); + let mut summands = mm256_unpacklo_epi64(a_shuffled, b_shuffled); let mut zeta_products = mm256_unpackhi_epi64(a_shuffled, b_shuffled); let zetas = mm256_set_epi32( zeta_b3, zeta_b2, zeta_a3, zeta_a2, zeta_b1, zeta_b0, zeta_a1, zeta_a0, @@ -37,8 +37,9 @@ fn butterfly_2( arithmetic::montgomery_multiply(&mut zeta_products, &zetas); - let add_terms = arithmetic::add(&summands, &zeta_products); let sub_terms = arithmetic::subtract(&summands, &zeta_products); + arithmetic::add(&mut summands, &zeta_products); + let add_terms = summands; let a_terms_shuffled = mm256_unpacklo_epi64(add_terms, sub_terms); let b_terms_shuffled = mm256_unpackhi_epi64(add_terms, sub_terms); @@ -60,7 +61,7 @@ fn butterfly_4( zeta_b0: i32, zeta_b1: i32, ) -> (Vec256, Vec256) { - let summands = mm256_unpacklo_epi64(a, b); + let mut summands = mm256_unpacklo_epi64(a, b); let mut zeta_products = mm256_unpackhi_epi64(a, b); let zetas = mm256_set_epi32( @@ -68,8 +69,9 @@ fn butterfly_4( ); arithmetic::montgomery_multiply(&mut zeta_products, &zetas); - let add_terms = arithmetic::add(&summands, &zeta_products); let sub_terms = arithmetic::subtract(&summands, &zeta_products); + arithmetic::add(&mut summands, &zeta_products); + let add_terms = summands; // Results are shuffled across the two SIMD registers. // We need to bring them in the right order. @@ -82,14 +84,15 @@ fn butterfly_4( // Compute (a,b) ↦ (a + ζb, a - ζb) at layer 2 for 2 SIMD Units in one go. #[inline(always)] fn butterfly_8(a: Vec256, b: Vec256, zeta0: i32, zeta1: i32) -> (Vec256, Vec256) { - let summands = mm256_set_m128i(mm256_castsi256_si128(b), mm256_castsi256_si128(a)); + let mut summands = mm256_set_m128i(mm256_castsi256_si128(b), mm256_castsi256_si128(a)); let mut zeta_products = mm256_permute2x128_si256::<0b0001_0011>(b, a); let zetas = mm256_set_epi32(zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); arithmetic::montgomery_multiply(&mut zeta_products, &zetas); - let add_terms = arithmetic::add(&summands, &zeta_products); let sub_terms = arithmetic::subtract(&summands, &zeta_products); + arithmetic::add(&mut summands, &zeta_products); + let add_terms = summands; let a_out = mm256_set_m128i( mm256_castsi256_si128(sub_terms), @@ -287,7 +290,7 @@ unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { let t = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); // 0xAA re[index + step_by] = arithmetic::subtract(&re[index], &t); - re[index] = arithmetic::add(&re[index], &t); + arithmetic::add(&mut re[index], &t); } macro_rules! layer { @@ -366,7 +369,7 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { arithmetic::montgomery_multiply(&mut t, &rhs); re[j + STEP_BY] = arithmetic::subtract(&re[j], &t); - re[j] = arithmetic::add(&re[j], &t); + arithmetic::add(&mut re[j], &t); } () // Needed because of https://github.com/hacspec/hax/issues/720 } diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index e5d4ddef3..c1d26cfb2 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -27,16 +27,7 @@ impl Operations for PortableSIMDUnit { vector_type::to_coefficient_array(value, out) } - #[cfg(any(test, feature = "test-utils"))] - fn to_coefficient_array_test( - value: &Self::Coefficient, - ) -> [i32; super::traits::COEFFICIENTS_IN_SIMD_UNIT] { - let mut out = [0i32; super::traits::COEFFICIENTS_IN_SIMD_UNIT]; - out.copy_from_slice(value); - out - } - - fn add(lhs: &Coefficients, rhs: &Coefficients) -> Coefficients { + fn add(lhs: &mut Coefficients, rhs: &Coefficients) { arithmetic::add(lhs, rhs) } diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 53f80c646..8202397e4 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -10,14 +10,10 @@ use crate::{ pub(crate) const MONTGOMERY_SHIFT: u8 = 32; #[inline(always)] -pub fn add(lhs: &Coefficients, rhs: &Coefficients) -> Coefficients { - let mut sum = zero(); - - for i in 0..sum.len() { - sum[i] = lhs[i] + rhs[i]; +pub fn add(lhs: &mut Coefficients, rhs: &Coefficients) { + for i in 0..lhs.len() { + lhs[i] += rhs[i]; } - - sum } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/portable/invntt.rs b/libcrux-ml-dsa/src/simd/portable/invntt.rs index 90993df81..2efff9e2f 100644 --- a/libcrux-ml-dsa/src/simd/portable/invntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/invntt.rs @@ -205,8 +205,9 @@ fn outer_3_plus( ) { for j in OFFSET..OFFSET + STEP_BY { // XXX: make nicer - let a_minus_b = arithmetic::subtract(&re[j + STEP_BY], &re[j]); - re[j] = arithmetic::add(&re[j], &re[j + STEP_BY]); + let rejs = &re[j + STEP_BY].clone(); + let a_minus_b = arithmetic::subtract(&rejs, &re[j]); + arithmetic::add(&mut re[j], &rejs); re[j + STEP_BY] = a_minus_b; arithmetic::montgomery_multiply_by_constant(&mut re[j + STEP_BY], ZETA); } diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs index 9d3f96cd1..ef5992c58 100644 --- a/libcrux-ml-dsa/src/simd/portable/ntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs @@ -209,7 +209,7 @@ fn outer_3_plus( montgomery_multiply_by_constant(&mut tmp, ZETA); re[j + STEP_BY] = arithmetic::subtract(&re[j], &tmp); - re[j] = arithmetic::add(&re[j], &tmp); + arithmetic::add(&mut re[j], &tmp); } () // Needed because of https://github.com/hacspec/hax/issues/720 } diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index dea3bcb94..7ac062421 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -22,11 +22,9 @@ pub(crate) trait Operations: Copy + Clone { fn from_coefficient_array(array: &[i32]) -> Self::Coefficient; fn to_coefficient_array(value: &Self::Coefficient, out: &mut [i32]); - #[cfg(any(test, feature = "test-utils"))] - fn to_coefficient_array_test(value: &Self::Coefficient) -> [i32; COEFFICIENTS_IN_SIMD_UNIT]; // Arithmetic - fn add(lhs: &Self::Coefficient, rhs: &Self::Coefficient) -> Self::Coefficient; + fn add(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient); fn subtract(lhs: &Self::Coefficient, rhs: &Self::Coefficient) -> Self::Coefficient; fn infinity_norm_exceeds(simd_unit: &Self::Coefficient, bound: i32) -> bool; fn decompose( From 73065612f9c04e1cdb950bc3660dc4aba89342bf Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 13:17:18 +0000 Subject: [PATCH 11/58] more mut --- libcrux-ml-dsa/src/matrix.rs | 10 +++------- libcrux-ml-dsa/src/ml_dsa_generic.rs | 20 +++++--------------- 2 files changed, 8 insertions(+), 22 deletions(-) diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index 28e086f50..d4a4f28ab 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -102,16 +102,12 @@ pub(crate) fn add_vectors( #[inline(always)] pub(crate) fn subtract_vectors( - lhs: &[PolynomialRingElement; DIMENSION], + lhs: &mut [PolynomialRingElement; DIMENSION], rhs: &[PolynomialRingElement; DIMENSION], -) -> [PolynomialRingElement; DIMENSION] { - let mut result = [PolynomialRingElement::::ZERO(); DIMENSION]; - +) { for i in 0..DIMENSION { - result[i] = PolynomialRingElement::::subtract(&lhs[i], &rhs[i]); + PolynomialRingElement::::subtract_mut(&mut lhs[i], &rhs[i]); } - - result } /// Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index fb7c1e1f7..4b06c37a5 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -361,9 +361,7 @@ pub(crate) fn sign_internal< vector_times_ring_element::(&s2_as_ntt, &verifier_challenge); add_vectors::(&mut mask, &challenge_times_s1); - - let mut w0_minus_challenge_times_s2 = - subtract_vectors::(&w0, &challenge_times_s2); + subtract_vectors::(&mut w0, &challenge_times_s2); if vector_infinity_norm_exceeds::( &mask, @@ -372,10 +370,7 @@ pub(crate) fn sign_internal< // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { - if vector_infinity_norm_exceeds::( - &w0_minus_challenge_times_s2, - GAMMA2 - BETA, - ) { + if vector_infinity_norm_exceeds::(&w0, GAMMA2 - BETA) { // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { @@ -388,14 +383,9 @@ pub(crate) fn sign_internal< // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { - add_vectors::( - &mut w0_minus_challenge_times_s2, - &challenge_times_t0, - ); - let (hint_candidate, ones_in_hint) = make_hint::( - &w0_minus_challenge_times_s2, - &commitment, - ); + add_vectors::(&mut w0, &challenge_times_t0); + let (hint_candidate, ones_in_hint) = + make_hint::(&w0, &commitment); if ones_in_hint > MAX_ONES_IN_HINT { // XXX: https://github.com/hacspec/hax/issues/1171 From b0e86adccd0b4f9ad5228a7404d93f4d8c169645 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 14:07:33 +0000 Subject: [PATCH 12/58] mroe mut --- libcrux-ml-dsa/src/matrix.rs | 8 +++----- libcrux-ml-dsa/src/polynomial.rs | 15 ++------------- libcrux-ml-dsa/src/simd/avx2.rs | 2 +- libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 4 ++-- libcrux-ml-dsa/src/simd/avx2/invntt.rs | 12 ++++++++---- libcrux-ml-dsa/src/simd/avx2/ntt.rs | 15 ++++++++++----- libcrux-ml-dsa/src/simd/portable.rs | 2 +- libcrux-ml-dsa/src/simd/portable/arithmetic.rs | 10 +++------- libcrux-ml-dsa/src/simd/portable/invntt.rs | 5 +++-- libcrux-ml-dsa/src/simd/portable/ntt.rs | 3 ++- libcrux-ml-dsa/src/simd/traits.rs | 2 +- 11 files changed, 36 insertions(+), 42 deletions(-) diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index d4a4f28ab..bab4340c5 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -106,7 +106,7 @@ pub(crate) fn subtract_vectors( rhs: &[PolynomialRingElement; DIMENSION], ) { for i in 0..DIMENSION { - PolynomialRingElement::::subtract_mut(&mut lhs[i], &rhs[i]); + PolynomialRingElement::::subtract(&mut lhs[i], &rhs[i]); } } @@ -143,10 +143,8 @@ pub(crate) fn compute_w_approx< shift_left_then_reduce::(&mut t1[i]); ntt(&mut t1[i]); ntt_multiply_montgomery(&mut t1[i], verifier_challenge_as_ntt); - t1[i] = PolynomialRingElement::::subtract( - &inner_result, - &t1[i], - ); + PolynomialRingElement::::subtract(&mut inner_result, &t1[i]); + t1[i] = inner_result; invert_ntt_montgomery(&mut t1[i]); } } diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index 45507de8e..3e30aff4f 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -64,20 +64,9 @@ impl PolynomialRingElement { } #[inline(always)] - pub(crate) fn subtract(&self, rhs: &Self) -> Self { - let mut difference = Self::ZERO(); - - for i in 0..difference.simd_units.len() { - difference.simd_units[i] = SIMDUnit::subtract(&self.simd_units[i], &rhs.simd_units[i]); - } - - difference - } - - #[inline(always)] - pub(crate) fn subtract_mut(&mut self, rhs: &Self) { + pub(crate) fn subtract(&mut self, rhs: &Self) { for i in 0..self.simd_units.len() { - self.simd_units[i] = SIMDUnit::subtract(&self.simd_units[i], &rhs.simd_units[i]); + SIMDUnit::subtract(&mut self.simd_units[i], &rhs.simd_units[i]); } } } diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index ade225e5e..197cf59d4 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -33,7 +33,7 @@ impl Operations for AVX2SIMDUnit { arithmetic::add(lhs, rhs) } #[inline(always)] - fn subtract(lhs: &Vec256, rhs: &Vec256) -> Vec256 { + fn subtract(lhs: &mut Vec256, rhs: &Vec256) { arithmetic::subtract(lhs, rhs) } diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index d93773018..37012da13 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -21,8 +21,8 @@ pub fn add(lhs: &mut Vec256, rhs: &Vec256) { } #[inline(always)] -pub fn subtract(lhs: &Vec256, rhs: &Vec256) -> Vec256 { - mm256_sub_epi32(*lhs, *rhs) +pub fn subtract(lhs: &mut Vec256, rhs: &Vec256) { + *lhs = mm256_sub_epi32(*lhs, *rhs) } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/invntt.rs b/libcrux-ml-dsa/src/simd/avx2/invntt.rs index 18c911a11..53f08c830 100644 --- a/libcrux-ml-dsa/src/simd/avx2/invntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/invntt.rs @@ -47,7 +47,8 @@ fn simd_unit_invert_ntt_at_layer_0( let mut lo_values = mm256_unpacklo_epi64(a_shuffled, b_shuffled); let hi_values = mm256_unpackhi_epi64(a_shuffled, b_shuffled); - let mut differences = arithmetic::subtract(&hi_values, &lo_values); + let mut differences = hi_values; + arithmetic::subtract(&mut differences, &lo_values); arithmetic::add(&mut lo_values, &hi_values); let sums = lo_values; @@ -77,7 +78,8 @@ fn simd_unit_invert_ntt_at_layer_1( let mut lo_values = mm256_unpacklo_epi64(simd_unit0, simd_unit1); let hi_values = mm256_unpackhi_epi64(simd_unit0, simd_unit1); - let mut differences = arithmetic::subtract(&hi_values, &lo_values); + let mut differences = hi_values; + arithmetic::subtract(&mut differences, &lo_values); arithmetic::add(&mut lo_values, &hi_values); let sums = lo_values; @@ -102,7 +104,8 @@ fn simd_unit_invert_ntt_at_layer_2( let mut lo_values = mm256_permute2x128_si256::<0x20>(simd_unit0, simd_unit1); let hi_values = mm256_permute2x128_si256::<0x31>(simd_unit0, simd_unit1); - let mut differences = arithmetic::subtract(&hi_values, &lo_values); + let mut differences = hi_values; + arithmetic::subtract(&mut differences, &lo_values); arithmetic::add(&mut lo_values, &hi_values); let sums = lo_values; @@ -269,7 +272,8 @@ fn outer_3_plus( for j in OFFSET..OFFSET + STEP_BY { // XXX: make nicer let rejs = re[j + STEP_BY]; - let a_minus_b = arithmetic::subtract(&rejs, &re[j]); + let mut a_minus_b = rejs; + arithmetic::subtract(&mut a_minus_b, &re[j]); arithmetic::add(&mut re[j], &rejs); re[j + STEP_BY] = arithmetic::montgomery_multiply_by_constant(a_minus_b, ZETA); } diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index 2fb02d4a7..cf64b0088 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -37,7 +37,8 @@ fn butterfly_2( arithmetic::montgomery_multiply(&mut zeta_products, &zetas); - let sub_terms = arithmetic::subtract(&summands, &zeta_products); + let mut sub_terms = summands; + arithmetic::subtract(&mut sub_terms, &zeta_products); arithmetic::add(&mut summands, &zeta_products); let add_terms = summands; @@ -69,7 +70,8 @@ fn butterfly_4( ); arithmetic::montgomery_multiply(&mut zeta_products, &zetas); - let sub_terms = arithmetic::subtract(&summands, &zeta_products); + let mut sub_terms = summands; + arithmetic::subtract(&mut sub_terms, &zeta_products); arithmetic::add(&mut summands, &zeta_products); let add_terms = summands; @@ -90,7 +92,8 @@ fn butterfly_8(a: Vec256, b: Vec256, zeta0: i32, zeta1: i32) -> (Vec256, Vec256) let zetas = mm256_set_epi32(zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); arithmetic::montgomery_multiply(&mut zeta_products, &zetas); - let sub_terms = arithmetic::subtract(&summands, &zeta_products); + let mut sub_terms = summands; + arithmetic::subtract(&mut sub_terms, &zeta_products); arithmetic::add(&mut summands, &zeta_products); let add_terms = summands; @@ -289,7 +292,8 @@ unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { let res02_shifted = mm256_shuffle_epi32::<0b11_11_01_01>(res02); // 0xF5 let t = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); // 0xAA - re[index + step_by] = arithmetic::subtract(&re[index], &t); + re[index + step_by] = re[index]; + arithmetic::subtract(&mut re[index + step_by], &t); arithmetic::add(&mut re[index], &t); } @@ -368,7 +372,8 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { let mut t = re[j + STEP_BY]; arithmetic::montgomery_multiply(&mut t, &rhs); - re[j + STEP_BY] = arithmetic::subtract(&re[j], &t); + re[j + STEP_BY] = re[j]; + arithmetic::subtract(&mut re[j + STEP_BY], &t); arithmetic::add(&mut re[j], &t); } () // Needed because of https://github.com/hacspec/hax/issues/720 diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index c1d26cfb2..1dbb79daa 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -31,7 +31,7 @@ impl Operations for PortableSIMDUnit { arithmetic::add(lhs, rhs) } - fn subtract(lhs: &Coefficients, rhs: &Coefficients) -> Coefficients { + fn subtract(lhs: &mut Coefficients, rhs: &Coefficients) { arithmetic::subtract(lhs, rhs) } diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 8202397e4..4ced8c1c7 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -17,14 +17,10 @@ pub fn add(lhs: &mut Coefficients, rhs: &Coefficients) { } #[inline(always)] -pub fn subtract(lhs: &Coefficients, rhs: &Coefficients) -> Coefficients { - let mut difference = zero(); - - for i in 0..difference.len() { - difference[i] = lhs[i] - rhs[i]; +pub fn subtract(lhs: &mut Coefficients, rhs: &Coefficients) { + for i in 0..lhs.len() { + lhs[i] -= rhs[i]; } - - difference } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/portable/invntt.rs b/libcrux-ml-dsa/src/simd/portable/invntt.rs index 2efff9e2f..82f37e592 100644 --- a/libcrux-ml-dsa/src/simd/portable/invntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/invntt.rs @@ -205,8 +205,9 @@ fn outer_3_plus( ) { for j in OFFSET..OFFSET + STEP_BY { // XXX: make nicer - let rejs = &re[j + STEP_BY].clone(); - let a_minus_b = arithmetic::subtract(&rejs, &re[j]); + let rejs = re[j + STEP_BY].clone(); + let mut a_minus_b = rejs.clone(); + arithmetic::subtract(&mut a_minus_b, &re[j]); arithmetic::add(&mut re[j], &rejs); re[j + STEP_BY] = a_minus_b; arithmetic::montgomery_multiply_by_constant(&mut re[j + STEP_BY], ZETA); diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs index ef5992c58..77fd2f7e5 100644 --- a/libcrux-ml-dsa/src/simd/portable/ntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs @@ -208,7 +208,8 @@ fn outer_3_plus( let mut tmp = re[j + STEP_BY]; montgomery_multiply_by_constant(&mut tmp, ZETA); - re[j + STEP_BY] = arithmetic::subtract(&re[j], &tmp); + re[j + STEP_BY] = re[j]; + arithmetic::subtract(&mut re[j + STEP_BY], &tmp); arithmetic::add(&mut re[j], &tmp); } () // Needed because of https://github.com/hacspec/hax/issues/720 diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 7ac062421..8e482fb5c 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -25,7 +25,7 @@ pub(crate) trait Operations: Copy + Clone { // Arithmetic fn add(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient); - fn subtract(lhs: &Self::Coefficient, rhs: &Self::Coefficient) -> Self::Coefficient; + fn subtract(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient); fn infinity_norm_exceeds(simd_unit: &Self::Coefficient, bound: i32) -> bool; fn decompose( simd_unit: &Self::Coefficient, From 92135f4013426b7e2f4aa9ed1c5251e4d2b41179 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 14:21:22 +0000 Subject: [PATCH 13/58] more --- libcrux-ml-dsa/src/arithmetic.rs | 15 ++-- libcrux-ml-dsa/src/encoding/error.rs | 11 +-- libcrux-ml-dsa/src/encoding/gamma1.rs | 4 +- libcrux-ml-dsa/src/encoding/signature.rs | 2 +- libcrux-ml-dsa/src/encoding/signing_key.rs | 57 ------------- libcrux-ml-dsa/src/encoding/t0.rs | 9 +- libcrux-ml-dsa/src/encoding/t1.rs | 2 +- .../src/encoding/verification_key.rs | 2 +- libcrux-ml-dsa/src/matrix.rs | 4 +- libcrux-ml-dsa/src/ml_dsa_generic.rs | 84 ++++++++++++------- libcrux-ml-dsa/src/polynomial.rs | 16 ++-- libcrux-ml-dsa/src/sample.rs | 10 +-- libcrux-ml-dsa/src/simd/avx2.rs | 2 +- libcrux-ml-dsa/src/simd/portable.rs | 2 +- .../src/simd/portable/arithmetic.rs | 12 +-- libcrux-ml-dsa/src/simd/tests.rs | 2 +- libcrux-ml-dsa/src/simd/traits.rs | 2 +- 17 files changed, 97 insertions(+), 139 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index da4c106b7..a40f1f668 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -8,18 +8,15 @@ pub(crate) fn vector_infinity_norm_exceeds; DIMENSION], bound: i32, ) -> bool { - let mut exceeds = false; - - // TODO: We can break out of this loop early if need be, but the most - // straightforward way to do so (returning false) will not go through hax; - // revisit if performance is impacted. cloop! { for ring_element in vector.iter() { - exceeds = exceeds || ring_element.infinity_norm_exceeds(bound); + if ring_element.infinity_norm_exceeds(bound) { + return true; + } } } - exceeds + false } #[inline(always)] @@ -69,7 +66,7 @@ pub(crate) fn make_hint::ZERO(); + let mut hint_simd = PolynomialRingElement::::zero(); for j in 0..hint_simd.simd_units.len() { let (one_hints_count, current_hint) = @@ -90,7 +87,7 @@ pub(crate) fn use_hint; DIMENSION], ) -> [PolynomialRingElement; DIMENSION] { - let mut result = [PolynomialRingElement::::ZERO(); DIMENSION]; + let mut result = [PolynomialRingElement::::zero(); DIMENSION]; for i in 0..DIMENSION { // XXX: Why can't we keep the hint as simd units? diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index 9dba0a715..37b52a833 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -43,17 +43,14 @@ pub(crate) fn deserialize_to_vector_then_ntt< const RING_ELEMENT_SIZE: usize, >( serialized: &[u8], -) -> [PolynomialRingElement; DIMENSION] { - let mut ring_elements = [PolynomialRingElement::::ZERO(); DIMENSION]; - + ring_elements: &mut [PolynomialRingElement; DIMENSION], +) { cloop! { for (i, bytes) in serialized.chunks_exact(RING_ELEMENT_SIZE).enumerate() { deserialize::(bytes, &mut ring_elements[i]); ntt(&mut ring_elements[i]); } } - - ring_elements } #[cfg(test)] @@ -85,7 +82,7 @@ mod tests { 0, 2, -1, ]; - let mut deserialized = PolynomialRingElement::::ZERO(); + let mut deserialized = PolynomialRingElement::::zero(); deserialize::(&serialized, &mut deserialized); assert_eq!(deserialized.to_i32_array(), expected_coefficients); @@ -113,7 +110,7 @@ mod tests { 1, 3, ]; - let mut deserialized = PolynomialRingElement::::ZERO(); + let mut deserialized = PolynomialRingElement::::zero(); deserialize::(&serialized, &mut deserialized); assert_eq!(deserialized.to_i32_array(), expected_coefficients); } diff --git a/libcrux-ml-dsa/src/encoding/gamma1.rs b/libcrux-ml-dsa/src/encoding/gamma1.rs index 103dab0b0..1d5530c44 100644 --- a/libcrux-ml-dsa/src/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/encoding/gamma1.rs @@ -172,7 +172,7 @@ mod tests { -69944, -100373, 94602, ]; - let mut result = PolynomialRingElement::::ZERO(); + let mut result = PolynomialRingElement::::zero(); deserialize::(&bytes, &mut result); assert_eq!(result.to_i32_array(), expected_coefficients); @@ -242,7 +242,7 @@ mod tests { -138892, -414002, 42982, ]; - let mut result = PolynomialRingElement::::ZERO(); + let mut result = PolynomialRingElement::::zero(); deserialize::(&bytes, &mut result); assert_eq!(result.to_i32_array(), expected_coefficients); } diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index 6fc115d02..e2a84ffe7 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -83,7 +83,7 @@ impl< let (signer_response_serialized, hint_serialized) = rest_of_serialized.split_at(GAMMA1_RING_ELEMENT_SIZE * COLUMNS_IN_A); - let mut signer_response = [PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; + let mut signer_response = [PolynomialRingElement::::zero(); COLUMNS_IN_A]; for i in 0..COLUMNS_IN_A { encoding::gamma1::deserialize::( diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs index 7aeb7ee62..8630401ba 100644 --- a/libcrux-ml-dsa/src/encoding/signing_key.rs +++ b/libcrux-ml-dsa/src/encoding/signing_key.rs @@ -66,60 +66,3 @@ pub(crate) fn generate_serialized< signing_key_serialized } - -#[allow(non_snake_case)] -#[inline(always)] -pub(crate) fn deserialize_then_ntt< - SIMDUnit: Operations, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, ->( - serialized: &[u8; SIGNING_KEY_SIZE], -) -> ( - [u8; SEED_FOR_A_SIZE], // seed_for_A - [u8; SEED_FOR_SIGNING_SIZE], // seed_for_signing - [u8; BYTES_FOR_VERIFICATION_KEY_HASH], // verification_key_hash - [PolynomialRingElement; COLUMNS_IN_A], // s1 - [PolynomialRingElement; ROWS_IN_A], // s2 - [PolynomialRingElement; ROWS_IN_A], // t0_as_ntt -) { - let (seed_for_A, remaining_serialized) = serialized.split_at(SEED_FOR_A_SIZE); - let (seed_for_signing, remaining_serialized) = - remaining_serialized.split_at(SEED_FOR_SIGNING_SIZE); - let (verification_key_hash, remaining_serialized) = - remaining_serialized.split_at(BYTES_FOR_VERIFICATION_KEY_HASH); - - let (s1_serialized, remaining_serialized) = - remaining_serialized.split_at(ERROR_RING_ELEMENT_SIZE * COLUMNS_IN_A); - let (s2_serialized, t0_serialized) = - remaining_serialized.split_at(ERROR_RING_ELEMENT_SIZE * ROWS_IN_A); - - let s1_as_ntt = encoding::error::deserialize_to_vector_then_ntt::< - SIMDUnit, - COLUMNS_IN_A, - ETA, - ERROR_RING_ELEMENT_SIZE, - >(s1_serialized); - let s2_as_ntt = encoding::error::deserialize_to_vector_then_ntt::< - SIMDUnit, - ROWS_IN_A, - ETA, - ERROR_RING_ELEMENT_SIZE, - >(s2_serialized); - - // XXX: write *_as_ntt directly into the output above - let t0_as_ntt = - encoding::t0::deserialize_to_vector_then_ntt::(t0_serialized); - - ( - seed_for_A.try_into().unwrap(), - seed_for_signing.try_into().unwrap(), - verification_key_hash.try_into().unwrap(), - s1_as_ntt, - s2_as_ntt, - t0_as_ntt, - ) -} diff --git a/libcrux-ml-dsa/src/encoding/t0.rs b/libcrux-ml-dsa/src/encoding/t0.rs index de11ae3eb..43c2c0b5a 100644 --- a/libcrux-ml-dsa/src/encoding/t0.rs +++ b/libcrux-ml-dsa/src/encoding/t0.rs @@ -39,17 +39,14 @@ fn deserialize( #[inline(always)] pub(crate) fn deserialize_to_vector_then_ntt( serialized: &[u8], -) -> [PolynomialRingElement; DIMENSION] { - let mut ring_elements = [PolynomialRingElement::::ZERO(); DIMENSION]; - + ring_elements: &mut [PolynomialRingElement; DIMENSION], +) { cloop! { for (i, bytes) in serialized.chunks_exact(RING_ELEMENT_OF_T0S_SIZE).enumerate() { deserialize::(bytes, &mut ring_elements[i]); ntt(&mut ring_elements[i]); } } - - ring_elements } #[cfg(test)] @@ -159,7 +156,7 @@ mod tests { 2487, -1527, 2834, -3089, 1724, 3858, -2130, 3301, -1565, ]; - let mut deserialized = PolynomialRingElement::::ZERO(); + let mut deserialized = PolynomialRingElement::::zero(); deserialize::(&serialized, &mut deserialized); assert_eq!(deserialized.to_i32_array(), expected_coefficients); } diff --git a/libcrux-ml-dsa/src/encoding/t1.rs b/libcrux-ml-dsa/src/encoding/t1.rs index dadc7ae21..c2154d705 100644 --- a/libcrux-ml-dsa/src/encoding/t1.rs +++ b/libcrux-ml-dsa/src/encoding/t1.rs @@ -125,7 +125,7 @@ mod tests { 226, 479, 381, 932, 464, 451, 915, 206, 410, 402, 900, ]; - let mut deserialized = PolynomialRingElement::::ZERO(); + let mut deserialized = PolynomialRingElement::::zero(); deserialize::(&serialized, &mut deserialized); assert_eq!(deserialized.to_i32_array(), expected_coefficients); } diff --git a/libcrux-ml-dsa/src/encoding/verification_key.rs b/libcrux-ml-dsa/src/encoding/verification_key.rs index 82fe68a53..48e76334b 100644 --- a/libcrux-ml-dsa/src/encoding/verification_key.rs +++ b/libcrux-ml-dsa/src/encoding/verification_key.rs @@ -42,7 +42,7 @@ pub(crate) fn deserialize< [u8; SEED_FOR_A_SIZE], [PolynomialRingElement; ROWS_IN_A], ) { - let mut t1 = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; + let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; let (seed_for_A, serialized_remaining) = serialized.split_at(SEED_FOR_A_SIZE); for i in 0..ROWS_IN_A { diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index bab4340c5..1e5444c9a 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -19,7 +19,7 @@ pub(crate) fn compute_as1_plus_s2< result: &mut [PolynomialRingElement; ROWS_IN_A], ) { // XXX: Make this better - let mut s1_ntt = [PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; + let mut s1_ntt = [PolynomialRingElement::::zero(); COLUMNS_IN_A]; for i in 0..s1_ntt.len() { s1_ntt[i] = s1_s2[i]; ntt(&mut s1_ntt[i]); @@ -130,7 +130,7 @@ pub(crate) fn compute_w_approx< cloop! { for (i, row) in A_as_ntt.iter().enumerate() { - let mut inner_result = PolynomialRingElement::::ZERO(); + let mut inner_result = PolynomialRingElement::::zero(); cloop! { for (j, ring_element) in row.iter().enumerate() { // XXX: make nicer diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 4b06c37a5..7c4c621fe 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -57,19 +57,19 @@ pub(crate) fn generate_key_pair< let (seed_for_error_vectors, seed_for_signing) = seed_expanded.split_at(SEED_FOR_ERROR_VECTORS_SIZE); - let mut a_as_ntt = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; + let mut a_as_ntt = [[PolynomialRingElement::::zero(); COLUMNS_IN_A]; ROWS_IN_A]; Sampler::matrix::(seed_for_a, &mut a_as_ntt); - let mut s1_s2 = [PolynomialRingElement::::ZERO(); ROW_COLUMN]; + let mut s1_s2 = [PolynomialRingElement::::zero(); ROW_COLUMN]; samplex4::sample_s1_and_s2::( seed_for_error_vectors, &mut s1_s2, ); - let mut t0 = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; + let mut t0 = [PolynomialRingElement::::zero(); ROWS_IN_A]; compute_as1_plus_s2::(&a_as_ntt, &s1_s2, &mut t0); - let mut t1 = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; + let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; power2round_vector::(&mut t0, &mut t1); let verification_key_serialized = encoding::verification_key::generate_serialized::< @@ -261,17 +261,42 @@ pub(crate) fn sign_internal< domain_separation_context: Option, randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { - let (seed_for_a, seed_for_signing, verification_key_hash, s1_as_ntt, s2_as_ntt, t0_as_ntt) = - encoding::signing_key::deserialize_then_ntt::< - SIMDUnit, - ROWS_IN_A, - COLUMNS_IN_A, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - >(signing_key); + // Split the signing key into its parts. + let (seed_for_a, remaining_serialized) = signing_key.split_at(SEED_FOR_A_SIZE); + let (seed_for_signing, remaining_serialized) = + remaining_serialized.split_at(SEED_FOR_SIGNING_SIZE); + let (verification_key_hash, remaining_serialized) = + remaining_serialized.split_at(BYTES_FOR_VERIFICATION_KEY_HASH); + + let (s1_serialized, remaining_serialized) = + remaining_serialized.split_at(ERROR_RING_ELEMENT_SIZE * COLUMNS_IN_A); + let (s2_serialized, t0_serialized) = + remaining_serialized.split_at(ERROR_RING_ELEMENT_SIZE * ROWS_IN_A); + + // Deserialize s1, s2, and t0. + let mut s1_as_ntt = [PolynomialRingElement::zero(); COLUMNS_IN_A]; + let mut s2_as_ntt = [PolynomialRingElement::zero(); ROWS_IN_A]; + let mut t0_as_ntt = [PolynomialRingElement::zero(); ROWS_IN_A]; + + encoding::error::deserialize_to_vector_then_ntt::< + SIMDUnit, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + >(s1_serialized, &mut s1_as_ntt); + encoding::error::deserialize_to_vector_then_ntt::< + SIMDUnit, + ROWS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + >(s2_serialized, &mut s2_as_ntt); + encoding::t0::deserialize_to_vector_then_ntt::( + t0_serialized, + &mut t0_as_ntt, + ); - let mut matrix = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; + // Sample matrix A. + let mut matrix = [[PolynomialRingElement::::zero(); COLUMNS_IN_A]; ROWS_IN_A]; Sampler::matrix::(&seed_for_a, &mut matrix); let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; @@ -293,11 +318,12 @@ pub(crate) fn sign_internal< } let mut domain_separator_for_mask: u16 = 0; - - let BETA = (ONES_IN_VERIFIER_CHALLENGE * ETA) as i32; - + let beta = (ONES_IN_VERIFIER_CHALLENGE * ETA) as i32; let mut attempt = 0; + // Return values. + // Required because we can't return early. + // See https://github.com/hacspec/hax/issues/1171 let mut commitment_hash = None; let mut signer_response = None; let mut hint = None; @@ -310,7 +336,7 @@ pub(crate) fn sign_internal< while attempt < REJECTION_SAMPLE_BOUND_SIGN { attempt += 1; - let mut mask = [PolynomialRingElement::ZERO(); COLUMNS_IN_A]; + let mut mask = [PolynomialRingElement::zero(); COLUMNS_IN_A]; sample_mask_vector::( into_padded_array(&mask_seed), @@ -318,10 +344,10 @@ pub(crate) fn sign_internal< &mut mask, ); - let mut w0 = [PolynomialRingElement::ZERO(); ROWS_IN_A]; - let mut commitment = [PolynomialRingElement::ZERO(); ROWS_IN_A]; + let mut w0 = [PolynomialRingElement::zero(); ROWS_IN_A]; + let mut commitment = [PolynomialRingElement::zero(); ROWS_IN_A]; { - let mut a_x_mask = [PolynomialRingElement::ZERO(); ROWS_IN_A]; + let mut a_x_mask = [PolynomialRingElement::zero(); ROWS_IN_A]; compute_matrix_x_mask::( &matrix, &mask, @@ -346,7 +372,7 @@ pub(crate) fn sign_internal< shake.squeeze(&mut commitment_hash_candidate); } - let mut verifier_challenge = PolynomialRingElement::ZERO(); + let mut verifier_challenge = PolynomialRingElement::zero(); sample_challenge_ring_element::< SIMDUnit, Shake256, @@ -365,12 +391,12 @@ pub(crate) fn sign_internal< if vector_infinity_norm_exceeds::( &mask, - (1 << GAMMA1_EXPONENT) - BETA, + (1 << GAMMA1_EXPONENT) - beta, ) { // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { - if vector_infinity_norm_exceeds::(&w0, GAMMA2 - BETA) { + if vector_infinity_norm_exceeds::(&w0, GAMMA2 - beta) { // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { @@ -448,11 +474,13 @@ pub(crate) fn sign_internal< /// variant. #[inline(always)] fn derive_message_representative( - verification_key_hash: [u8; 64], + verification_key_hash: &[u8], domain_separation_context: Option, message: &[u8], message_representative: &mut [u8; 64], ) { + debug_assert!(verification_key_hash.len() == 64); + let mut shake = Shake256Xof::init(); shake.absorb(&verification_key_hash); if let Some(domain_separation_context) = domain_separation_context { @@ -523,7 +551,7 @@ pub(crate) fn verify_internal< ) { return Err(VerificationError::SignerResponseExceedsBoundError); } - let mut matrix = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; + let mut matrix = [[PolynomialRingElement::::zero(); COLUMNS_IN_A]; ROWS_IN_A]; Sampler::matrix::(&seed_for_a, &mut matrix); let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; @@ -533,13 +561,13 @@ pub(crate) fn verify_internal< ); let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; derive_message_representative::( - verification_key_hash, + &verification_key_hash, domain_separation_context, message, &mut message_representative, ); - let mut verifier_challenge = PolynomialRingElement::ZERO(); + let mut verifier_challenge = PolynomialRingElement::zero(); sample_challenge_ring_element::< SIMDUnit, Shake256, diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index 3e30aff4f..b42a441b3 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -9,10 +9,9 @@ pub(crate) struct PolynomialRingElement { } impl PolynomialRingElement { - #[allow(non_snake_case)] - pub(crate) fn ZERO() -> Self { + pub(crate) fn zero() -> Self { Self { - simd_units: [SIMDUnit::ZERO(); SIMD_UNITS_IN_RING_ELEMENT], + simd_units: [SIMDUnit::zero(); SIMD_UNITS_IN_RING_ELEMENT], } } @@ -41,19 +40,20 @@ impl PolynomialRingElement { #[cfg(test)] pub(crate) fn from_i32_array_test(array: &[i32]) -> Self { - let mut result = PolynomialRingElement::ZERO(); + let mut result = PolynomialRingElement::zero(); Self::from_i32_array(array, &mut result); result } + #[inline(always)] pub(crate) fn infinity_norm_exceeds(&self, bound: i32) -> bool { - let mut exceeds = false; - for i in 0..self.simd_units.len() { - exceeds = exceeds || SIMDUnit::infinity_norm_exceeds(&self.simd_units[i], bound); + if SIMDUnit::infinity_norm_exceeds(&self.simd_units[i], bound) { + return true; + } } - exceeds + false } #[inline(always)] diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 84a10c1ee..2fed434d2 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -615,7 +615,7 @@ mod tests { 703698, 5147821, 7632328, 5993194, 6329638, 5959986, 3073141, 675737, 7364844, 4124952, ]; - let mut re = PolynomialRingElement::ZERO(); + let mut re = PolynomialRingElement::zero(); sample_ring_element_uniform::(seed, &mut re); assert_eq!(re.to_i32_array(), expected_coefficients); @@ -629,7 +629,7 @@ mod tests { 0xB1, 0x83, 0x9B, 0x86, 0x06, 0xF5, 0x94, 0x8B, 0x9D, 0x72, 0xA9, 0x56, 0xDC, 0xF1, 0x01, 0x16, 0xDA, 0x9E, 0x01, 0x00, ]; - let mut re = PolynomialRingElement::ZERO(); + let mut re = PolynomialRingElement::zero(); sample_ring_element_uniform::(seed, &mut re); let actual_coefficients = re.to_i32_array(); @@ -751,7 +751,7 @@ mod tests { 0, ]; - let mut re = PolynomialRingElement::ZERO(); + let mut re = PolynomialRingElement::zero(); sample_challenge_ring_element::(seed, &mut re); assert_eq!(re.to_i32_array(), expected_coefficients); @@ -774,7 +774,7 @@ mod tests { 0, -1, 0, 0, 0, ]; - let mut re = PolynomialRingElement::ZERO(); + let mut re = PolynomialRingElement::zero(); sample_challenge_ring_element::(seed, &mut re); assert_eq!(re.to_i32_array(), expected_coefficients); @@ -797,7 +797,7 @@ mod tests { 0, 0, 0, 1, -1, 0, ]; - let mut re = PolynomialRingElement::ZERO(); + let mut re = PolynomialRingElement::zero(); sample_challenge_ring_element::(seed, &mut re); assert_eq!(re.to_i32_array(), expected_coefficients); } diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 197cf59d4..1f4558da1 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -14,7 +14,7 @@ impl Operations for AVX2SIMDUnit { type Coefficient = Vec256; #[inline(always)] - fn ZERO() -> Vec256 { + fn zero() -> Vec256 { vector_type::zero() } diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 1dbb79daa..55ebc577b 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -15,7 +15,7 @@ pub(crate) use vector_type::PortableSIMDUnit; impl Operations for PortableSIMDUnit { type Coefficient = Coefficients; - fn ZERO() -> Coefficients { + fn zero() -> Coefficients { vector_type::zero() } diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 4ced8c1c7..f753133b1 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -102,15 +102,9 @@ pub(super) fn power2round(t0: &mut Coefficients, t1: &mut Coefficients) { // additional KATs. #[inline(always)] pub(super) fn infinity_norm_exceeds(simd_unit: &Coefficients, bound: i32) -> bool { - let mut exceeds = false; - // It is ok to leak which coefficient violates the bound since // the probability for each coefficient is independent of secret // data but we must not leak the sign of the centralized representative. - // - // TODO: We can break out of this loop early if need be, but the most - // straightforward way to do so (returning false) will not go through hax; - // revisit if performance is impacted. cloop! { for coefficient in simd_unit.iter() { debug_assert!(*coefficient > -FIELD_MODULUS && *coefficient < FIELD_MODULUS); @@ -125,11 +119,13 @@ pub(super) fn infinity_norm_exceeds(simd_unit: &Coefficients, bound: i32) -> boo let normalized = coefficient - (sign & (2 * coefficient)); // FIXME: return - exceeds = exceeds || normalized >= bound; + if normalized >= bound { + return true; + } } } - exceeds + false } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/tests.rs b/libcrux-ml-dsa/src/simd/tests.rs index 3fc8cb70e..6673a663f 100644 --- a/libcrux-ml-dsa/src/simd/tests.rs +++ b/libcrux-ml-dsa/src/simd/tests.rs @@ -9,7 +9,7 @@ fn test_decompose_generic() { let expected_low = [-2687, 83861, -10009, -62531, 17322, 30530, -37072, -31454]; let expected_high = [29, 28, 1, 43, 27, 29, 18, 21]; - let (mut low, mut high) = (SIMDUnit::ZERO(), SIMDUnit::ZERO()); + let (mut low, mut high) = (SIMDUnit::zero(), SIMDUnit::zero()); SIMDUnit::decompose::<95_232>(&input, &mut low, &mut high); let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 8e482fb5c..8c30b099d 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -18,7 +18,7 @@ pub(crate) trait Operations: Copy + Clone { type Coefficient: Copy; // XXX: make generic? drop copy? #[allow(non_snake_case)] - fn ZERO() -> Self::Coefficient; + fn zero() -> Self::Coefficient; fn from_coefficient_array(array: &[i32]) -> Self::Coefficient; fn to_coefficient_array(value: &Self::Coefficient, out: &mut [i32]); From a3f9daecb19d471639e6e5564907f7eefca4de3d Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 14:33:48 +0000 Subject: [PATCH 14/58] wip --- libcrux-ml-dsa/src/lib.rs | 1 - libcrux-ml-dsa/src/ml_dsa_generic.rs | 7 +++-- libcrux-ml-dsa/src/sample.rs | 38 ++++++++++++++-------------- libcrux-ml-dsa/src/utils.rs | 8 ------ 4 files changed, 22 insertions(+), 32 deletions(-) diff --git a/libcrux-ml-dsa/src/lib.rs b/libcrux-ml-dsa/src/lib.rs index 7a6a58f9a..8d339a929 100644 --- a/libcrux-ml-dsa/src/lib.rs +++ b/libcrux-ml-dsa/src/lib.rs @@ -18,7 +18,6 @@ mod sample; mod samplex4; mod simd; mod types; -mod utils; // Public interface diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 7c4c621fe..4f88bcc2e 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -16,7 +16,6 @@ use crate::{ samplex4::{self, X4Sampler}, simd::traits::Operations, types::{SigningError, VerificationError}, - utils::into_padded_array, MLDSASignature, }; @@ -337,15 +336,15 @@ pub(crate) fn sign_internal< attempt += 1; let mut mask = [PolynomialRingElement::zero(); COLUMNS_IN_A]; + let mut w0 = [PolynomialRingElement::zero(); ROWS_IN_A]; + let mut commitment = [PolynomialRingElement::zero(); ROWS_IN_A]; sample_mask_vector::( - into_padded_array(&mask_seed), + &mask_seed, &mut domain_separator_for_mask, &mut mask, ); - let mut w0 = [PolynomialRingElement::zero(); ROWS_IN_A]; - let mut commitment = [PolynomialRingElement::zero(); ROWS_IN_A]; { let mut a_x_mask = [PolynomialRingElement::zero(); ROWS_IN_A]; compute_matrix_x_mask::( diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 2fed434d2..fd740d217 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -261,6 +261,14 @@ pub(crate) fn add_error_domain_separator(slice: &[u8], domain_separator: u16) -> out } +// #[inline(always)] +// fn update_seed(mut seed: [u8; 66], domain_separator: &mut u16) -> [u8; 66] { +// seed[64] = *domain_separator as u8; +// seed[65] = (*domain_separator >> 8) as u8; +// *domain_separator += 1; +// seed +// } + #[inline(always)] pub(crate) fn sample_four_error_ring_elements< SIMDUnit: Operations, @@ -354,32 +362,24 @@ pub(crate) fn sample_four_error_ring_elements< } } -#[inline(always)] -fn update_seed(mut seed: [u8; 66], domain_separator: &mut u16) -> [u8; 66] { - seed[64] = *domain_separator as u8; - seed[65] = (*domain_separator >> 8) as u8; - *domain_separator += 1; - seed -} - #[inline(always)] fn sample_mask_ring_element< SIMDUnit: Operations, Shake256: shake256::DsaXof, const GAMMA1_EXPONENT: usize, >( - seed: [u8; 66], + seed: &[u8; 66], result: &mut PolynomialRingElement, ) { match GAMMA1_EXPONENT as u8 { 17 => { let mut out = [0u8; 576]; - Shake256::shake256::<576>(&seed, &mut out); + Shake256::shake256::<576>(seed, &mut out); encoding::gamma1::deserialize::(&out, result); } 19 => { let mut out = [0u8; 640]; - Shake256::shake256::<640>(&seed, &mut out); + Shake256::shake256::<640>(seed, &mut out); encoding::gamma1::deserialize::(&out, result); } _ => unreachable!(), @@ -394,7 +394,7 @@ pub(crate) fn sample_mask_vector< const DIMENSION: usize, const GAMMA1_EXPONENT: usize, >( - mut seed: [u8; 66], + seed: &[u8; 64], domain_separator: &mut u16, mask: &mut [PolynomialRingElement; DIMENSION], ) { @@ -402,10 +402,11 @@ pub(crate) fn sample_mask_vector< debug_assert!(DIMENSION == 4 || DIMENSION == 5 || DIMENSION == 7); // So we can always sample 4 elements in one go first. - let seed0 = update_seed(seed, domain_separator); - let seed1 = update_seed(seed, domain_separator); - let seed2 = update_seed(seed, domain_separator); - let seed3 = update_seed(seed, domain_separator); + let seed0 = add_error_domain_separator(seed, *domain_separator); + let seed1 = add_error_domain_separator(seed, *domain_separator + 1); + let seed2 = add_error_domain_separator(seed, *domain_separator + 2); + let seed3 = add_error_domain_separator(seed, *domain_separator + 3); + *domain_separator += 4; match GAMMA1_EXPONENT as u8 { 17 => { @@ -439,12 +440,11 @@ pub(crate) fn sample_mask_vector< #[allow(clippy::needless_range_loop)] for i in 4..DIMENSION { - seed[64] = *domain_separator as u8; - seed[65] = (*domain_separator >> 8) as u8; + let seed = add_error_domain_separator(seed, *domain_separator); *domain_separator += 1; // TODO: For 87 we may want to do another 4 and discard 1. - sample_mask_ring_element::(seed, &mut mask[i]); + sample_mask_ring_element::(&seed, &mut mask[i]); } } diff --git a/libcrux-ml-dsa/src/utils.rs b/libcrux-ml-dsa/src/utils.rs index 8d4754d19..e69de29bb 100644 --- a/libcrux-ml-dsa/src/utils.rs +++ b/libcrux-ml-dsa/src/utils.rs @@ -1,8 +0,0 @@ -/// Pad the `slice` with `0`s at the end. -#[inline(always)] -pub(crate) fn into_padded_array(slice: &[u8]) -> [u8; LEN] { - debug_assert!(slice.len() <= LEN); - let mut out = [0u8; LEN]; - out[0..slice.len()].copy_from_slice(slice); - out -} From 2a9e32e249f538e7782e6641e0ae2b00dfe71f18 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 14:40:30 +0000 Subject: [PATCH 15/58] wip --- libcrux-ml-dsa/src/arithmetic.rs | 2 +- libcrux-ml-dsa/src/matrix.rs | 14 ++++---------- libcrux-ml-dsa/src/ml_dsa_generic.rs | 26 +++++++++++++++++++------- 3 files changed, 24 insertions(+), 18 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index a40f1f668..63ca097ac 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -42,7 +42,7 @@ pub(crate) fn power2round_vector( #[inline(always)] pub(crate) fn decompose_vector( - t: [PolynomialRingElement; DIMENSION], + t: &[PolynomialRingElement; DIMENSION], low: &mut [PolynomialRingElement; DIMENSION], high: &mut [PolynomialRingElement; DIMENSION], ) { diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index 1e5444c9a..0728c56ee 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -73,21 +73,15 @@ pub(crate) fn compute_matrix_x_mask< } } -#[allow(non_snake_case)] #[inline(always)] pub(crate) fn vector_times_ring_element( - vector: &[PolynomialRingElement; DIMENSION], + vector: &mut [PolynomialRingElement; DIMENSION], ring_element: &PolynomialRingElement, -) -> [PolynomialRingElement; DIMENSION] { - // XXX: pull out the result to dsa generic - let mut result = vector.clone(); - +) { for i in 0..vector.len() { - ntt_multiply_montgomery(&mut result[i], ring_element); - invert_ntt_montgomery(&mut result[i]); + ntt_multiply_montgomery(&mut vector[i], ring_element); + invert_ntt_montgomery(&mut vector[i]); } - - result } #[inline(always)] diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 4f88bcc2e..0b73f2e62 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -352,7 +352,7 @@ pub(crate) fn sign_internal< &mask, &mut a_x_mask, ); - decompose_vector::(a_x_mask, &mut w0, &mut commitment); + decompose_vector::(&a_x_mask, &mut w0, &mut commitment); } let mut commitment_hash_candidate = [0; COMMITMENT_HASH_SIZE]; @@ -380,10 +380,19 @@ pub(crate) fn sign_internal< >(commitment_hash_candidate, &mut verifier_challenge); ntt(&mut verifier_challenge); - let challenge_times_s1 = - vector_times_ring_element::(&s1_as_ntt, &verifier_challenge); - let challenge_times_s2 = - vector_times_ring_element::(&s2_as_ntt, &verifier_challenge); + // We need to clone here in case we need s1_as_ntt or s2_as_ntt again in + // another iteration of the loop. + let mut challenge_times_s1 = s1_as_ntt.clone(); + let mut challenge_times_s2 = s2_as_ntt.clone(); + + vector_times_ring_element::( + &mut challenge_times_s1, + &verifier_challenge, + ); + vector_times_ring_element::( + &mut challenge_times_s2, + &verifier_challenge, + ); add_vectors::(&mut mask, &challenge_times_s1); subtract_vectors::(&mut w0, &challenge_times_s2); @@ -399,8 +408,11 @@ pub(crate) fn sign_internal< // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { - let challenge_times_t0 = vector_times_ring_element::( - &t0_as_ntt, + // We need to clone here in case we need t0_as_ntt again in another iteration + // of the loop. + let mut challenge_times_t0 = t0_as_ntt.clone(); + vector_times_ring_element::( + &mut challenge_times_t0, &verifier_challenge, ); if vector_infinity_norm_exceeds::(&challenge_times_t0, GAMMA2) From e6eb2c3adb0ce4734e1e6508ecb082810c88690b Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 14:57:31 +0000 Subject: [PATCH 16/58] more --- libcrux-ml-dsa/src/arithmetic.rs | 17 +++++++++-------- libcrux-ml-dsa/src/encoding/signature.rs | 7 ++----- libcrux-ml-dsa/src/ml_dsa_generic.rs | 15 +++++++++++---- libcrux-ml-dsa/src/simd/avx2.rs | 4 ++-- libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 12 +++++------- libcrux-ml-dsa/src/simd/portable.rs | 5 +++-- libcrux-ml-dsa/src/simd/portable/arithmetic.rs | 8 ++++---- libcrux-ml-dsa/src/simd/traits.rs | 3 ++- 8 files changed, 38 insertions(+), 33 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index 63ca097ac..f69a2bf95 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -61,17 +61,18 @@ pub(crate) fn decompose_vector( low: &[PolynomialRingElement; DIMENSION], high: &[PolynomialRingElement; DIMENSION], -) -> ([[i32; COEFFICIENTS_IN_RING_ELEMENT]; DIMENSION], usize) { - let mut hint = [[0; COEFFICIENTS_IN_RING_ELEMENT]; DIMENSION]; + hint: &mut [[i32; COEFFICIENTS_IN_RING_ELEMENT]; DIMENSION], +) -> usize { let mut true_hints = 0; + let mut hint_simd = PolynomialRingElement::::zero(); for i in 0..DIMENSION { - let mut hint_simd = PolynomialRingElement::::zero(); - for j in 0..hint_simd.simd_units.len() { - let (one_hints_count, current_hint) = - SIMDUnit::compute_hint::(&low[i].simd_units[j], &high[i].simd_units[j]); - hint_simd.simd_units[j] = current_hint; + let one_hints_count = SIMDUnit::compute_hint::( + &low[i].simd_units[j], + &high[i].simd_units[j], + &mut hint_simd.simd_units[j], + ); true_hints += one_hints_count; } @@ -79,7 +80,7 @@ pub(crate) fn make_hint Signature { - #[allow(non_snake_case)] #[inline(always)] pub(crate) fn serialize< const GAMMA1_EXPONENT: usize, @@ -33,8 +32,8 @@ impl< const SIGNATURE_SIZE: usize, >( &self, - ) -> [u8; SIGNATURE_SIZE] { - let mut signature = [0u8; SIGNATURE_SIZE]; + signature: &mut [u8; SIGNATURE_SIZE], + ) { let mut offset = 0; signature[offset..offset + COMMITMENT_HASH_SIZE].copy_from_slice(&self.commitment_hash); @@ -65,8 +64,6 @@ impl< } signature[offset + MAX_ONES_IN_HINT + i] = true_hints_seen as u8; } - - signature } #[allow(non_snake_case)] diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 0b73f2e62..ba3b314d3 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -421,8 +421,12 @@ pub(crate) fn sign_internal< // continue; } else { add_vectors::(&mut w0, &challenge_times_t0); - let (hint_candidate, ones_in_hint) = - make_hint::(&w0, &commitment); + let mut hint_candidate = [[0; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A]; + let ones_in_hint = make_hint::( + &w0, + &commitment, + &mut hint_candidate, + ); if ones_in_hint > MAX_ONES_IN_HINT { // XXX: https://github.com/hacspec/hax/issues/1171 @@ -453,12 +457,15 @@ pub(crate) fn sign_internal< None => return Err(SigningError::RejectionSamplingError), }; - let signature = Signature:: { + let mut signature = [0u8; SIGNATURE_SIZE]; + Signature:: { commitment_hash, signer_response, hint, } - .serialize::(); + .serialize::( + &mut signature, + ); Ok(MLDSASignature::new(signature)) } diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 1f4558da1..96f0f0dbd 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -62,8 +62,8 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn compute_hint(low: &Vec256, high: &Vec256) -> (usize, Vec256) { - arithmetic::compute_hint::(low, high) + fn compute_hint(low: &Vec256, high: &Vec256,hint: &mut Self::Coefficient,) -> usize { + arithmetic::compute_hint::(low, high, hint) } #[inline(always)] fn use_hint(simd_unit: &Vec256, hint: &mut Vec256) { diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index 37012da13..b67140c46 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -182,7 +182,7 @@ pub fn decompose(r: &Vec256, r0: &mut Vec256, r1: &mut Vec256 } #[inline(always)] -pub fn compute_hint(low: &Vec256, high: &Vec256) -> (usize, Vec256) { +pub fn compute_hint(low: &Vec256, high: &Vec256, hint: &mut Vec256) -> usize { let gamma2 = mm256_set1_epi32(GAMMA2); let minus_gamma2 = mm256_set1_epi32(-GAMMA2); @@ -194,17 +194,15 @@ pub fn compute_hint(low: &Vec256, high: &Vec256) -> (usize, V let low_equals_minus_gamma2_and_high_is_nonzero = mm256_sign_epi32(low_equals_minus_gamma2, *high); - let hints = mm256_or_si256( + *hint = mm256_or_si256( low_within_bound, low_equals_minus_gamma2_and_high_is_nonzero, ); - let hints_mask = mm256_movemask_ps(mm256_castsi256_ps(hints)); + let hints_mask = mm256_movemask_ps(mm256_castsi256_ps(*hint)); + *hint = mm256_and_si256(*hint, mm256_set1_epi32(0x1)); - ( - hints_mask.count_ones() as usize, - mm256_and_si256(hints, mm256_set1_epi32(0x1)), - ) + hints_mask.count_ones() as usize } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 55ebc577b..eb3b8fd48 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -62,8 +62,9 @@ impl Operations for PortableSIMDUnit { fn compute_hint( low: &Coefficients, high: &Coefficients, - ) -> (usize, Coefficients) { - arithmetic::compute_hint::(low, high) + hint: &mut Self::Coefficient, + ) -> usize { + arithmetic::compute_hint::(low, high, hint) } fn use_hint(simd_unit: &Coefficients, hint: &mut Coefficients) { arithmetic::use_hint::(simd_unit, hint) diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index f753133b1..4dd2482c8 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -1,4 +1,4 @@ -use super::vector_type::{zero, Coefficients, FieldElement}; +use super::vector_type::{Coefficients, FieldElement}; use crate::{ constants::BITS_IN_LOWER_PART_OF_T, helper::cloop, @@ -155,8 +155,8 @@ fn compute_one_hint(low: i32, high: i32) -> i32 { pub(super) fn compute_hint( low: &Coefficients, high: &Coefficients, -) -> (usize, Coefficients) { - let mut hint = zero(); + hint: &mut Coefficients, +) -> usize { let mut one_hints_count = 0; for i in 0..hint.len() { @@ -164,7 +164,7 @@ pub(super) fn compute_hint( one_hints_count += hint[i] as usize; } - (one_hints_count, hint) + one_hints_count } // Take a representative -q < r < q and convert it diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 8c30b099d..b53c9464e 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -35,7 +35,8 @@ pub(crate) trait Operations: Copy + Clone { fn compute_hint( low: &Self::Coefficient, high: &Self::Coefficient, - ) -> (usize, Self::Coefficient); + hint: &mut Self::Coefficient, + ) -> usize; fn use_hint(simd_unit: &Self::Coefficient, hint: &mut Self::Coefficient); // Modular operations From 13738556d5fab788f9c397e9f05044a4022a1f28 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 15:23:51 +0000 Subject: [PATCH 17/58] more --- libcrux-ml-dsa/cg/libcrux_core.h | 242 +- libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h | 4462 ++++++---- libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h | 7607 +++++++---------- libcrux-ml-dsa/profile.json | 1 - libcrux-ml-dsa/src/arithmetic.rs | 17 +- libcrux-ml-dsa/src/encoding/commitment.rs | 16 +- .../src/encoding/verification_key.rs | 5 +- libcrux-ml-dsa/src/ml_dsa_generic.rs | 12 +- 8 files changed, 5915 insertions(+), 6447 deletions(-) delete mode 100644 libcrux-ml-dsa/profile.json diff --git a/libcrux-ml-dsa/cg/libcrux_core.h b/libcrux-ml-dsa/cg/libcrux_core.h index e0f52883c..3db8579a3 100644 --- a/libcrux-ml-dsa/cg/libcrux_core.h +++ b/libcrux-ml-dsa/cg/libcrux_core.h @@ -60,20 +60,18 @@ static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t x0[8U]); static inline void core_num__u64_9__to_le_bytes(uint64_t x0, uint8_t x1[8U]); -static inline size_t core_num__usize_11__div_ceil(size_t x0, size_t x1); - /** A monomorphic instance of core.result.Result -with types uint8_t[10size_t], core_array_TryFromSliceError +with types int32_t[8size_t], core_array_TryFromSliceError */ -typedef struct Result_9d_s { +typedef struct Result_6c_s { Result_a9_tags tag; union { - uint8_t case_Ok[10U]; + int32_t case_Ok[8U]; TryFromSliceError case_Err; } val; -} Result_9d; +} Result_6c; /** This function found in impl {core::result::Result[TraitClause@0, @@ -81,14 +79,14 @@ TraitClause@1]} */ /** A monomorphic instance of core.result.unwrap_26 -with types uint8_t[10size_t], core_array_TryFromSliceError +with types int32_t[8size_t], core_array_TryFromSliceError */ -static inline void unwrap_26_ce(Result_9d self, uint8_t ret[10U]) { +static inline void unwrap_26_55(Result_6c self, int32_t ret[8U]) { if (self.tag == Ok) { - uint8_t f0[10U]; - memcpy(f0, self.val.case_Ok, (size_t)10U * sizeof(uint8_t)); - memcpy(ret, f0, (size_t)10U * sizeof(uint8_t)); + int32_t f0[8U]; + memcpy(f0, self.val.case_Ok, (size_t)8U * sizeof(int32_t)); + memcpy(ret, f0, (size_t)8U * sizeof(int32_t)); } else { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "unwrap not Ok"); @@ -97,38 +95,14 @@ static inline void unwrap_26_ce(Result_9d self, uint8_t ret[10U]) { } /** -A monomorphic instance of core.result.Result -with types uint8_t[13size_t], core_array_TryFromSliceError - -*/ -typedef struct Result_b0_s { - Result_a9_tags tag; - union { - uint8_t case_Ok[13U]; - TryFromSliceError case_Err; - } val; -} Result_b0; - -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of core.result.unwrap_26 -with types uint8_t[13size_t], core_array_TryFromSliceError +A monomorphic instance of core.option.Option +with types uint8_t[11size_t] */ -static inline void unwrap_26_23(Result_b0 self, uint8_t ret[13U]) { - if (self.tag == Ok) { - uint8_t f0[13U]; - memcpy(f0, self.val.case_Ok, (size_t)13U * sizeof(uint8_t)); - memcpy(ret, f0, (size_t)13U * sizeof(uint8_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } -} +typedef struct Option_30_s { + Option_d8_tags tag; + uint8_t f0[11U]; +} Option_30; typedef struct libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature_s { uint8_t value[3309U]; @@ -167,40 +141,6 @@ typedef struct Result_41_s { libcrux_ml_dsa_types_VerificationError f0; } Result_41; -/** -A monomorphic instance of core.result.Result -with types uint8_t[48size_t], core_array_TryFromSliceError - -*/ -typedef struct Result_ae_s { - Result_a9_tags tag; - union { - uint8_t case_Ok[48U]; - TryFromSliceError case_Err; - } val; -} Result_ae; - -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of core.result.unwrap_26 -with types uint8_t[48size_t], core_array_TryFromSliceError - -*/ -static inline void unwrap_26_28(Result_ae self, uint8_t ret[48U]) { - if (self.tag == Ok) { - uint8_t f0[48U]; - memcpy(f0, self.val.case_Ok, (size_t)48U * sizeof(uint8_t)); - memcpy(ret, f0, (size_t)48U * sizeof(uint8_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } -} - /** A monomorphic instance of libcrux_ml_dsa.types.MLDSAVerificationKey with const generics @@ -266,114 +206,6 @@ typedef struct Result_2e_s { } val; } Result_2e; -/** - Build -*/ -/** -This function found in impl {libcrux_ml_dsa::types::MLDSASignature#4} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.types.new_8f -with const generics -- SIZE= 3309 -*/ -static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature -libcrux_ml_dsa_types_new_8f_fa(uint8_t value[3309U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_value[3309U]; - memcpy(copy_of_value, value, (size_t)3309U * sizeof(uint8_t)); - libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature lit; - memcpy(lit.value, copy_of_value, (size_t)3309U * sizeof(uint8_t)); - return lit; -} - -/** - Pad the `slice` with `0`s at the end. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.utils.into_padded_array -with const generics -- LEN= 66 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_utils_into_padded_array_20( - Eurydice_slice slice, uint8_t ret[66U]) { - uint8_t out[66U] = {0U}; - uint8_t *uu____0 = out; - Eurydice_slice_copy( - Eurydice_array_to_subslice2(uu____0, (size_t)0U, - Eurydice_slice_len(slice, uint8_t), uint8_t), - slice, uint8_t); - memcpy(ret, out, (size_t)66U * sizeof(uint8_t)); -} - -/** -A monomorphic instance of core.result.Result -with types uint8_t[64size_t], core_array_TryFromSliceError - -*/ -typedef struct Result_f2_s { - Result_a9_tags tag; - union { - uint8_t case_Ok[64U]; - TryFromSliceError case_Err; - } val; -} Result_f2; - -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of core.result.unwrap_26 -with types uint8_t[64size_t], core_array_TryFromSliceError - -*/ -static inline void unwrap_26_4b(Result_f2 self, uint8_t ret[64U]) { - if (self.tag == Ok) { - uint8_t f0[64U]; - memcpy(f0, self.val.case_Ok, (size_t)64U * sizeof(uint8_t)); - memcpy(ret, f0, (size_t)64U * sizeof(uint8_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } -} - -/** -A monomorphic instance of core.result.Result -with types uint8_t[32size_t], core_array_TryFromSliceError - -*/ -typedef struct Result_fb_s { - Result_a9_tags tag; - union { - uint8_t case_Ok[32U]; - TryFromSliceError case_Err; - } val; -} Result_fb; - -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of core.result.unwrap_26 -with types uint8_t[32size_t], core_array_TryFromSliceError - -*/ -static inline void unwrap_26_b3(Result_fb self, uint8_t ret[32U]) { - if (self.tag == Ok) { - uint8_t f0[32U]; - memcpy(f0, self.val.case_Ok, (size_t)32U * sizeof(uint8_t)); - memcpy(ret, f0, (size_t)32U * sizeof(uint8_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } -} - /** A monomorphic instance of libcrux_ml_dsa.types.MLDSASigningKey with const generics @@ -442,50 +274,6 @@ libcrux_ml_dsa_types_new_9b_09(uint8_t value[4032U]) { return lit; } -/** -A monomorphic instance of core.result.Result -with types int32_t[8size_t], core_array_TryFromSliceError - -*/ -typedef struct Result_6c_s { - Result_a9_tags tag; - union { - int32_t case_Ok[8U]; - TryFromSliceError case_Err; - } val; -} Result_6c; - -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of core.result.unwrap_26 -with types int32_t[8size_t], core_array_TryFromSliceError - -*/ -static inline void unwrap_26_55(Result_6c self, int32_t ret[8U]) { - if (self.tag == Ok) { - int32_t f0[8U]; - memcpy(f0, self.val.case_Ok, (size_t)8U * sizeof(int32_t)); - memcpy(ret, f0, (size_t)8U * sizeof(int32_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } -} - -/** -A monomorphic instance of core.option.Option -with types uint8_t[11size_t] - -*/ -typedef struct Option_30_s { - Option_d8_tags tag; - uint8_t f0[11U]; -} Option_30; - typedef struct libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair_s { libcrux_ml_dsa_types_MLDSASigningKey_22 signing_key; libcrux_ml_dsa_types_MLDSAVerificationKey_ea verification_key; diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h index dec4fec61..2b52f015d 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h @@ -315,139 +315,496 @@ libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( return libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4(self); } -typedef __m256i libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit; - -KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_ZERO(void) { - return libcrux_intrinsics_avx2_mm256_setzero_si256(); -} - /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} + Generate key pair. */ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_dsa_simd_avx2_ZERO_a2(void) { - return libcrux_ml_dsa_simd_avx2_vector_type_ZERO(); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i -libcrux_ml_dsa_simd_avx2_vector_type_from_coefficient_array( - Eurydice_slice coefficient_array) { - return libcrux_intrinsics_avx2_mm256_loadu_si256_i32(coefficient_array); -} - /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.generate_key_pair +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ROW_COLUMN= 11 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- SIGNING_KEY_SIZE= 4032 +- VERIFICATION_KEY_SIZE= 1952 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_from_coefficient_array_a2( - Eurydice_slice coefficient_array) { - return libcrux_ml_dsa_simd_avx2_vector_type_from_coefficient_array( - coefficient_array); +static inline tuple_a0 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_c9( + uint8_t randomness[32U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); + KRML_HOST_EXIT(255U); } +/** + Generate key pair. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.generate_key_pair with const +generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ROW_COLUMN= 11 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- SIGNING_KEY_SIZE= 4032 +- VERIFICATION_KEY_SIZE= 1952 +*/ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_vector_type_to_coefficient_array( - __m256i *x, int32_t ret[8U]) { - int32_t coefficient_array[8U] = {0U}; - libcrux_intrinsics_avx2_mm256_storeu_si256_i32( - Eurydice_array_to_slice((size_t)8U, coefficient_array, int32_t), x[0U]); - memcpy(ret, coefficient_array, (size_t)8U * sizeof(int32_t)); +static inline tuple_a0 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_c9( + uint8_t randomness[32U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_c9( + copy_of_randomness); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} + Generate an ML-DSA-65 Key Pair */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_to_coefficient_array_a2( - __m256i *self, int32_t ret[8U]) { - libcrux_ml_dsa_simd_avx2_vector_type_to_coefficient_array(self, ret); +static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair +libcrux_ml_dsa_ml_dsa_65_avx2_generate_key_pair(uint8_t randomness[32U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + tuple_a0 uu____1 = + libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_c9( + copy_of_randomness); + uint8_t signing_key[4032U]; + memcpy(signing_key, uu____1.fst, (size_t)4032U * sizeof(uint8_t)); + uint8_t verification_key[1952U]; + memcpy(verification_key, uu____1.snd, (size_t)1952U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_signing_key[4032U]; + memcpy(copy_of_signing_key, signing_key, (size_t)4032U * sizeof(uint8_t)); + libcrux_ml_dsa_types_MLDSASigningKey_22 uu____3 = + libcrux_ml_dsa_types_new_9b_09(copy_of_signing_key); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_verification_key[1952U]; + memcpy(copy_of_verification_key, verification_key, + (size_t)1952U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair lit; + lit.signing_key = uu____3; + lit.verification_key = + libcrux_ml_dsa_types_new_66_97(copy_of_verification_key); + return lit; } +/** + Sign. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.sign with const +generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_arithmetic_add(__m256i lhs, __m256i rhs) { - return libcrux_intrinsics_avx2_mm256_add_epi32(lhs, rhs); +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); + KRML_HOST_EXIT(255U); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} + Sign. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.sign +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_dsa_simd_avx2_add_a2(__m256i *lhs, - __m256i *rhs) { - return libcrux_ml_dsa_simd_avx2_arithmetic_add(lhs[0U], rhs[0U]); +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_f3( + uu____0, uu____1, uu____2, copy_of_randomness); } +/** + Generate an ML-DSA-65 Signature + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_arithmetic_subtract(__m256i lhs, __m256i rhs) { - return libcrux_intrinsics_avx2_mm256_sub_epi32(lhs, rhs); +static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign( + libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, + Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { + uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_f3( + uu____0, uu____1, uu____2, copy_of_randomness); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} + Sign (pre-hashed). +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.sign_pre_hashed_shake128 +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_subtract_a2(__m256i *lhs, __m256i *rhs) { - return libcrux_ml_dsa_simd_avx2_arithmetic_subtract(lhs[0U], rhs[0U]); +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_pre_hashed_shake128_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); + KRML_HOST_EXIT(255U); } +/** + Sign (pre-hashed). +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.sign_pre_hashed_shake128 with +const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE bool -libcrux_ml_dsa_simd_avx2_arithmetic_infinity_norm_exceeds(__m256i simd_unit, - int32_t bound) { - __m256i absolute_values = libcrux_intrinsics_avx2_mm256_abs_epi32(simd_unit); - __m256i bound0 = libcrux_intrinsics_avx2_mm256_set1_epi32(bound - (int32_t)1); - __m256i compare_with_bound = - libcrux_intrinsics_avx2_mm256_cmpgt_epi32(absolute_values, bound0); - int32_t result = libcrux_intrinsics_avx2_mm256_testz_si256( - compare_with_bound, compare_with_bound); - bool uu____0; - if (result == (int32_t)1) { - uu____0 = false; - } else { - uu____0 = true; - } - return uu____0; +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_pre_hashed_shake128_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_pre_hashed_shake128_f3( + uu____0, uu____1, uu____2, copy_of_randomness); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} + Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE bool libcrux_ml_dsa_simd_avx2_infinity_norm_exceeds_a2( - __m256i simd_unit, int32_t bound) { - return libcrux_ml_dsa_simd_avx2_arithmetic_infinity_norm_exceeds(simd_unit, - bound); -} - +static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign_pre_hashed_shake128( + libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, + Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { + uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_pre_hashed_shake128_f3( + uu____0, uu____1, uu____2, copy_of_randomness); +} + +/** + Verify. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.verify with const +generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i -libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(__m256i t) { +static inline Result_41 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_01( + uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, + uint8_t *signature) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); + KRML_HOST_EXIT(255U); +} + +/** + Verify. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.verify with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_41 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_01( + uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, + uint8_t *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_01( + verification_key, message, context, signature); +} + +/** + Verify an ML-DSA-65 Signature + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_41 libcrux_ml_dsa_ml_dsa_65_avx2_verify( + libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, + Eurydice_slice message, Eurydice_slice context, + libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_01( + libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, + libcrux_ml_dsa_types_as_ref_8f_fa(signature)); +} + +/** + Verify (pre-hashed with SHAKE-128). +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.verify_pre_hashed_shake128 +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_41 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_pre_hashed_shake128_01( + uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, + uint8_t *signature) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); + KRML_HOST_EXIT(255U); +} + +/** + Verify (pre-hashed with SHAKE-128). +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.verify_pre_hashed_shake128 +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_41 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_pre_hashed_shake128_01( + uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, + uint8_t *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_pre_hashed_shake128_01( + verification_key, message, context, signature); +} + +/** + Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_41 +libcrux_ml_dsa_ml_dsa_65_avx2_verify_pre_hashed_shake128( + libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, + Eurydice_slice message, Eurydice_slice context, + libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_pre_hashed_shake128_01( + libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, + libcrux_ml_dsa_types_as_ref_8f_fa(signature)); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_arithmetic_add( + __m256i *lhs, __m256i *rhs) { + lhs[0U] = libcrux_intrinsics_avx2_mm256_add_epi32(lhs[0U], rhs[0U]); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(__m256i *t) { __m256i signs = - libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, t, __m256i); + libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, t[0U], __m256i); __m256i conditional_add_field_modulus = libcrux_intrinsics_avx2_mm256_and_si256( signs, libcrux_intrinsics_avx2_mm256_set1_epi32( LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS)); - return libcrux_intrinsics_avx2_mm256_add_epi32(t, - conditional_add_field_modulus); + t[0U] = libcrux_intrinsics_avx2_mm256_add_epi32( + t[0U], conditional_add_field_modulus); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE bool +libcrux_ml_dsa_simd_avx2_arithmetic_infinity_norm_exceeds(__m256i *simd_unit, + int32_t bound) { + __m256i absolute_values = + libcrux_intrinsics_avx2_mm256_abs_epi32(simd_unit[0U]); + __m256i bound0 = libcrux_intrinsics_avx2_mm256_set1_epi32(bound - (int32_t)1); + __m256i compare_with_bound = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32(absolute_values, bound0); + int32_t result = libcrux_intrinsics_avx2_mm256_testz_si256( + compare_with_bound, compare_with_bound); + return result != (int32_t)1; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(__m256i *lhs, + __m256i *rhs) { + __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + __m256i inverse_of_modulus_mod_montgomery_r = + libcrux_intrinsics_avx2_mm256_set1_epi32( + (int32_t) + LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R); + __m256i prod02 = libcrux_intrinsics_avx2_mm256_mul_epi32(lhs[0U], rhs[0U]); + __m256i prod13 = libcrux_intrinsics_avx2_mm256_mul_epi32( + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, lhs[0U], + __m256i), + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, rhs[0U], + __m256i)); + __m256i k02 = libcrux_intrinsics_avx2_mm256_mul_epi32( + prod02, inverse_of_modulus_mod_montgomery_r); + __m256i k13 = libcrux_intrinsics_avx2_mm256_mul_epi32( + prod13, inverse_of_modulus_mod_montgomery_r); + __m256i c02 = libcrux_intrinsics_avx2_mm256_mul_epi32(k02, field_modulus); + __m256i c13 = libcrux_intrinsics_avx2_mm256_mul_epi32(k13, field_modulus); + __m256i res02 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod02, c02); + __m256i res13 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod13, c13); + __m256i res02_shifted = + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, res02, __m256i); + lhs[0U] = libcrux_intrinsics_avx2_mm256_blend_epi32( + (int32_t)170, res02_shifted, res13, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(__m256i lhs, - __m256i rhs) { +libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + __m256i lhs, int32_t constant) { + __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(constant); __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); __m256i inverse_of_modulus_mod_montgomery_r = @@ -472,187 +829,126 @@ libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(__m256i lhs, res13, __m256i); } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_montgomery_multiply_a2(__m256i lhs, __m256i rhs) { - return libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(lhs, rhs); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_arithmetic_power2round( + __m256i *r0, __m256i *r1) { + libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(r0); + r1[0U] = libcrux_intrinsics_avx2_mm256_add_epi32( + r0[0U], + libcrux_intrinsics_avx2_mm256_set1_epi32( + ((int32_t)1 + << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - + (size_t)1U)) - + (int32_t)1)); + r1[0U] = + libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)13, r1[0U], __m256i); + __m256i tmp = + libcrux_intrinsics_avx2_mm256_slli_epi32((int32_t)13, r1[0U], __m256i); + r0[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32(r0[0U], tmp); } -typedef struct core_core_arch_x86___m256i_x2_s { - __m256i fst; - __m256i snd; -} core_core_arch_x86___m256i_x2; - KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 -libcrux_ml_dsa_simd_avx2_arithmetic_power2round(__m256i r) { - __m256i r2 = - libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(r); - __m256i r1 = libcrux_intrinsics_avx2_mm256_add_epi32( - r2, libcrux_intrinsics_avx2_mm256_set1_epi32( - ((int32_t)1 - << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - - (size_t)1U)) - - (int32_t)1)); - __m256i r10 = - libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)13, r1, __m256i); - __m256i r0 = - libcrux_intrinsics_avx2_mm256_slli_epi32((int32_t)13, r10, __m256i); - __m256i r00 = libcrux_intrinsics_avx2_mm256_sub_epi32(r2, r0); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = r00, .snd = r10}); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_arithmetic_subtract( + __m256i *lhs, __m256i *rhs) { + lhs[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32(lhs[0U], rhs[0U]); } -typedef struct libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2_s { - __m256i fst; - __m256i snd; -} libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2; - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2 -libcrux_ml_dsa_simd_avx2_power2round_a2(__m256i simd_unit) { - core_core_arch_x86___m256i_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_arithmetic_power2round(simd_unit); - __m256i lower = uu____0.fst; - __m256i upper = uu____0.snd; - return (CLITERAL(libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2){ - .fst = lower, .snd = upper}); +static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_zero(void) { + return libcrux_intrinsics_avx2_mm256_setzero_si256(); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_REJECTION_SAMPLE_LESS_THAN_FIELD_MODULUS_BYTESTREAM_TO_POTENTIAL_COEFFICIENTS_COEFFICIENT_MASK \ - (((int32_t)1 << 23U) - (int32_t)1) - KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_bytestream_to_potential_coefficients( - Eurydice_slice serialized) { - uint8_t serialized_extended[32U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice_to( - (size_t)32U, serialized_extended, (size_t)24U, uint8_t, size_t); - Eurydice_slice_copy(uu____0, serialized, uint8_t); - __m256i coefficients = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( - Eurydice_array_to_slice((size_t)32U, serialized_extended, uint8_t)); - __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( - coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)5, (int32_t)4, (int32_t)3, - (int32_t)0, (int32_t)2, (int32_t)1, (int32_t)0)); - __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - coefficients0, - libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)8, - (int8_t)7, (int8_t)6, (int8_t)-1, (int8_t)5, (int8_t)4, (int8_t)3, - (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)0, (int8_t)-1, (int8_t)11, - (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, - (int8_t)-1, (int8_t)5, (int8_t)4, (int8_t)3, (int8_t)-1, (int8_t)2, - (int8_t)1, (int8_t)0)); - return libcrux_intrinsics_avx2_mm256_and_si256( - coefficients1, - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_REJECTION_SAMPLE_LESS_THAN_FIELD_MODULUS_BYTESTREAM_TO_POTENTIAL_COEFFICIENTS_COEFFICIENT_MASK)); -} - -static const uint8_t - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE - [16U][16U] = {{255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U}, - {4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, - 255U, 255U, 255U}, - {12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U}, - {4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, - 255U, 255U, 255U}, - {8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, - 255U, 255U, 255U, 255U}, - {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, - 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, - 13U, 14U, 15U}}; - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_sample( - Eurydice_slice input, Eurydice_slice output) { - __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); - __m256i potential_coefficients = - libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_bytestream_to_potential_coefficients( - input); - __m256i compare_with_field_modulus = - libcrux_intrinsics_avx2_mm256_cmpgt_epi32(field_modulus, - potential_coefficients); - int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( - libcrux_intrinsics_avx2_mm256_castsi256_ps(compare_with_field_modulus)); - int32_t good_lower_half = good & (int32_t)15; - int32_t good_upper_half = good >> 4U; - uint8_t lower_shuffles[16U]; - memcpy(lower_shuffles, - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( - size_t)good_lower_half], - (size_t)16U * sizeof(uint8_t)); - __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); - __m128i lower_coefficients = - libcrux_intrinsics_avx2_mm256_castsi256_si128(potential_coefficients); - __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - lower_coefficients, lower_shuffles0); - libcrux_intrinsics_avx2_mm_storeu_si128_i32( - Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), - lower_coefficients0); - size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); - uint8_t upper_shuffles[16U]; - memcpy(upper_shuffles, - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( - size_t)good_upper_half], - (size_t)16U * sizeof(uint8_t)); - __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); - __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, potential_coefficients, __m128i); - __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - upper_coefficients, upper_shuffles0); - libcrux_intrinsics_avx2_mm_storeu_si128_i32( - Eurydice_slice_subslice2(output, sampled_count, - sampled_count + (size_t)4U, int32_t), - upper_coefficients0); - size_t uu____0 = sampled_count; - return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_a2( - Eurydice_slice randomness, Eurydice_slice out) { - return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_sample( - randomness, out); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_commitment_serialize(__m256i *simd_unit, + Eurydice_slice out) { + uint8_t serialized[19U] = {0U}; + switch ((uint8_t)Eurydice_slice_len(out, uint8_t)) { + case 4U: { + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit[0U], libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28, + (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)28, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, + (int32_t)2, (int32_t)4, (int32_t)0)); + __m128i adjacent_4_combined0 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); + __m128i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + adjacent_4_combined0, + libcrux_intrinsics_avx2_mm_set_epi8(240U, 240U, 240U, 240U, 240U, + 240U, 240U, 240U, 240U, 240U, + 240U, 240U, 12U, 4U, 8U, 0U)); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, + uint8_t), + adjacent_4_combined1); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy(uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, + (size_t)4U, uint8_t), + uint8_t); + break; + } + case 6U: { + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit[0U], libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)26, (int32_t)0, (int32_t)26, + (int32_t)0, (int32_t)26, (int32_t)0, (int32_t)26)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)26, adjacent_2_combined, __m256i); + __m256i adjacent_3_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)1, + (int8_t)0, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, + (int8_t)1, (int8_t)0)); + __m256i adjacent_3_combined0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( + adjacent_3_combined, + libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, + (int16_t)1, (int16_t)1, (int16_t)1 << 4U, (int16_t)1, (int16_t)1, + (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, + (int16_t)1 << 4U)); + __m256i adjacent_3_combined1 = libcrux_intrinsics_avx2_mm256_srlv_epi32( + adjacent_3_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)4, (int32_t)0, + (int32_t)0, (int32_t)0, (int32_t)4)); + __m128i lower_3 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_3_combined1); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, + uint8_t), + lower_3); + __m128i upper_3 = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, adjacent_3_combined1, __m128i); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)3U, (size_t)19U, + uint8_t), + upper_3); + Eurydice_slice uu____1 = out; + Eurydice_slice_copy(uu____1, + Eurydice_array_to_subslice2(serialized, (size_t)0U, + (size_t)6U, uint8_t), + uint8_t); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } } #define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_2_COEFFICIENT_MASK \ @@ -711,307 +1007,117 @@ libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_4( LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_4_COEFFICIENT_MASK)); } -/** -A monomorphic instance of -libcrux_ml_dsa.simd.avx2.encoding.error.deserialize_to_unsigned with const -generics -- ETA= 4 -*/ +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \ + ((int32_t)2) + KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac( - Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_4( - serialized); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_2( + __m256i *simd_unit, Eurydice_slice out) { + uint8_t serialized[16U] = {0U}; + __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA), + simd_unit[0U]); + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)29, (int32_t)0, (int32_t)29, + (int32_t)0, (int32_t)29, (int32_t)0, (int32_t)29)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)29, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)8, (int8_t)-1, (int8_t)0, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)8, (int8_t)-1, + (int8_t)0)); + __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_madd_epi16( + adjacent_4_combined, + libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, + (int16_t)0, (int16_t)1 << 6U, (int16_t)1, (int16_t)0, (int16_t)0, + (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)1 << 6U, + (int16_t)1)); + __m256i adjacent_6_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + adjacent_4_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, + (int32_t)0, (int32_t)4, (int32_t)0)); + __m128i adjacent_6_combined0 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_6_combined); + __m128i adjacent_6_combined1 = libcrux_intrinsics_avx2_mm_sllv_epi32( + adjacent_6_combined0, + libcrux_intrinsics_avx2_mm_set_epi32((int32_t)0, (int32_t)0, (int32_t)0, + (int32_t)20)); + __m128i adjacent_6_combined2 = libcrux_intrinsics_avx2_mm_srli_epi64( + (int32_t)20, adjacent_6_combined1, __m128i); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + adjacent_6_combined2); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)3U, uint8_t), + uint8_t); } -/** -A monomorphic instance of -libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.shift_interval with -const generics -- ETA= 2 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_fd( - __m256i coefficients) { - __m256i uu____0; - __m256i quotient = libcrux_intrinsics_avx2_mm256_mullo_epi32( - coefficients, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)26)); - __m256i quotient0 = - libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)7, quotient, __m256i); - __m256i quotient1 = libcrux_intrinsics_avx2_mm256_mullo_epi32( - quotient0, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)5)); - __m256i coefficients_mod_5 = - libcrux_intrinsics_avx2_mm256_sub_epi32(coefficients, quotient1); - uu____0 = libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)2U), - coefficients_mod_5); - return uu____0; -} - -/** -A monomorphic instance of -libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.sample with const -generics -- ETA= 2 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_fd( - Eurydice_slice input, Eurydice_slice output) { - __m256i potential_coefficients = - libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac(input); - int32_t interval_boundary; - interval_boundary = (int32_t)15; - __m256i compare_with_interval_boundary = - libcrux_intrinsics_avx2_mm256_cmpgt_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32(interval_boundary), - potential_coefficients); - int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( - libcrux_intrinsics_avx2_mm256_castsi256_ps( - compare_with_interval_boundary)); - int32_t good_lower_half = good & (int32_t)15; - int32_t good_upper_half = good >> 4U; - __m256i shifted = - libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_fd( - potential_coefficients); - uint8_t lower_shuffles[16U]; - memcpy(lower_shuffles, - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( - size_t)good_lower_half], - (size_t)16U * sizeof(uint8_t)); - __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); - __m128i lower_coefficients = - libcrux_intrinsics_avx2_mm256_castsi256_si128(shifted); - __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - lower_coefficients, lower_shuffles0); - libcrux_intrinsics_avx2_mm_storeu_si128_i32( - Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), - lower_coefficients0); - size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); - uint8_t upper_shuffles[16U]; - memcpy(upper_shuffles, - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( - size_t)good_upper_half], - (size_t)16U * sizeof(uint8_t)); - __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); - __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, shifted, __m128i); - __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - upper_coefficients, upper_shuffles0); - libcrux_intrinsics_avx2_mm_storeu_si128_i32( - Eurydice_slice_subslice2(output, sampled_count, - sampled_count + (size_t)4U, int32_t), - upper_coefficients0); - size_t uu____0 = sampled_count; - return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_2_a2( - Eurydice_slice randomness, Eurydice_slice out) { - return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_fd( - randomness, out); -} - -/** -A monomorphic instance of -libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.shift_interval with -const generics -- ETA= 4 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_ac( - __m256i coefficients) { - return libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)4U), - coefficients); -} - -/** -A monomorphic instance of -libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.sample with const -generics -- ETA= 4 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_ac( - Eurydice_slice input, Eurydice_slice output) { - __m256i potential_coefficients = - libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac(input); - int32_t interval_boundary; - interval_boundary = (int32_t)9; - __m256i compare_with_interval_boundary = - libcrux_intrinsics_avx2_mm256_cmpgt_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32(interval_boundary), - potential_coefficients); - int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( - libcrux_intrinsics_avx2_mm256_castsi256_ps( - compare_with_interval_boundary)); - int32_t good_lower_half = good & (int32_t)15; - int32_t good_upper_half = good >> 4U; - __m256i shifted = - libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_ac( - potential_coefficients); - uint8_t lower_shuffles[16U]; - memcpy(lower_shuffles, - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( - size_t)good_lower_half], - (size_t)16U * sizeof(uint8_t)); - __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); - __m128i lower_coefficients = - libcrux_intrinsics_avx2_mm256_castsi256_si128(shifted); - __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - lower_coefficients, lower_shuffles0); - libcrux_intrinsics_avx2_mm_storeu_si128_i32( - Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), - lower_coefficients0); - size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); - uint8_t upper_shuffles[16U]; - memcpy(upper_shuffles, - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( - size_t)good_upper_half], - (size_t)16U * sizeof(uint8_t)); - __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); - __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, shifted, __m128i); - __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - upper_coefficients, upper_shuffles0); - libcrux_intrinsics_avx2_mm_storeu_si128_i32( - Eurydice_slice_subslice2(output, sampled_count, - sampled_count + (size_t)4U, int32_t), - upper_coefficients0); - size_t uu____0 = sampled_count; - return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_a2( - Eurydice_slice randomness, Eurydice_slice out) { - return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_ac( - randomness, out); -} - -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ - ((int32_t)1 << 17U) +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \ + ((int32_t)4) KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_17( - __m256i simd_unit, Eurydice_slice out) { - uint8_t serialized[32U] = {0U}; +libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_4( + __m256i *simd_unit, Eurydice_slice out) { + uint8_t serialized[16U] = {0U}; __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1), - simd_unit); + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA), + simd_unit[0U]); __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)14, (int32_t)0, (int32_t)14, - (int32_t)0, (int32_t)14, (int32_t)0, (int32_t)14)); + (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28, + (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28)); __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)14, adjacent_2_combined, __m256i); - __m256i every_second_element = libcrux_intrinsics_avx2_mm256_bsrli_epi128( - (int32_t)8, adjacent_2_combined0, __m256i); - __m256i every_second_element_shifted = - libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)36, - every_second_element, __m256i); - __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_add_epi64( - adjacent_2_combined0, every_second_element_shifted); - __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_srlv_epi64( - adjacent_4_combined, - libcrux_intrinsics_avx2_mm256_set_epi64x((int64_t)28, (int64_t)0, - (int64_t)28, (int64_t)0)); - __m128i lower_4 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined0); + (int32_t)28, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, + (int32_t)2, (int32_t)4, (int32_t)0)); + __m128i adjacent_4_combined0 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); + __m128i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + adjacent_4_combined0, libcrux_intrinsics_avx2_mm_set_epi8( + 240U, 240U, 240U, 240U, 240U, 240U, 240U, 240U, + 240U, 240U, 240U, 240U, 12U, 4U, 8U, 0U)); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), - lower_4); - __m128i upper_4 = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, adjacent_4_combined0, __m128i); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)9U, (size_t)25U, uint8_t), - upper_4); + adjacent_4_combined1); Eurydice_slice uu____0 = out; Eurydice_slice_copy( uu____0, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)18U, uint8_t), + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)4U, uint8_t), uint8_t); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ - ((int32_t)1 << 19U) +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + ((int32_t)1 << 17U) + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_MASK \ + ((LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + << 1U) - \ + (int32_t)1) KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( - __m256i simd_unit, Eurydice_slice out) { - uint8_t serialized[32U] = {0U}; - __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1), - simd_unit); - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( - simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12, - (int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12)); - __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)12, adjacent_2_combined, __m256i); - __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - adjacent_2_combined0, - libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)12, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)8, - (int8_t)4, (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)0, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)12, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)8, (int8_t)4, - (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)0)); - __m128i lower_4 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), - lower_4); - __m128i upper_4 = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, adjacent_4_combined, __m128i); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U, - uint8_t), - upper_4); - Eurydice_slice uu____0 = out; - Eurydice_slice_copy( - uu____0, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)20U, uint8_t), - uint8_t); -} - -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ - ((int32_t)1 << 17U) - -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_MASK \ - ((LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ - << 1U) - \ - (int32_t)1) - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( - Eurydice_slice serialized) { + Eurydice_slice serialized, __m256i *out) { __m128i serialized_lower = libcrux_intrinsics_avx2_mm_loadu_si128( Eurydice_slice_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t)); __m128i serialized_upper = libcrux_intrinsics_avx2_mm_loadu_si128( @@ -1035,7 +1141,7 @@ libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( coefficients0, libcrux_intrinsics_avx2_mm256_set1_epi32( LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_MASK)); - return libcrux_intrinsics_avx2_mm256_sub_epi32( + out[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32( libcrux_intrinsics_avx2_mm256_set1_epi32( LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1), coefficients1); @@ -1050,9 +1156,9 @@ libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( (int32_t)1) KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( - Eurydice_slice serialized) { + Eurydice_slice serialized, __m256i *out) { __m128i serialized_lower = libcrux_intrinsics_avx2_mm_loadu_si128( Eurydice_slice_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t)); __m128i serialized_upper = libcrux_intrinsics_avx2_mm_loadu_si128( @@ -1076,315 +1182,2151 @@ libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( coefficients0, libcrux_intrinsics_avx2_mm256_set1_epi32( LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_MASK)); - return libcrux_intrinsics_avx2_mm256_sub_epi32( + out[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32( libcrux_intrinsics_avx2_mm256_set1_epi32( LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1), coefficients1); } +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + ((int32_t)1 << 17U) + KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_encoding_commitment_serialize(__m256i simd_unit, - Eurydice_slice out) { - uint8_t serialized[19U] = {0U}; - switch ((uint8_t)Eurydice_slice_len(out, uint8_t)) { - case 4U: { - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( - simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28, - (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28)); - __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)28, adjacent_2_combined, __m256i); - __m256i adjacent_4_combined = - libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( - adjacent_2_combined0, - libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, - (int32_t)2, (int32_t)4, (int32_t)0)); - __m128i adjacent_4_combined0 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); - __m128i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - adjacent_4_combined0, - libcrux_intrinsics_avx2_mm_set_epi8(240U, 240U, 240U, 240U, 240U, - 240U, 240U, 240U, 240U, 240U, - 240U, 240U, 12U, 4U, 8U, 0U)); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, - uint8_t), - adjacent_4_combined1); - Eurydice_slice uu____0 = out; - Eurydice_slice_copy(uu____0, - Eurydice_array_to_subslice2(serialized, (size_t)0U, - (size_t)4U, uint8_t), - uint8_t); - break; - } - case 6U: { - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( - simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)26, (int32_t)0, (int32_t)26, - (int32_t)0, (int32_t)26, (int32_t)0, (int32_t)26)); - __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)26, adjacent_2_combined, __m256i); - __m256i adjacent_3_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( +libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_17( + __m256i *simd_unit, Eurydice_slice out) { + uint8_t serialized[32U] = {0U}; + __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1), + simd_unit[0U]); + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)14, (int32_t)0, (int32_t)14, + (int32_t)0, (int32_t)14, (int32_t)0, (int32_t)14)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)14, adjacent_2_combined, __m256i); + __m256i every_second_element = libcrux_intrinsics_avx2_mm256_bsrli_epi128( + (int32_t)8, adjacent_2_combined0, __m256i); + __m256i every_second_element_shifted = + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)36, + every_second_element, __m256i); + __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_add_epi64( + adjacent_2_combined0, every_second_element_shifted); + __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_srlv_epi64( + adjacent_4_combined, + libcrux_intrinsics_avx2_mm256_set_epi64x((int64_t)28, (int64_t)0, + (int64_t)28, (int64_t)0)); + __m128i lower_4 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined0); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + lower_4); + __m128i upper_4 = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, adjacent_4_combined0, __m128i); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)9U, (size_t)25U, uint8_t), + upper_4); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)18U, uint8_t), + uint8_t); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + ((int32_t)1 << 19U) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( + __m256i *simd_unit, Eurydice_slice out) { + uint8_t serialized[32U] = {0U}; + __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1), + simd_unit[0U]); + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12, + (int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)12, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)12, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)8, + (int8_t)4, (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)0, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)12, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)8, (int8_t)4, + (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)0)); + __m128i lower_4 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + lower_4); + __m128i upper_4 = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, adjacent_4_combined, __m128i); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U, + uint8_t), + upper_4); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)20U, uint8_t), + uint8_t); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(__m256i *simd_unit) { + __m256i interval_end = libcrux_intrinsics_avx2_mm256_set1_epi32( + (int32_t)1 + << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - + (size_t)1U)); + return libcrux_intrinsics_avx2_mm256_sub_epi32(interval_end, simd_unit[0U]); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T0_DESERIALIZE_COEFFICIENT_MASK \ + (((int32_t)1 << 13U) - (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t0_deserialize( + Eurydice_slice serialized, __m256i *out) { + uint8_t serialized_extended[16U] = {0U}; + Eurydice_slice_copy( + Eurydice_array_to_subslice2(serialized_extended, (size_t)0U, (size_t)13U, + uint8_t), + serialized, uint8_t); + __m128i serialized0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, serialized_extended, uint8_t)); + __m256i serialized1 = + libcrux_intrinsics_avx2_mm256_set_m128i(serialized0, serialized0); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + serialized1, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)12, (int8_t)11, (int8_t)-1, + (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)-1, (int8_t)9, + (int8_t)8, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1, + (int8_t)6, (int8_t)5, (int8_t)4, (int8_t)-1, (int8_t)-1, (int8_t)4, + (int8_t)3, (int8_t)-1, (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)-1, + (int8_t)-1, (int8_t)1, (int8_t)0)); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)3, (int32_t)6, (int32_t)1, (int32_t)4, + (int32_t)7, (int32_t)2, (int32_t)5, (int32_t)0)); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256( + coefficients0, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T0_DESERIALIZE_COEFFICIENT_MASK)); + out[0U] = + libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(&coefficients1); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t0_serialize( + __m256i *simd_unit, Eurydice_slice out) { + uint8_t serialized[16U] = {0U}; + __m256i simd_unit0 = + libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(simd_unit); + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit0, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)19, (int32_t)0, (int32_t)19, + (int32_t)0, (int32_t)19, (int32_t)0, (int32_t)19)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)19, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( adjacent_2_combined0, - libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)1, - (int8_t)0, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, - (int8_t)1, (int8_t)0)); - __m256i adjacent_3_combined0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( - adjacent_3_combined, - libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, - (int16_t)1, (int16_t)1, (int16_t)1 << 4U, (int16_t)1, (int16_t)1, - (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, - (int16_t)1 << 4U)); - __m256i adjacent_3_combined1 = libcrux_intrinsics_avx2_mm256_srlv_epi32( - adjacent_3_combined0, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)4, (int32_t)0, - (int32_t)0, (int32_t)0, (int32_t)4)); - __m128i lower_3 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_3_combined1); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, - uint8_t), - lower_3); - __m128i upper_3 = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, adjacent_3_combined1, __m128i); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)3U, (size_t)19U, - uint8_t), - upper_3); - Eurydice_slice uu____1 = out; - Eurydice_slice_copy(uu____1, - Eurydice_array_to_subslice2(serialized, (size_t)0U, - (size_t)6U, uint8_t), - uint8_t); - break; - } - default: { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "panic!"); - KRML_HOST_EXIT(255U); + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, + (int32_t)4, (int32_t)2, (int32_t)0)); + __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_sllv_epi32( + adjacent_4_combined, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)6, (int32_t)0, (int32_t)6, + (int32_t)0, (int32_t)6, (int32_t)0, (int32_t)6)); + __m256i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)6, adjacent_4_combined0, __m256i); + __m256i second_4_combined = libcrux_intrinsics_avx2_mm256_bsrli_epi128( + (int32_t)8, adjacent_4_combined1, __m256i); + __m256i least_12_bits_shifted_up = libcrux_intrinsics_avx2_mm256_slli_epi64( + (int32_t)52, second_4_combined, __m256i); + __m256i bits_sequential = libcrux_intrinsics_avx2_mm256_add_epi64( + adjacent_4_combined1, least_12_bits_shifted_up); + __m256i bits_sequential0 = libcrux_intrinsics_avx2_mm256_srlv_epi64( + bits_sequential, libcrux_intrinsics_avx2_mm256_set_epi64x( + (int64_t)0, (int64_t)0, (int64_t)12, (int64_t)0)); + __m128i bits_sequential1 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(bits_sequential0); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_slice((size_t)16U, serialized, uint8_t), + bits_sequential1); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)13U, uint8_t), + uint8_t); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T1_DESERIALIZE_COEFFICIENT_MASK \ + (((int32_t)1 << 10U) - (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t1_deserialize( + Eurydice_slice bytes, __m256i *out) { + uint8_t bytes_extended[16U] = {0U}; + Eurydice_slice_copy(Eurydice_array_to_subslice2(bytes_extended, (size_t)0U, + (size_t)10U, uint8_t), + bytes, uint8_t); + __m128i bytes_loaded = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, bytes_extended, uint8_t)); + __m256i bytes_loaded0 = + libcrux_intrinsics_avx2_mm256_set_m128i(bytes_loaded, bytes_loaded); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + bytes_loaded0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)-1, (int8_t)-1, + (int8_t)8, (int8_t)7, (int8_t)-1, (int8_t)-1, (int8_t)7, (int8_t)6, + (int8_t)-1, (int8_t)-1, (int8_t)6, (int8_t)5, (int8_t)-1, (int8_t)-1, + (int8_t)4, (int8_t)3, (int8_t)-1, (int8_t)-1, (int8_t)3, (int8_t)2, + (int8_t)-1, (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)-1, (int8_t)-1, + (int8_t)1, (int8_t)0)); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0, + (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0)); + out[0U] = libcrux_intrinsics_avx2_mm256_and_si256( + coefficients0, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T1_DESERIALIZE_COEFFICIENT_MASK)); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t1_serialize( + __m256i *simd_unit, Eurydice_slice out) { + uint8_t serialized[24U] = {0U}; + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit[0U], libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)22, (int32_t)0, (int32_t)22, + (int32_t)0, (int32_t)22, (int32_t)0, (int32_t)22)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)22, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)6, (int32_t)4, (int32_t)0, + (int32_t)0, (int32_t)2, (int32_t)0)); + __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_sllv_epi32( + adjacent_4_combined, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12, (int32_t)0, + (int32_t)12, (int32_t)0, (int32_t)12)); + __m256i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)12, adjacent_4_combined0, __m256i); + __m128i lower_4 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined1); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + lower_4); + __m128i upper_4 = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, adjacent_4_combined1, __m128i); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)5U, (size_t)21U, uint8_t), + upper_4); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)10U, uint8_t), + uint8_t); +} + +typedef struct core_core_arch_x86___m256i_x2_s { + __m256i fst; + __m256i snd; +} core_core_arch_x86___m256i_x2; + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_0( + __m256i simd_unit0, __m256i simd_unit1, int32_t zeta00, int32_t zeta01, + int32_t zeta02, int32_t zeta03, int32_t zeta10, int32_t zeta11, + int32_t zeta12, int32_t zeta13) { + __m256i a_shuffled = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)216, simd_unit0, __m256i); + __m256i b_shuffled0 = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)216, simd_unit1, __m256i); + __m256i lo_values = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a_shuffled, b_shuffled0); + __m256i hi_values = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a_shuffled, b_shuffled0); + __m256i differences = hi_values; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&differences, &lo_values); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&lo_values, &hi_values); + __m256i sums = lo_values; + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta13, zeta12, zeta03, zeta02, zeta11, zeta10, zeta01, zeta00); + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&differences, &zetas); + __m256i a_shuffled0 = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(sums, differences); + __m256i b_shuffled = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(sums, differences); + __m256i a = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, + a_shuffled0, __m256i); + __m256i b = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, + b_shuffled, __m256i); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + __m256i *re, size_t index, int32_t zeta00, int32_t zeta01, int32_t zeta02, + int32_t zeta03, int32_t zeta10, int32_t zeta11, int32_t zeta12, + int32_t zeta13) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_0( + re[index], re[index + (size_t)1U], zeta00, zeta01, zeta02, zeta03, + zeta10, zeta11, zeta12, zeta13); + __m256i lhs0 = uu____0.fst; + __m256i lhs = uu____0.snd; + re[index] = lhs0; + re[index + (size_t)1U] = lhs; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)0U, (int32_t)1976782, (int32_t)-846154, (int32_t)1400424, + (int32_t)3937738, (int32_t)-1362209, (int32_t)-48306, (int32_t)3919660, + (int32_t)-554416); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)2U, (int32_t)-3545687, (int32_t)1612842, (int32_t)-976891, + (int32_t)183443, (int32_t)-2286327, (int32_t)-420899, (int32_t)-2235985, + (int32_t)-2939036); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)4U, (int32_t)-3833893, (int32_t)-260646, (int32_t)-1104333, + (int32_t)-1667432, (int32_t)1910376, (int32_t)-1803090, (int32_t)1723600, + (int32_t)-426683); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)6U, (int32_t)472078, (int32_t)1717735, (int32_t)-975884, + (int32_t)2213111, (int32_t)269760, (int32_t)3866901, (int32_t)3523897, + (int32_t)-3038916); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)8U, (int32_t)-1799107, (int32_t)-3694233, (int32_t)1652634, + (int32_t)810149, (int32_t)3014001, (int32_t)1616392, (int32_t)162844, + (int32_t)-3183426); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)10U, (int32_t)-1207385, (int32_t)185531, (int32_t)3369112, + (int32_t)1957272, (int32_t)-164721, (int32_t)2454455, (int32_t)2432395, + (int32_t)-2013608); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)12U, (int32_t)-3776993, (int32_t)594136, (int32_t)-3724270, + (int32_t)-2584293, (int32_t)-1846953, (int32_t)-1671176, + (int32_t)-2831860, (int32_t)-542412); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)14U, (int32_t)3406031, (int32_t)2235880, (int32_t)777191, + (int32_t)1500165, (int32_t)-1374803, (int32_t)-2546312, (int32_t)1917081, + (int32_t)-1279661); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)16U, (int32_t)-1962642, (int32_t)3306115, (int32_t)1312455, + (int32_t)-451100, (int32_t)-1430225, (int32_t)-3318210, (int32_t)1237275, + (int32_t)-1333058); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)18U, (int32_t)-1050970, (int32_t)1903435, (int32_t)1869119, + (int32_t)-2994039, (int32_t)-3548272, (int32_t)2635921, (int32_t)1250494, + (int32_t)-3767016); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)20U, (int32_t)1595974, (int32_t)2486353, (int32_t)1247620, + (int32_t)4055324, (int32_t)1265009, (int32_t)-2590150, (int32_t)2691481, + (int32_t)2842341); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)22U, (int32_t)203044, (int32_t)1735879, (int32_t)-3342277, + (int32_t)3437287, (int32_t)4108315, (int32_t)-2437823, (int32_t)286988, + (int32_t)342297); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)24U, (int32_t)-3595838, (int32_t)-768622, (int32_t)-525098, + (int32_t)-3556995, (int32_t)3207046, (int32_t)2031748, (int32_t)-3122442, + (int32_t)-655327); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)26U, (int32_t)-522500, (int32_t)-43260, (int32_t)-1613174, + (int32_t)495491, (int32_t)819034, (int32_t)909542, (int32_t)1859098, + (int32_t)900702); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)28U, (int32_t)-3193378, (int32_t)-1197226, (int32_t)-3759364, + (int32_t)-3520352, (int32_t)3513181, (int32_t)-1235728, (int32_t)2434439, + (int32_t)266997); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)30U, (int32_t)-3562462, (int32_t)-2446433, (int32_t)2244091, + (int32_t)-3342478, (int32_t)3817976, (int32_t)2316500, (int32_t)3407706, + (int32_t)2091667); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_1( + __m256i simd_unit0, __m256i simd_unit1, int32_t zeta00, int32_t zeta01, + int32_t zeta10, int32_t zeta11) { + __m256i lo_values = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(simd_unit0, simd_unit1); + __m256i hi_values = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(simd_unit0, simd_unit1); + __m256i differences = hi_values; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&differences, &lo_values); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&lo_values, &hi_values); + __m256i sums = lo_values; + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta11, zeta11, zeta01, zeta01, zeta10, zeta10, zeta00, zeta00); + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&differences, &zetas); + __m256i a = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(sums, differences); + __m256i b = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(sums, differences); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + __m256i *re, size_t index, int32_t zeta_00, int32_t zeta_01, + int32_t zeta_10, int32_t zeta_11) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_1( + re[index], re[index + (size_t)1U], zeta_00, zeta_01, zeta_10, + zeta_11); + __m256i lhs0 = uu____0.fst; + __m256i lhs = uu____0.snd; + re[index] = lhs0; + re[index + (size_t)1U] = lhs; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)0U, (int32_t)3839961, (int32_t)-3628969, (int32_t)-3881060, + (int32_t)-3019102); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)2U, (int32_t)-1439742, (int32_t)-812732, (int32_t)-1584928, + (int32_t)1285669); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)4U, (int32_t)1341330, (int32_t)1315589, (int32_t)-177440, + (int32_t)-2409325); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)6U, (int32_t)-1851402, (int32_t)3159746, (int32_t)-3553272, + (int32_t)189548); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)8U, (int32_t)-1316856, (int32_t)759969, (int32_t)-210977, + (int32_t)2389356); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)10U, (int32_t)-3249728, (int32_t)1653064, (int32_t)-8578, + (int32_t)-3724342); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)12U, (int32_t)3958618, (int32_t)904516, (int32_t)-1100098, + (int32_t)44288); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)14U, (int32_t)3097992, (int32_t)508951, (int32_t)264944, + (int32_t)-3343383); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)16U, (int32_t)-1430430, (int32_t)1852771, (int32_t)1349076, + (int32_t)-381987); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)18U, (int32_t)-1308169, (int32_t)-22981, (int32_t)-1228525, + (int32_t)-671102); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)20U, (int32_t)-2477047, (int32_t)-411027, (int32_t)-3693493, + (int32_t)-2967645); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)22U, (int32_t)2715295, (int32_t)2147896, (int32_t)-983419, + (int32_t)3412210); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)24U, (int32_t)126922, (int32_t)-3632928, (int32_t)-3157330, + (int32_t)-3190144); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)26U, (int32_t)-1000202, (int32_t)-4083598, (int32_t)1939314, + (int32_t)-1257611); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)28U, (int32_t)-1585221, (int32_t)2176455, (int32_t)3475950, + (int32_t)-1452451); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)30U, (int32_t)-3041255, (int32_t)-3677745, (int32_t)-1528703, + (int32_t)-3930395); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_2( + __m256i simd_unit0, __m256i simd_unit1, int32_t zeta0, int32_t zeta1) { + __m256i lo_values = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)32, simd_unit0, simd_unit1, __m256i); + __m256i hi_values = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)49, simd_unit0, simd_unit1, __m256i); + __m256i differences = hi_values; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&differences, &lo_values); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&lo_values, &hi_values); + __m256i sums = lo_values; + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&differences, &zetas); + __m256i a = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)32, sums, differences, __m256i); + __m256i b = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)49, sums, differences, __m256i); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(__m256i *re, + size_t index, + int32_t zeta1, + int32_t zeta2) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_2( + re[index], re[index + (size_t)1U], zeta1, zeta2); + __m256i lhs0 = uu____0.fst; + __m256i lhs = uu____0.snd; + re[index] = lhs0; + re[index + (size_t)1U] = lhs; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)0U, (int32_t)-2797779, (int32_t)2071892); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)2U, (int32_t)-2556880, (int32_t)3900724); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)4U, (int32_t)3881043, (int32_t)954230); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)6U, (int32_t)531354, (int32_t)811944); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)8U, (int32_t)3699596, (int32_t)-1600420); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)10U, (int32_t)-2140649, (int32_t)3507263); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)12U, (int32_t)-3821735, (int32_t)3505694); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)14U, (int32_t)-1643818, (int32_t)-1699267); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)16U, (int32_t)-539299, (int32_t)2348700); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)18U, (int32_t)-300467, (int32_t)3539968); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)20U, (int32_t)-2867647, (int32_t)3574422); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)22U, (int32_t)-3043716, (int32_t)-3861115); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)24U, (int32_t)3915439, (int32_t)-2537516); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)26U, (int32_t)-3592148, (int32_t)-1661693); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)28U, (int32_t)3530437, (int32_t)3077325); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)30U, (int32_t)95776, (int32_t)2706023); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 1 +- ZETA= 280005 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_99( + __m256i *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)280005); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 2 +- STEP_BY= 1 +- ZETA= 4010497 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1c( + __m256i *re) { + for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)4010497); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 4 +- STEP_BY= 1 +- ZETA= -19422 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b( + __m256i *re) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-19422); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 6 +- STEP_BY= 1 +- ZETA= 1757237 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_44( + __m256i *re) { + for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)1757237); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 1 +- ZETA= -3277672 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a8( + __m256i *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-3277672); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 10 +- STEP_BY= 1 +- ZETA= -1399561 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1f( + __m256i *re) { + for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-1399561); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 12 +- STEP_BY= 1 +- ZETA= -3859737 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_95( + __m256i *re) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-3859737); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 14 +- STEP_BY= 1 +- ZETA= -2118186 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b( + __m256i *re) { + for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2118186); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 1 +- ZETA= -2108549 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a( + __m256i *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2108549); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 18 +- STEP_BY= 1 +- ZETA= 2619752 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_e4( + __m256i *re) { + for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)2619752); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 20 +- STEP_BY= 1 +- ZETA= -1119584 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de( + __m256i *re) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-1119584); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 22 +- STEP_BY= 1 +- ZETA= -549488 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_05( + __m256i *re) { + for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-549488); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 1 +- ZETA= 3585928 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d9( + __m256i *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)3585928); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 26 +- STEP_BY= 1 +- ZETA= -1079900 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3a( + __m256i *re) { + for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-1079900); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 1 +- ZETA= 1024112 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b0( + __m256i *re) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)1024112); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 30 +- STEP_BY= 1 +- ZETA= 2725464 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a0( + __m256i *re) { + for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)1U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)2725464); + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_3( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_99(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1c(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_44(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a8(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1f(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_95(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_e4(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_05(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d9(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3a(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b0(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a0(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 2 +- ZETA= 2680103 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_990( + __m256i *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)2U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)2680103); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 4 +- STEP_BY= 2 +- ZETA= 3111497 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b0( + __m256i *re) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)2U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)3111497); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 2 +- ZETA= -2884855 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a80( + __m256i *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)2U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2884855); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 12 +- STEP_BY= 2 +- ZETA= 3119733 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_950( + __m256i *re) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)2U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)3119733); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 2 +- ZETA= -2091905 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a0( + __m256i *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)2U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2091905); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 20 +- STEP_BY= 2 +- ZETA= -359251 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de0( + __m256i *re) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)2U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-359251); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 2 +- ZETA= 2353451 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d90( + __m256i *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)2U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)2353451); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 2 +- ZETA= 1826347 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b1( + __m256i *re) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)2U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)1826347); + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_4( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_990(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b0(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a80(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_950(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a0(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de0(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d90(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b1(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 4 +- ZETA= 466468 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_991( + __m256i *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)4U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)4U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)466468); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 4 +- ZETA= -876248 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a81( + __m256i *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)4U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)4U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-876248); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 4 +- ZETA= -777960 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a1( + __m256i *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)4U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)4U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-777960); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 4 +- ZETA= 237124 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d91( + __m256i *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)4U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)4U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)237124); + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_5( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_991(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a81(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a1(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d91(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 8 +- ZETA= -518909 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_992( + __m256i *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)8U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)8U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-518909); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 8 +- ZETA= -2608894 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a2( + __m256i *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)8U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)8U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2608894); + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_6( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_992(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a2(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 16 +- ZETA= 25847 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_993( + __m256i *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { + size_t j = i; + __m256i rejs = re[j + (size_t)16U]; + __m256i a_minus_b = rejs; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); + re[j + (size_t)16U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)25847); + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_7( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_993(re); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_INVNTT_INVERT_NTT_MONTGOMERY_FACTOR \ + ((int32_t)41978) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(__m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_3(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_4(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_5(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_6(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_7(re); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice((size_t)32U, re, __m256i), + __m256i); + i++) { + size_t i0 = i; + re[i0] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + re[i0], + LIBCRUX_ML_DSA_SIMD_AVX2_INVNTT_INVERT_NTT_MONTGOMERY_FACTOR); + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_ntt_butterfly_2(__m256i a, __m256i b, int32_t zeta_a0, + int32_t zeta_a1, int32_t zeta_a2, + int32_t zeta_a3, int32_t zeta_b0, + int32_t zeta_b1, int32_t zeta_b2, + int32_t zeta_b3) { + __m256i a_shuffled = + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, a, __m256i); + __m256i b_shuffled = + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, b, __m256i); + __m256i summands = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a_shuffled, b_shuffled); + __m256i zeta_products = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a_shuffled, b_shuffled); + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta_b3, zeta_b2, zeta_a3, zeta_a2, zeta_b1, zeta_b0, zeta_a1, zeta_a0); + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&zeta_products, + &zetas); + __m256i sub_terms = summands; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&sub_terms, &zeta_products); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&summands, &zeta_products); + __m256i add_terms = summands; + __m256i a_terms_shuffled = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(add_terms, sub_terms); + __m256i b_terms_shuffled = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(add_terms, sub_terms); + __m256i a_out = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)216, a_terms_shuffled, __m256i); + __m256i b_out = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)216, b_terms_shuffled, __m256i); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(__m256i a, __m256i b, int32_t zeta_a0, + int32_t zeta_a1, int32_t zeta_b0, + int32_t zeta_b1) { + __m256i summands = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a, b); + __m256i zeta_products = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a, b); + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta_b1, zeta_b1, zeta_a1, zeta_a1, zeta_b0, zeta_b0, zeta_a0, zeta_a0); + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&zeta_products, + &zetas); + __m256i sub_terms = summands; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&sub_terms, &zeta_products); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&summands, &zeta_products); + __m256i add_terms = summands; + __m256i a_out = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(add_terms, sub_terms); + __m256i b_out = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(add_terms, sub_terms); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(__m256i a, __m256i b, int32_t zeta0, + int32_t zeta1) { + __m256i summands = libcrux_intrinsics_avx2_mm256_set_m128i( + libcrux_intrinsics_avx2_mm256_castsi256_si128(b), + libcrux_intrinsics_avx2_mm256_castsi256_si128(a)); + __m256i zeta_products = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)19, b, a, __m256i); + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&zeta_products, + &zetas); + __m256i sub_terms = summands; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&sub_terms, &zeta_products); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&summands, &zeta_products); + __m256i add_terms = summands; + __m256i a_out = libcrux_intrinsics_avx2_mm256_set_m128i( + libcrux_intrinsics_avx2_mm256_castsi256_si128(sub_terms), + libcrux_intrinsics_avx2_mm256_castsi256_si128(add_terms)); + __m256i b_out = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)19, sub_terms, add_terms, __m256i); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out}); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7 \ + ((size_t)2U * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + __m256i *re, size_t index, __m256i zeta, size_t step_by, + __m256i field_modulus, __m256i inverse_of_modulus_mod_montgomery_r) { + __m256i prod02 = + libcrux_intrinsics_avx2_mm256_mul_epi32(re[index + step_by], zeta); + __m256i prod13 = libcrux_intrinsics_avx2_mm256_mul_epi32( + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, + re[index + step_by], __m256i), + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, zeta, __m256i)); + __m256i k02 = libcrux_intrinsics_avx2_mm256_mul_epi32( + prod02, inverse_of_modulus_mod_montgomery_r); + __m256i k13 = libcrux_intrinsics_avx2_mm256_mul_epi32( + prod13, inverse_of_modulus_mod_montgomery_r); + __m256i c02 = libcrux_intrinsics_avx2_mm256_mul_epi32(k02, field_modulus); + __m256i c13 = libcrux_intrinsics_avx2_mm256_mul_epi32(k13, field_modulus); + __m256i res02 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod02, c02); + __m256i res13 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod13, c13); + __m256i res02_shifted = + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, res02, __m256i); + __m256i t = libcrux_intrinsics_avx2_mm256_blend_epi32( + (int32_t)170, res02_shifted, res13, __m256i); + re[index + step_by] = re[index]; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&re[index + step_by], &t); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[index], &t); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6 \ + (((size_t)1U << 6U) / LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) + +/** + This is equivalent to the pqclean 0 and 1 + + This does 32 Montgomery multiplications (192 multiplications). + This is the same as in pqclean. The only difference is locality of registers. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6( + __m256i *re) { + __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + __m256i inverse_of_modulus_mod_montgomery_r = + libcrux_intrinsics_avx2_mm256_set1_epi32( + (int32_t) + LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R); + __m256i zeta7 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)25847); + __m256i zeta60 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)-2608894); + __m256i zeta61 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)-518909); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)1U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)2U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)3U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)8U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)8U + (size_t)1U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)8U + (size_t)2U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)8U + (size_t)3U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)1U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)2U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)3U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)16U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)16U + (size_t)1U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)16U + (size_t)2U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)16U + (size_t)3U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)1U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)2U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)3U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)12U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)12U + (size_t)1U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)12U + (size_t)2U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)12U + (size_t)3U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)1U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)2U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)3U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)20U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)20U + (size_t)1U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)20U + (size_t)2U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)20U + (size_t)3U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round +with const generics +- STEP= 32 +- STEP_BY= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(__m256i *re, + size_t index, + int32_t zeta) { + __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); + size_t offset = index * (size_t)32U * (size_t)2U / + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; + for (size_t i = offset; i < offset + (size_t)4U; i++) { + size_t j = i; + __m256i t = re[j + (size_t)4U]; + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&t, &rhs); + re[j + (size_t)4U] = re[j]; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&re[j + (size_t)4U], &t); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &t); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round +with const generics +- STEP= 16 +- STEP_BY= 2 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(__m256i *re, + size_t index, + int32_t zeta) { + __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); + size_t offset = index * (size_t)16U * (size_t)2U / + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; + for (size_t i = offset; i < offset + (size_t)2U; i++) { + size_t j = i; + __m256i t = re[j + (size_t)2U]; + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&t, &rhs); + re[j + (size_t)2U] = re[j]; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&re[j + (size_t)2U], &t); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &t); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round +with const generics +- STEP= 8 +- STEP_BY= 1 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(__m256i *re, + size_t index, + int32_t zeta) { + __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); + size_t offset = index * (size_t)8U * (size_t)2U / + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; + for (size_t i = offset; i < offset + (size_t)1U; i++) { + size_t j = i; + __m256i t = re[j + (size_t)1U]; + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&t, &rhs); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&re[j + (size_t)1U], &t); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &t); + } +} + +/** + Layer 5, 4, 3 + + Each layer does 16 Montgomery multiplications -> 3*16 = 48 total + pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time + (48) +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)0U, + (int32_t)237124); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)1U, + (int32_t)-777960); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)2U, + (int32_t)-876248); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)3U, + (int32_t)466468); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)0U, + (int32_t)1826347); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)1U, + (int32_t)2353451); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)2U, + (int32_t)-359251); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)3U, + (int32_t)-2091905); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)4U, + (int32_t)3119733); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)5U, + (int32_t)-2884855); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)6U, + (int32_t)3111497); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)7U, + (int32_t)2680103); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)0U, + (int32_t)2725464); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)1U, + (int32_t)1024112); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)2U, + (int32_t)-1079900); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)3U, + (int32_t)3585928); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)4U, + (int32_t)-549488); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)5U, + (int32_t)-1119584); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)6U, + (int32_t)2619752); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)7U, + (int32_t)-2108549); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)8U, + (int32_t)-2118186); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)9U, + (int32_t)-3859737); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)10U, + (int32_t)-1399561); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)11U, + (int32_t)-3277672); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)12U, + (int32_t)1757237); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)13U, + (int32_t)-19422); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)14U, + (int32_t)4010497); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)15U, + (int32_t)280005); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8( + re[index], re[index + (size_t)1U], zeta_0, zeta_1); + __m256i a = uu____0.fst; + __m256i b = uu____0.snd; + re[index] = a; + re[index + (size_t)1U] = b; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2(__m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)0U, (int32_t)2706023, (int32_t)95776); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)2U, (int32_t)3077325, (int32_t)3530437); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)4U, (int32_t)-1661693, (int32_t)-3592148); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)6U, (int32_t)-2537516, (int32_t)3915439); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)8U, (int32_t)-3861115, (int32_t)-3043716); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)10U, (int32_t)3574422, (int32_t)-2867647); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)12U, (int32_t)3539968, (int32_t)-300467); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)14U, (int32_t)2348700, (int32_t)-539299); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)16U, (int32_t)-1699267, (int32_t)-1643818); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)18U, (int32_t)3505694, (int32_t)-3821735); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)20U, (int32_t)3507263, (int32_t)-2140649); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)22U, (int32_t)-1600420, (int32_t)3699596); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)24U, (int32_t)811944, (int32_t)531354); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)26U, (int32_t)954230, (int32_t)3881043); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)28U, (int32_t)3900724, (int32_t)-2556880); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)30U, (int32_t)2071892, (int32_t)-2797779); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1, int32_t zeta_2, + int32_t zeta_3) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4( + re[index], re[index + (size_t)1U], zeta_0, zeta_1, zeta_2, zeta_3); + __m256i a = uu____0.fst; + __m256i b = uu____0.snd; + re[index] = a; + re[index + (size_t)1U] = b; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1(__m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)0U, (int32_t)-3930395, (int32_t)-1528703, (int32_t)-3677745, + (int32_t)-3041255); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)2U, (int32_t)-1452451, (int32_t)3475950, (int32_t)2176455, + (int32_t)-1585221); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)4U, (int32_t)-1257611, (int32_t)1939314, (int32_t)-4083598, + (int32_t)-1000202); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)6U, (int32_t)-3190144, (int32_t)-3157330, (int32_t)-3632928, + (int32_t)126922); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)8U, (int32_t)3412210, (int32_t)-983419, (int32_t)2147896, + (int32_t)2715295); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)10U, (int32_t)-2967645, (int32_t)-3693493, (int32_t)-411027, + (int32_t)-2477047); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)12U, (int32_t)-671102, (int32_t)-1228525, (int32_t)-22981, + (int32_t)-1308169); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)14U, (int32_t)-381987, (int32_t)1349076, (int32_t)1852771, + (int32_t)-1430430); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)16U, (int32_t)-3343383, (int32_t)264944, (int32_t)508951, + (int32_t)3097992); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)18U, (int32_t)44288, (int32_t)-1100098, (int32_t)904516, + (int32_t)3958618); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)20U, (int32_t)-3724342, (int32_t)-8578, (int32_t)1653064, + (int32_t)-3249728); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)22U, (int32_t)2389356, (int32_t)-210977, (int32_t)759969, + (int32_t)-1316856); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)24U, (int32_t)189548, (int32_t)-3553272, (int32_t)3159746, + (int32_t)-1851402); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)26U, (int32_t)-2409325, (int32_t)-177440, (int32_t)1315589, + (int32_t)1341330); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)28U, (int32_t)1285669, (int32_t)-1584928, (int32_t)-812732, + (int32_t)-1439742); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)30U, (int32_t)-3019102, (int32_t)-3881060, (int32_t)-3628969, + (int32_t)3839961); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1, int32_t zeta_2, + int32_t zeta_3, int32_t zeta_4, int32_t zeta_5, int32_t zeta_6, + int32_t zeta_7) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re[index], re[index + (size_t)1U], zeta_0, zeta_1, zeta_2, zeta_3, + zeta_4, zeta_5, zeta_6, zeta_7); + __m256i a = uu____0.fst; + __m256i b = uu____0.snd; + re[index] = a; + re[index + (size_t)1U] = b; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0(__m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)0U, (int32_t)2091667, (int32_t)3407706, (int32_t)2316500, + (int32_t)3817976, (int32_t)-3342478, (int32_t)2244091, (int32_t)-2446433, + (int32_t)-3562462); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)2U, (int32_t)266997, (int32_t)2434439, (int32_t)-1235728, + (int32_t)3513181, (int32_t)-3520352, (int32_t)-3759364, (int32_t)-1197226, + (int32_t)-3193378); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)4U, (int32_t)900702, (int32_t)1859098, (int32_t)909542, + (int32_t)819034, (int32_t)495491, (int32_t)-1613174, (int32_t)-43260, + (int32_t)-522500); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)6U, (int32_t)-655327, (int32_t)-3122442, (int32_t)2031748, + (int32_t)3207046, (int32_t)-3556995, (int32_t)-525098, (int32_t)-768622, + (int32_t)-3595838); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)8U, (int32_t)342297, (int32_t)286988, (int32_t)-2437823, + (int32_t)4108315, (int32_t)3437287, (int32_t)-3342277, (int32_t)1735879, + (int32_t)203044); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)10U, (int32_t)2842341, (int32_t)2691481, (int32_t)-2590150, + (int32_t)1265009, (int32_t)4055324, (int32_t)1247620, (int32_t)2486353, + (int32_t)1595974); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)12U, (int32_t)-3767016, (int32_t)1250494, (int32_t)2635921, + (int32_t)-3548272, (int32_t)-2994039, (int32_t)1869119, (int32_t)1903435, + (int32_t)-1050970); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)14U, (int32_t)-1333058, (int32_t)1237275, (int32_t)-3318210, + (int32_t)-1430225, (int32_t)-451100, (int32_t)1312455, (int32_t)3306115, + (int32_t)-1962642); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)16U, (int32_t)-1279661, (int32_t)1917081, (int32_t)-2546312, + (int32_t)-1374803, (int32_t)1500165, (int32_t)777191, (int32_t)2235880, + (int32_t)3406031); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)18U, (int32_t)-542412, (int32_t)-2831860, (int32_t)-1671176, + (int32_t)-1846953, (int32_t)-2584293, (int32_t)-3724270, (int32_t)594136, + (int32_t)-3776993); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)20U, (int32_t)-2013608, (int32_t)2432395, (int32_t)2454455, + (int32_t)-164721, (int32_t)1957272, (int32_t)3369112, (int32_t)185531, + (int32_t)-1207385); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)22U, (int32_t)-3183426, (int32_t)162844, (int32_t)1616392, + (int32_t)3014001, (int32_t)810149, (int32_t)1652634, (int32_t)-3694233, + (int32_t)-1799107); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)24U, (int32_t)-3038916, (int32_t)3523897, (int32_t)3866901, + (int32_t)269760, (int32_t)2213111, (int32_t)-975884, (int32_t)1717735, + (int32_t)472078); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)26U, (int32_t)-426683, (int32_t)1723600, (int32_t)-1803090, + (int32_t)1910376, (int32_t)-1667432, (int32_t)-1104333, (int32_t)-260646, + (int32_t)-3833893); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)28U, (int32_t)-2939036, (int32_t)-2235985, (int32_t)-420899, + (int32_t)-2286327, (int32_t)183443, (int32_t)-976891, (int32_t)1612842, + (int32_t)-3545687); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)30U, (int32_t)-554416, (int32_t)3919660, (int32_t)-48306, + (int32_t)-1362209, (int32_t)3937738, (int32_t)1400424, (int32_t)-846154, + (int32_t)1976782); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt(__m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6(re); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3(re); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2(re); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1(re); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0(re); +} + +static const uint8_t + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE + [16U][16U] = {{255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, + 255U, 255U, 255U}, + {12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, + 255U, 255U, 255U}, + {8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, + 255U, 255U, 255U, 255U}, + {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, + 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, + 13U, 14U, 15U}}; + +#define LIBCRUX_ML_DSA_SIMD_AVX2_REJECTION_SAMPLE_LESS_THAN_FIELD_MODULUS_BYTESTREAM_TO_POTENTIAL_COEFFICIENTS_COEFFICIENT_MASK \ + (((int32_t)1 << 23U) - (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_bytestream_to_potential_coefficients( + Eurydice_slice serialized) { + uint8_t serialized_extended[32U] = {0U}; + Eurydice_slice uu____0 = Eurydice_array_to_subslice_to( + (size_t)32U, serialized_extended, (size_t)24U, uint8_t, size_t); + Eurydice_slice_copy(uu____0, serialized, uint8_t); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_array_to_slice((size_t)32U, serialized_extended, uint8_t)); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)5, (int32_t)4, (int32_t)3, + (int32_t)0, (int32_t)2, (int32_t)1, (int32_t)0)); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + coefficients0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)8, + (int8_t)7, (int8_t)6, (int8_t)-1, (int8_t)5, (int8_t)4, (int8_t)3, + (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)0, (int8_t)-1, (int8_t)11, + (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, + (int8_t)-1, (int8_t)5, (int8_t)4, (int8_t)3, (int8_t)-1, (int8_t)2, + (int8_t)1, (int8_t)0)); + return libcrux_intrinsics_avx2_mm256_and_si256( + coefficients1, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_REJECTION_SAMPLE_LESS_THAN_FIELD_MODULUS_BYTESTREAM_TO_POTENTIAL_COEFFICIENTS_COEFFICIENT_MASK)); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_sample( + Eurydice_slice input, Eurydice_slice output) { + __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + __m256i potential_coefficients = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_bytestream_to_potential_coefficients( + input); + __m256i compare_with_field_modulus = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32(field_modulus, + potential_coefficients); + int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( + libcrux_intrinsics_avx2_mm256_castsi256_ps(compare_with_field_modulus)); + int32_t good_lower_half = good & (int32_t)15; + int32_t good_upper_half = good >> 4U; + uint8_t lower_shuffles[16U]; + memcpy(lower_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_lower_half], + (size_t)16U * sizeof(uint8_t)); + __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); + __m128i lower_coefficients = + libcrux_intrinsics_avx2_mm256_castsi256_si128(potential_coefficients); + __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients, lower_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), + lower_coefficients0); + size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); + uint8_t upper_shuffles[16U]; + memcpy(upper_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_upper_half], + (size_t)16U * sizeof(uint8_t)); + __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, potential_coefficients, __m128i); + __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients, upper_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, sampled_count, + sampled_count + (size_t)4U, int32_t), + upper_coefficients0); + size_t uu____0 = sampled_count; + return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline bool +libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_is_bit_set( + size_t number, uint8_t bit_position) { + return (number & (size_t)1U << (uint32_t)bit_position) >> + (uint32_t)bit_position == + (size_t)1U; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void +libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_generate_shuffle_table( + uint8_t ret[16U][16U]) { + uint8_t byte_shuffles[16U][16U] = { + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}}; + for (size_t i0 = (size_t)0U; i0 < (size_t)1U << 4U; i0++) { + size_t bit_pattern = i0; + size_t byte_shuffles_index = (size_t)0U; + for (uint8_t i = 0U; i < 4U; i = (uint32_t)i + 1U) { + uint8_t bit_position = i; + if (libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_is_bit_set( + bit_pattern, bit_position)) { + byte_shuffles[bit_pattern][byte_shuffles_index] = + (uint32_t)bit_position * 4U; + byte_shuffles_index++; + byte_shuffles[bit_pattern][byte_shuffles_index] = + (uint32_t)bit_position * 4U + 1U; + byte_shuffles_index++; + byte_shuffles[bit_pattern][byte_shuffles_index] = + (uint32_t)bit_position * 4U + 2U; + byte_shuffles_index++; + byte_shuffles[bit_pattern][byte_shuffles_index] = + (uint32_t)bit_position * 4U + 3U; + byte_shuffles_index++; + } } } + memcpy(ret, byte_shuffles, (size_t)16U * sizeof(uint8_t[16U])); } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_commitment_serialize_a2( - __m256i simd_unit, Eurydice_slice serialized) { - libcrux_ml_dsa_simd_avx2_encoding_commitment_serialize(simd_unit, serialized); -} - -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \ - ((int32_t)2) - KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_2( - __m256i simd_unit, Eurydice_slice out) { - uint8_t serialized[16U] = {0U}; - __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA), - simd_unit); - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( - simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)29, (int32_t)0, (int32_t)29, - (int32_t)0, (int32_t)29, (int32_t)0, (int32_t)29)); - __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)29, adjacent_2_combined, __m256i); - __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - adjacent_2_combined0, - libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)8, (int8_t)-1, (int8_t)0, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)8, (int8_t)-1, - (int8_t)0)); - __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_madd_epi16( - adjacent_4_combined, - libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, - (int16_t)0, (int16_t)1 << 6U, (int16_t)1, (int16_t)0, (int16_t)0, - (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)1 << 6U, - (int16_t)1)); - __m256i adjacent_6_combined = - libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( - adjacent_4_combined0, - libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, - (int32_t)0, (int32_t)4, (int32_t)0)); - __m128i adjacent_6_combined0 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_6_combined); - __m128i adjacent_6_combined1 = libcrux_intrinsics_avx2_mm_sllv_epi32( - adjacent_6_combined0, - libcrux_intrinsics_avx2_mm_set_epi32((int32_t)0, (int32_t)0, (int32_t)0, - (int32_t)20)); - __m128i adjacent_6_combined2 = libcrux_intrinsics_avx2_mm_srli_epi64( - (int32_t)20, adjacent_6_combined1, __m128i); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), - adjacent_6_combined2); - Eurydice_slice uu____0 = out; - Eurydice_slice_copy( - uu____0, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)3U, uint8_t), - uint8_t); +static inline __m256i +libcrux_ml_dsa_simd_avx2_vector_type_from_coefficient_array( + Eurydice_slice coefficient_array) { + return libcrux_intrinsics_avx2_mm256_loadu_si256_i32(coefficient_array); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \ - ((int32_t)4) - KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_4( - __m256i simd_unit, Eurydice_slice out) { - uint8_t serialized[16U] = {0U}; - __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA), - simd_unit); - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( - simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28, - (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28)); - __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)28, adjacent_2_combined, __m256i); - __m256i adjacent_4_combined = - libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( - adjacent_2_combined0, - libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, - (int32_t)2, (int32_t)4, (int32_t)0)); - __m128i adjacent_4_combined0 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); - __m128i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - adjacent_4_combined0, libcrux_intrinsics_avx2_mm_set_epi8( - 240U, 240U, 240U, 240U, 240U, 240U, 240U, 240U, - 240U, 240U, 240U, 240U, 12U, 4U, 8U, 0U)); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), - adjacent_4_combined1); - Eurydice_slice uu____0 = out; - Eurydice_slice_copy( - uu____0, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)4U, uint8_t), - uint8_t); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(__m256i simd_unit) { - __m256i interval_end = libcrux_intrinsics_avx2_mm256_set1_epi32( - (int32_t)1 - << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - - (size_t)1U)); - return libcrux_intrinsics_avx2_mm256_sub_epi32(interval_end, simd_unit); +libcrux_ml_dsa_simd_avx2_vector_type_to_coefficient_array(__m256i *value, + Eurydice_slice out) { + libcrux_intrinsics_avx2_mm256_storeu_si256_i32(out, value[0U]); } +/** +This function found in impl {(core::clone::Clone for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t0_serialize( - __m256i simd_unit, uint8_t ret[13U]) { - uint8_t serialized[16U] = {0U}; - __m256i simd_unit0 = - libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(simd_unit); - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( - simd_unit0, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)19, (int32_t)0, (int32_t)19, - (int32_t)0, (int32_t)19, (int32_t)0, (int32_t)19)); - __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)19, adjacent_2_combined, __m256i); - __m256i adjacent_4_combined = - libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( - adjacent_2_combined0, - libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, - (int32_t)4, (int32_t)2, (int32_t)0)); - __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_sllv_epi32( - adjacent_4_combined, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)6, (int32_t)0, (int32_t)6, - (int32_t)0, (int32_t)6, (int32_t)0, (int32_t)6)); - __m256i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)6, adjacent_4_combined0, __m256i); - __m256i second_4_combined = libcrux_intrinsics_avx2_mm256_bsrli_epi128( - (int32_t)8, adjacent_4_combined1, __m256i); - __m256i least_12_bits_shifted_up = libcrux_intrinsics_avx2_mm256_slli_epi64( - (int32_t)52, second_4_combined, __m256i); - __m256i bits_sequential = libcrux_intrinsics_avx2_mm256_add_epi64( - adjacent_4_combined1, least_12_bits_shifted_up); - __m256i bits_sequential0 = libcrux_intrinsics_avx2_mm256_srlv_epi64( - bits_sequential, libcrux_intrinsics_avx2_mm256_set_epi64x( - (int64_t)0, (int64_t)0, (int64_t)12, (int64_t)0)); - __m128i bits_sequential1 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(bits_sequential0); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_slice((size_t)16U, serialized, uint8_t), - bits_sequential1); - uint8_t ret0[13U]; - Result_b0 dst; - Eurydice_slice_to_array2( - &dst, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)13U, uint8_t), - Eurydice_slice, uint8_t[13U]); - unwrap_26_23(dst, ret0); - memcpy(ret, ret0, (size_t)13U * sizeof(uint8_t)); -} +static inline void libcrux_ml_dsa_simd_avx2_vector_type_clone_ca(void **self) {} /** This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t0_serialize_a2( - __m256i simd_unit, uint8_t ret[13U]) { - libcrux_ml_dsa_simd_avx2_encoding_t0_serialize(simd_unit, ret); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_add_a2(__m256i *lhs, + __m256i *rhs) { + libcrux_ml_dsa_simd_avx2_arithmetic_add(lhs, rhs); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T0_DESERIALIZE_COEFFICIENT_MASK \ - (((int32_t)1 << 13U) - (int32_t)1) - +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_encoding_t0_deserialize(Eurydice_slice serialized) { - uint8_t serialized_extended[16U] = {0U}; - Eurydice_slice_copy( - Eurydice_array_to_subslice2(serialized_extended, (size_t)0U, (size_t)13U, - uint8_t), - serialized, uint8_t); - __m128i serialized0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, serialized_extended, uint8_t)); - __m256i serialized1 = - libcrux_intrinsics_avx2_mm256_set_m128i(serialized0, serialized0); - __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - serialized1, - libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)-1, (int8_t)12, (int8_t)11, (int8_t)-1, - (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)-1, (int8_t)9, - (int8_t)8, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1, - (int8_t)6, (int8_t)5, (int8_t)4, (int8_t)-1, (int8_t)-1, (int8_t)4, - (int8_t)3, (int8_t)-1, (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)-1, - (int8_t)-1, (int8_t)1, (int8_t)0)); - __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( - coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)3, (int32_t)6, (int32_t)1, (int32_t)4, - (int32_t)7, (int32_t)2, (int32_t)5, (int32_t)0)); - __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256( - coefficients0, - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T0_DESERIALIZE_COEFFICIENT_MASK)); - return libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(coefficients1); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_commitment_serialize_a2( + __m256i *simd_unit, Eurydice_slice serialized) { + libcrux_ml_dsa_simd_avx2_encoding_commitment_serialize(simd_unit, serialized); } /** @@ -1393,51 +3335,21 @@ libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_t0_deserialize_a2(Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_avx2_encoding_t0_deserialize(serialized); +libcrux_ml_dsa_simd_avx2_from_coefficient_array_a2( + Eurydice_slice coefficient_array) { + return libcrux_ml_dsa_simd_avx2_vector_type_from_coefficient_array( + coefficient_array); } -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t1_serialize( - __m256i simd_unit, uint8_t ret[10U]) { - uint8_t serialized[24U] = {0U}; - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( - simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)22, (int32_t)0, (int32_t)22, - (int32_t)0, (int32_t)22, (int32_t)0, (int32_t)22)); - __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)22, adjacent_2_combined, __m256i); - __m256i adjacent_4_combined = - libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( - adjacent_2_combined0, - libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)0, (int32_t)6, (int32_t)4, (int32_t)0, - (int32_t)0, (int32_t)2, (int32_t)0)); - __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_sllv_epi32( - adjacent_4_combined, - libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12, (int32_t)0, - (int32_t)12, (int32_t)0, (int32_t)12)); - __m256i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)12, adjacent_4_combined0, __m256i); - __m128i lower_4 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined1); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), - lower_4); - __m128i upper_4 = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, adjacent_4_combined1, __m128i); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)5U, (size_t)21U, uint8_t), - upper_4); - uint8_t ret0[10U]; - Result_9d dst; - Eurydice_slice_to_array2( - &dst, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)10U, uint8_t), - Eurydice_slice, uint8_t[10U]); - unwrap_26_ce(dst, ret0); - memcpy(ret, ret0, (size_t)10U * sizeof(uint8_t)); +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE bool libcrux_ml_dsa_simd_avx2_infinity_norm_exceeds_a2( + __m256i *simd_unit, int32_t bound) { + return libcrux_ml_dsa_simd_avx2_arithmetic_infinity_norm_exceeds(simd_unit, + bound); } /** @@ -1445,42 +3357,19 @@ This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t1_serialize_a2( - __m256i simd_unit, uint8_t ret[10U]) { - libcrux_ml_dsa_simd_avx2_encoding_t1_serialize(simd_unit, ret); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_a2( + __m256i *simd_units) { + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(simd_units); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T1_DESERIALIZE_COEFFICIENT_MASK \ - (((int32_t)1 << 10U) - (int32_t)1) - +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_encoding_t1_deserialize(Eurydice_slice bytes) { - uint8_t bytes_extended[16U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_subslice2(bytes_extended, (size_t)0U, - (size_t)10U, uint8_t), - bytes, uint8_t); - __m128i bytes_loaded = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, bytes_extended, uint8_t)); - __m256i bytes_loaded0 = - libcrux_intrinsics_avx2_mm256_set_m128i(bytes_loaded, bytes_loaded); - __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - bytes_loaded0, - libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)-1, (int8_t)-1, - (int8_t)8, (int8_t)7, (int8_t)-1, (int8_t)-1, (int8_t)7, (int8_t)6, - (int8_t)-1, (int8_t)-1, (int8_t)6, (int8_t)5, (int8_t)-1, (int8_t)-1, - (int8_t)4, (int8_t)3, (int8_t)-1, (int8_t)-1, (int8_t)3, (int8_t)2, - (int8_t)-1, (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)-1, (int8_t)-1, - (int8_t)1, (int8_t)0)); - __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( - coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0, - (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0)); - return libcrux_intrinsics_avx2_mm256_and_si256( - coefficients0, - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T1_DESERIALIZE_COEFFICIENT_MASK)); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_montgomery_multiply_a2( + __m256i *lhs, __m256i *rhs) { + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(lhs, rhs); } /** @@ -1488,620 +3377,289 @@ This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_t1_deserialize_a2(Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_avx2_encoding_t1_deserialize(serialized); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_a2( + __m256i *simd_units) { + libcrux_ml_dsa_simd_avx2_ntt_ntt(simd_units); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7 \ - ((size_t)2U * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) - +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - __m256i *re, size_t index, __m256i zeta, size_t step_by, - __m256i field_modulus, __m256i inverse_of_modulus_mod_montgomery_r) { - __m256i prod02 = - libcrux_intrinsics_avx2_mm256_mul_epi32(re[index + step_by], zeta); - __m256i prod13 = libcrux_intrinsics_avx2_mm256_mul_epi32( - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, - re[index + step_by], __m256i), - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, zeta, __m256i)); - __m256i k02 = libcrux_intrinsics_avx2_mm256_mul_epi32( - prod02, inverse_of_modulus_mod_montgomery_r); - __m256i k13 = libcrux_intrinsics_avx2_mm256_mul_epi32( - prod13, inverse_of_modulus_mod_montgomery_r); - __m256i c02 = libcrux_intrinsics_avx2_mm256_mul_epi32(k02, field_modulus); - __m256i c13 = libcrux_intrinsics_avx2_mm256_mul_epi32(k13, field_modulus); - __m256i res02 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod02, c02); - __m256i res13 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod13, c13); - __m256i res02_shifted = - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, res02, __m256i); - __m256i t = libcrux_intrinsics_avx2_mm256_blend_epi32( - (int32_t)170, res02_shifted, res13, __m256i); - re[index + step_by] = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[index], t); - re[index] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[index], t); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_power2round_a2( + __m256i *t0, __m256i *t1) { + libcrux_ml_dsa_simd_avx2_arithmetic_power2round(t0, t1); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6 \ - (((size_t)1U << 6U) / LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) - /** - This is equivalent to the pqclean 0 and 1 - - This does 32 Montgomery multiplications (192 multiplications). - This is the same as in pqclean. The only difference is locality of registers. +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.encoding.error.deserialize_to_unsigned with const +generics +- ETA= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6( - __m256i *re) { - __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); - __m256i inverse_of_modulus_mod_montgomery_r = - libcrux_intrinsics_avx2_mm256_set1_epi32( - (int32_t) - LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R); - __m256i zeta7 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)25847); - __m256i zeta60 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)-2608894); - __m256i zeta61 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)-518909); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U + (size_t)1U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U + (size_t)2U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U + (size_t)3U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)8U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)8U + (size_t)1U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)8U + (size_t)2U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)8U + (size_t)3U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U + (size_t)1U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U + (size_t)2U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U + (size_t)3U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)16U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)16U + (size_t)1U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)16U + (size_t)2U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)16U + (size_t)3U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U + (size_t)1U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U + (size_t)2U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U + (size_t)3U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)12U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)12U + (size_t)1U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)12U + (size_t)2U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)12U + (size_t)3U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U + (size_t)1U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U + (size_t)2U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U + (size_t)3U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)20U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)20U + (size_t)1U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)20U + (size_t)2U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)20U + (size_t)3U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac( + Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_4( + serialized); } /** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round -with const generics -- STEP= 32 -- STEP_BY= 4 +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.shift_interval with +const generics +- ETA= 2 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(__m256i *re, - size_t index, - int32_t zeta) { - __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); - size_t offset = index * (size_t)32U * (size_t)2U / - LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; - for (size_t i = offset; i < offset + (size_t)4U; i++) { - size_t j = i; - __m256i t = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( - re[j + (size_t)4U], rhs); - re[j + (size_t)4U] = libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j], t); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], t); - } +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_fd( + __m256i coefficients) { + __m256i uu____0; + __m256i quotient = libcrux_intrinsics_avx2_mm256_mullo_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)26)); + __m256i quotient0 = + libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)7, quotient, __m256i); + __m256i quotient1 = libcrux_intrinsics_avx2_mm256_mullo_epi32( + quotient0, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)5)); + __m256i coefficients_mod_5 = + libcrux_intrinsics_avx2_mm256_sub_epi32(coefficients, quotient1); + uu____0 = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)2U), + coefficients_mod_5); + return uu____0; } /** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round -with const generics -- STEP= 16 -- STEP_BY= 2 +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.sample with const +generics +- ETA= 2 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(__m256i *re, - size_t index, - int32_t zeta) { - __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); - size_t offset = index * (size_t)16U * (size_t)2U / - LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; - for (size_t i = offset; i < offset + (size_t)2U; i++) { - size_t j = i; - __m256i t = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( - re[j + (size_t)2U], rhs); - re[j + (size_t)2U] = libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j], t); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], t); - } +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_fd( + Eurydice_slice input, Eurydice_slice output) { + __m256i potential_coefficients = + libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac(input); + int32_t interval_boundary; + interval_boundary = (int32_t)15; + __m256i compare_with_interval_boundary = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32(interval_boundary), + potential_coefficients); + int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( + libcrux_intrinsics_avx2_mm256_castsi256_ps( + compare_with_interval_boundary)); + int32_t good_lower_half = good & (int32_t)15; + int32_t good_upper_half = good >> 4U; + __m256i shifted = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_fd( + potential_coefficients); + uint8_t lower_shuffles[16U]; + memcpy(lower_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_lower_half], + (size_t)16U * sizeof(uint8_t)); + __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); + __m128i lower_coefficients = + libcrux_intrinsics_avx2_mm256_castsi256_si128(shifted); + __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients, lower_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), + lower_coefficients0); + size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); + uint8_t upper_shuffles[16U]; + memcpy(upper_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_upper_half], + (size_t)16U * sizeof(uint8_t)); + __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, shifted, __m128i); + __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients, upper_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, sampled_count, + sampled_count + (size_t)4U, int32_t), + upper_coefficients0); + size_t uu____0 = sampled_count; + return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); } /** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round -with const generics -- STEP= 8 -- STEP_BY= 1 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(__m256i *re, - size_t index, - int32_t zeta) { - __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); - size_t offset = index * (size_t)8U * (size_t)2U / - LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; - for (size_t i = offset; i < offset + (size_t)1U; i++) { - size_t j = i; - __m256i t = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( - re[j + (size_t)1U], rhs); - re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j], t); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], t); - } +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_2_a2( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_fd( + randomness, out); } /** - Layer 5, 4, 3 - - Each layer does 16 Montgomery multiplications -> 3*16 = 48 total - pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time - (48) +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.shift_interval with +const generics +- ETA= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3( - __m256i *re) { - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)0U, - (int32_t)237124); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)1U, - (int32_t)-777960); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)2U, - (int32_t)-876248); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)3U, - (int32_t)466468); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)0U, - (int32_t)1826347); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)1U, - (int32_t)2353451); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)2U, - (int32_t)-359251); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)3U, - (int32_t)-2091905); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)4U, - (int32_t)3119733); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)5U, - (int32_t)-2884855); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)6U, - (int32_t)3111497); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)7U, - (int32_t)2680103); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)0U, - (int32_t)2725464); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)1U, - (int32_t)1024112); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)2U, - (int32_t)-1079900); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)3U, - (int32_t)3585928); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)4U, - (int32_t)-549488); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)5U, - (int32_t)-1119584); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)6U, - (int32_t)2619752); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)7U, - (int32_t)-2108549); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)8U, - (int32_t)-2118186); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)9U, - (int32_t)-3859737); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)10U, - (int32_t)-1399561); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)11U, - (int32_t)-3277672); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)12U, - (int32_t)1757237); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)13U, - (int32_t)-19422); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)14U, - (int32_t)4010497); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)15U, - (int32_t)280005); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 -libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(__m256i a, __m256i b, int32_t zeta0, - int32_t zeta1) { - __m256i summands = libcrux_intrinsics_avx2_mm256_set_m128i( - libcrux_intrinsics_avx2_mm256_castsi256_si128(b), - libcrux_intrinsics_avx2_mm256_castsi256_si128(a)); - __m256i zeta_multiplicands = libcrux_intrinsics_avx2_mm256_permute2x128_si256( - (int32_t)19, b, a, __m256i); - __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( - zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); - __m256i zeta_products = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( - zeta_multiplicands, zetas); - __m256i add_terms = - libcrux_ml_dsa_simd_avx2_arithmetic_add(summands, zeta_products); - __m256i sub_terms = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(summands, zeta_products); - __m256i a_out = libcrux_intrinsics_avx2_mm256_set_m128i( - libcrux_intrinsics_avx2_mm256_castsi256_si128(sub_terms), - libcrux_intrinsics_avx2_mm256_castsi256_si128(add_terms)); - __m256i b_out = libcrux_intrinsics_avx2_mm256_permute2x128_si256( - (int32_t)19, sub_terms, add_terms, __m256i); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out}); +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_ac( + __m256i coefficients) { + return libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)4U), + coefficients); } +/** +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.sample with const +generics +- ETA= 4 +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1) { - core_core_arch_x86___m256i_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_ntt_butterfly_8( - re[index], re[index + (size_t)1U], zeta_0, zeta_1); - __m256i a = uu____0.fst; - __m256i b = uu____0.snd; - re[index] = a; - re[index + (size_t)1U] = b; +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_ac( + Eurydice_slice input, Eurydice_slice output) { + __m256i potential_coefficients = + libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac(input); + int32_t interval_boundary; + interval_boundary = (int32_t)9; + __m256i compare_with_interval_boundary = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32(interval_boundary), + potential_coefficients); + int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( + libcrux_intrinsics_avx2_mm256_castsi256_ps( + compare_with_interval_boundary)); + int32_t good_lower_half = good & (int32_t)15; + int32_t good_upper_half = good >> 4U; + __m256i shifted = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_ac( + potential_coefficients); + uint8_t lower_shuffles[16U]; + memcpy(lower_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_lower_half], + (size_t)16U * sizeof(uint8_t)); + __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); + __m128i lower_coefficients = + libcrux_intrinsics_avx2_mm256_castsi256_si128(shifted); + __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients, lower_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), + lower_coefficients0); + size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); + uint8_t upper_shuffles[16U]; + memcpy(upper_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_upper_half], + (size_t)16U * sizeof(uint8_t)); + __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, shifted, __m128i); + __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients, upper_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, sampled_count, + sampled_count + (size_t)4U, int32_t), + upper_coefficients0); + size_t uu____0 = sampled_count; + return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); } +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2(__m256i *re) { - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)0U, (int32_t)2706023, (int32_t)95776); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)2U, (int32_t)3077325, (int32_t)3530437); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)4U, (int32_t)-1661693, (int32_t)-3592148); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)6U, (int32_t)-2537516, (int32_t)3915439); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)8U, (int32_t)-3861115, (int32_t)-3043716); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)10U, (int32_t)3574422, (int32_t)-2867647); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)12U, (int32_t)3539968, (int32_t)-300467); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)14U, (int32_t)2348700, (int32_t)-539299); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)16U, (int32_t)-1699267, (int32_t)-1643818); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)18U, (int32_t)3505694, (int32_t)-3821735); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)20U, (int32_t)3507263, (int32_t)-2140649); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)22U, (int32_t)-1600420, (int32_t)3699596); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)24U, (int32_t)811944, (int32_t)531354); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)26U, (int32_t)954230, (int32_t)3881043); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)28U, (int32_t)3900724, (int32_t)-2556880); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)30U, (int32_t)2071892, (int32_t)-2797779); +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_a2( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_ac( + randomness, out); } +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 -libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(__m256i a, __m256i b, int32_t zeta_a0, - int32_t zeta_a1, int32_t zeta_b0, - int32_t zeta_b1) { - __m256i summands = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a, b); - __m256i zeta_multiplicands = - libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a, b); - __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( - zeta_b1, zeta_b1, zeta_a1, zeta_a1, zeta_b0, zeta_b0, zeta_a0, zeta_a0); - __m256i zeta_products = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( - zeta_multiplicands, zetas); - __m256i add_terms = - libcrux_ml_dsa_simd_avx2_arithmetic_add(summands, zeta_products); - __m256i sub_terms = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(summands, zeta_products); - __m256i a_out = - libcrux_intrinsics_avx2_mm256_unpacklo_epi64(add_terms, sub_terms); - __m256i b_out = - libcrux_intrinsics_avx2_mm256_unpackhi_epi64(add_terms, sub_terms); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out}); +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_a2( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_sample( + randomness, out); } +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1, int32_t zeta_2, - int32_t zeta_3) { - core_core_arch_x86___m256i_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_ntt_butterfly_4( - re[index], re[index + (size_t)1U], zeta_0, zeta_1, zeta_2, zeta_3); - __m256i a = uu____0.fst; - __m256i b = uu____0.snd; - re[index] = a; - re[index + (size_t)1U] = b; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_subtract_a2(__m256i *lhs, + __m256i *rhs) { + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(lhs, rhs); } +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1(__m256i *re) { - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)0U, (int32_t)-3930395, (int32_t)-1528703, (int32_t)-3677745, - (int32_t)-3041255); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)2U, (int32_t)-1452451, (int32_t)3475950, (int32_t)2176455, - (int32_t)-1585221); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)4U, (int32_t)-1257611, (int32_t)1939314, (int32_t)-4083598, - (int32_t)-1000202); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)6U, (int32_t)-3190144, (int32_t)-3157330, (int32_t)-3632928, - (int32_t)126922); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)8U, (int32_t)3412210, (int32_t)-983419, (int32_t)2147896, - (int32_t)2715295); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)10U, (int32_t)-2967645, (int32_t)-3693493, (int32_t)-411027, - (int32_t)-2477047); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)12U, (int32_t)-671102, (int32_t)-1228525, (int32_t)-22981, - (int32_t)-1308169); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)14U, (int32_t)-381987, (int32_t)1349076, (int32_t)1852771, - (int32_t)-1430430); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)16U, (int32_t)-3343383, (int32_t)264944, (int32_t)508951, - (int32_t)3097992); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)18U, (int32_t)44288, (int32_t)-1100098, (int32_t)904516, - (int32_t)3958618); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)20U, (int32_t)-3724342, (int32_t)-8578, (int32_t)1653064, - (int32_t)-3249728); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)22U, (int32_t)2389356, (int32_t)-210977, (int32_t)759969, - (int32_t)-1316856); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)24U, (int32_t)189548, (int32_t)-3553272, (int32_t)3159746, - (int32_t)-1851402); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)26U, (int32_t)-2409325, (int32_t)-177440, (int32_t)1315589, - (int32_t)1341330); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)28U, (int32_t)1285669, (int32_t)-1584928, (int32_t)-812732, - (int32_t)-1439742); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)30U, (int32_t)-3019102, (int32_t)-3881060, (int32_t)-3628969, - (int32_t)3839961); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t0_deserialize_a2( + Eurydice_slice serialized, __m256i *out) { + libcrux_ml_dsa_simd_avx2_encoding_t0_deserialize(serialized, out); } +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 -libcrux_ml_dsa_simd_avx2_ntt_butterfly_2(__m256i a, __m256i b, int32_t zeta_a0, - int32_t zeta_a1, int32_t zeta_a2, - int32_t zeta_a3, int32_t zeta_b0, - int32_t zeta_b1, int32_t zeta_b2, - int32_t zeta_b3) { - __m256i a_shuffled = - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, a, __m256i); - __m256i b_shuffled = - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, b, __m256i); - __m256i summands = - libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a_shuffled, b_shuffled); - __m256i zeta_multiplicands = - libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a_shuffled, b_shuffled); - __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( - zeta_b3, zeta_b2, zeta_a3, zeta_a2, zeta_b1, zeta_b0, zeta_a1, zeta_a0); - __m256i zeta_products = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( - zeta_multiplicands, zetas); - __m256i add_terms = - libcrux_ml_dsa_simd_avx2_arithmetic_add(summands, zeta_products); - __m256i sub_terms = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(summands, zeta_products); - __m256i a_terms_shuffled = - libcrux_intrinsics_avx2_mm256_unpacklo_epi64(add_terms, sub_terms); - __m256i b_terms_shuffled = - libcrux_intrinsics_avx2_mm256_unpackhi_epi64(add_terms, sub_terms); - __m256i a_out = libcrux_intrinsics_avx2_mm256_shuffle_epi32( - (int32_t)216, a_terms_shuffled, __m256i); - __m256i b_out = libcrux_intrinsics_avx2_mm256_shuffle_epi32( - (int32_t)216, b_terms_shuffled, __m256i); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out}); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t0_serialize_a2( + __m256i *simd_unit, Eurydice_slice out) { + libcrux_ml_dsa_simd_avx2_encoding_t0_serialize(simd_unit, out); } +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1, int32_t zeta_2, - int32_t zeta_3, int32_t zeta_4, int32_t zeta_5, int32_t zeta_6, - int32_t zeta_7) { - core_core_arch_x86___m256i_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( - re[index], re[index + (size_t)1U], zeta_0, zeta_1, zeta_2, zeta_3, - zeta_4, zeta_5, zeta_6, zeta_7); - __m256i a = uu____0.fst; - __m256i b = uu____0.snd; - re[index] = a; - re[index + (size_t)1U] = b; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t1_deserialize_a2( + Eurydice_slice serialized, __m256i *out) { + libcrux_ml_dsa_simd_avx2_encoding_t1_deserialize(serialized, out); } +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0(__m256i *re) { - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)0U, (int32_t)2091667, (int32_t)3407706, (int32_t)2316500, - (int32_t)3817976, (int32_t)-3342478, (int32_t)2244091, (int32_t)-2446433, - (int32_t)-3562462); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)2U, (int32_t)266997, (int32_t)2434439, (int32_t)-1235728, - (int32_t)3513181, (int32_t)-3520352, (int32_t)-3759364, (int32_t)-1197226, - (int32_t)-3193378); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)4U, (int32_t)900702, (int32_t)1859098, (int32_t)909542, - (int32_t)819034, (int32_t)495491, (int32_t)-1613174, (int32_t)-43260, - (int32_t)-522500); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)6U, (int32_t)-655327, (int32_t)-3122442, (int32_t)2031748, - (int32_t)3207046, (int32_t)-3556995, (int32_t)-525098, (int32_t)-768622, - (int32_t)-3595838); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)8U, (int32_t)342297, (int32_t)286988, (int32_t)-2437823, - (int32_t)4108315, (int32_t)3437287, (int32_t)-3342277, (int32_t)1735879, - (int32_t)203044); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)10U, (int32_t)2842341, (int32_t)2691481, (int32_t)-2590150, - (int32_t)1265009, (int32_t)4055324, (int32_t)1247620, (int32_t)2486353, - (int32_t)1595974); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)12U, (int32_t)-3767016, (int32_t)1250494, (int32_t)2635921, - (int32_t)-3548272, (int32_t)-2994039, (int32_t)1869119, (int32_t)1903435, - (int32_t)-1050970); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)14U, (int32_t)-1333058, (int32_t)1237275, (int32_t)-3318210, - (int32_t)-1430225, (int32_t)-451100, (int32_t)1312455, (int32_t)3306115, - (int32_t)-1962642); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)16U, (int32_t)-1279661, (int32_t)1917081, (int32_t)-2546312, - (int32_t)-1374803, (int32_t)1500165, (int32_t)777191, (int32_t)2235880, - (int32_t)3406031); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)18U, (int32_t)-542412, (int32_t)-2831860, (int32_t)-1671176, - (int32_t)-1846953, (int32_t)-2584293, (int32_t)-3724270, (int32_t)594136, - (int32_t)-3776993); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)20U, (int32_t)-2013608, (int32_t)2432395, (int32_t)2454455, - (int32_t)-164721, (int32_t)1957272, (int32_t)3369112, (int32_t)185531, - (int32_t)-1207385); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)22U, (int32_t)-3183426, (int32_t)162844, (int32_t)1616392, - (int32_t)3014001, (int32_t)810149, (int32_t)1652634, (int32_t)-3694233, - (int32_t)-1799107); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)24U, (int32_t)-3038916, (int32_t)3523897, (int32_t)3866901, - (int32_t)269760, (int32_t)2213111, (int32_t)-975884, (int32_t)1717735, - (int32_t)472078); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)26U, (int32_t)-426683, (int32_t)1723600, (int32_t)-1803090, - (int32_t)1910376, (int32_t)-1667432, (int32_t)-1104333, (int32_t)-260646, - (int32_t)-3833893); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)28U, (int32_t)-2939036, (int32_t)-2235985, (int32_t)-420899, - (int32_t)-2286327, (int32_t)183443, (int32_t)-976891, (int32_t)1612842, - (int32_t)-3545687); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)30U, (int32_t)-554416, (int32_t)3919660, (int32_t)-48306, - (int32_t)-1362209, (int32_t)3937738, (int32_t)1400424, (int32_t)-846154, - (int32_t)1976782); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t1_serialize_a2( + __m256i *simd_unit, Eurydice_slice out) { + libcrux_ml_dsa_simd_avx2_encoding_t1_serialize(simd_unit, out); } +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt(__m256i re[32U], - __m256i ret[32U]) { - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6(re); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3(re); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2(re); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1(re); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0(re); - memcpy(ret, re, (size_t)32U * sizeof(__m256i)); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_to_coefficient_array_a2( + __m256i *value, Eurydice_slice out) { + libcrux_ml_dsa_simd_avx2_vector_type_to_coefficient_array(value, out); } /** diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h index bde9e3754..26b22d2ce 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h @@ -22,14 +22,6 @@ extern "C" { #include "libcrux_core.h" #include "libcrux_sha3_portable.h" -#define LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT ((size_t)8U) - -#define LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U) - -#define LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT \ - (LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \ - LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) - #define LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T ((size_t)13U) #define LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH \ @@ -41,6 +33,8 @@ extern "C" { #define LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH ((size_t)64U) +#define LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U) + #define LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN ((size_t)255U) #define LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS ((int32_t)8380417) @@ -517,834 +511,675 @@ typedef libcrux_ml_dsa_types_MLDSAVerificationKey_ea LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T) / \ (size_t)8U) -#define LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS ((int32_t)8380417) - -#define LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R \ - (58728449ULL) - -typedef struct uint8_t_x2_s { - uint8_t fst; - uint8_t snd; -} uint8_t_x2; - -static KRML_MUSTINLINE uint16_t -libcrux_ml_dsa_sample_generate_domain_separator(uint8_t_x2 _) { - uint8_t row = _.fst; - uint8_t column = _.snd; - return (uint32_t)(uint16_t)column | (uint32_t)(uint16_t)row << 8U; -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_sample_add_domain_separator( - Eurydice_slice slice, uint8_t_x2 indices, uint8_t ret[34U]) { - uint8_t out[34U] = {0U}; - uint8_t *uu____0 = out; - Eurydice_slice_copy( - Eurydice_array_to_subslice2(uu____0, (size_t)0U, - Eurydice_slice_len(slice, uint8_t), uint8_t), - slice, uint8_t); - uint16_t domain_separator = - libcrux_ml_dsa_sample_generate_domain_separator(indices); - out[32U] = (uint8_t)domain_separator; - out[33U] = (uint8_t)((uint32_t)domain_separator >> 8U); - memcpy(ret, out, (size_t)34U * sizeof(uint8_t)); -} - -typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { - Eurydice_slice context; - Option_30 pre_hash_oid; -} libcrux_ml_dsa_pre_hash_DomainSeparationContext; - -#define libcrux_ml_dsa_pre_hash_DomainSeparationError_ContextTooLongError 0 - -typedef uint8_t libcrux_ml_dsa_pre_hash_DomainSeparationError; - /** -A monomorphic instance of core.result.Result -with types libcrux_ml_dsa_pre_hash_DomainSeparationContext, -libcrux_ml_dsa_pre_hash_DomainSeparationError +A monomorphic instance of K. +with types uint8_t[4032size_t], uint8_t[1952size_t] */ -typedef struct Result_a8_s { - Result_a9_tags tag; - union { - libcrux_ml_dsa_pre_hash_DomainSeparationContext case_Ok; - libcrux_ml_dsa_pre_hash_DomainSeparationError case_Err; - } val; -} Result_a8; +typedef struct tuple_a0_s { + uint8_t fst[4032U]; + uint8_t snd[1952U]; +} tuple_a0; /** - `context` must be at most 255 bytes long. + Generate key pair. */ /** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.generate_key_pair with +const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ROW_COLUMN= 11 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- SIGNING_KEY_SIZE= 4032 +- VERIFICATION_KEY_SIZE= 1952 */ -static inline Result_a8 libcrux_ml_dsa_pre_hash_new_45(Eurydice_slice context, - Option_30 pre_hash_oid) { - if (!(Eurydice_slice_len(context, uint8_t) > - LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN)) { - return (CLITERAL(Result_a8){ - .tag = Ok, - .val = { - .case_Ok = {.context = context, .pre_hash_oid = pre_hash_oid}}}); - } - return (CLITERAL(Result_a8){ - .tag = Err, - .val = { - .case_Err = - libcrux_ml_dsa_pre_hash_DomainSeparationError_ContextTooLongError}}); +static inline tuple_a0 +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_c9( + uint8_t randomness[32U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); + KRML_HOST_EXIT(255U); } /** - Returns the pre-hash OID, if any. -*/ -/** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} + Generate an ML-DSA-65 Key Pair */ -static inline Option_30 *libcrux_ml_dsa_pre_hash_pre_hash_oid_45( - libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { - return &self->pre_hash_oid; +static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair +libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(uint8_t randomness[32U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + tuple_a0 uu____1 = + libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_c9( + copy_of_randomness); + uint8_t signing_key[4032U]; + memcpy(signing_key, uu____1.fst, (size_t)4032U * sizeof(uint8_t)); + uint8_t verification_key[1952U]; + memcpy(verification_key, uu____1.snd, (size_t)1952U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_signing_key[4032U]; + memcpy(copy_of_signing_key, signing_key, (size_t)4032U * sizeof(uint8_t)); + libcrux_ml_dsa_types_MLDSASigningKey_22 uu____3 = + libcrux_ml_dsa_types_new_9b_09(copy_of_signing_key); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_verification_key[1952U]; + memcpy(copy_of_verification_key, verification_key, + (size_t)1952U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair lit; + lit.signing_key = uu____3; + lit.verification_key = + libcrux_ml_dsa_types_new_66_97(copy_of_verification_key); + return lit; } /** - Returns the context, guaranteed to be at most 255 bytes long. + Sign. */ /** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 */ -static inline Eurydice_slice libcrux_ml_dsa_pre_hash_context_45( - libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { - return self->context; -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_sample_update_seed( - uint8_t seed[66U], uint16_t *domain_separator, uint8_t ret[66U]) { - seed[64U] = (uint8_t)domain_separator[0U]; - seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U); - domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; - memcpy(ret, seed, (size_t)66U * sizeof(uint8_t)); -} - -static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_inside_out_shuffle( - Eurydice_slice randomness, size_t *out_index, uint64_t *signs, - int32_t *result) { - bool done = false; - for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); - i++) { - size_t _cloop_j = i; - uint8_t *byte = - &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); - if (!done) { - size_t sample_at = (size_t)byte[0U]; - if (sample_at <= out_index[0U]) { - result[out_index[0U]] = result[sample_at]; - out_index[0U] = out_index[0U] + (size_t)1U; - result[sample_at] = - (int32_t)1 - (int32_t)2 * (int32_t)(signs[0U] & 1ULL); - signs[0U] = signs[0U] >> 1U; - size_t uu____0 = out_index[0U]; - done = uu____0 == Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)256U, result, int32_t), - int32_t); - } else { - size_t uu____1 = out_index[0U]; - done = uu____1 == Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)256U, result, int32_t), - int32_t); - } - } - } - return done; +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); + KRML_HOST_EXIT(255U); } -static const uint8_t libcrux_ml_dsa_pre_hash_SHAKE128_OID[11U] = { - 6U, 9U, 96U, 134U, 72U, 1U, 101U, 3U, 4U, 2U, 11U}; - /** -This function found in impl {(libcrux_ml_dsa::pre_hash::PreHash<256: usize> for -libcrux_ml_dsa::pre_hash::SHAKE128_PH)} -*/ -static inline void libcrux_ml_dsa_pre_hash_oid_bd(uint8_t ret[11U]) { - memcpy(ret, libcrux_ml_dsa_pre_hash_SHAKE128_OID, - (size_t)11U * sizeof(uint8_t)); -} - -typedef struct libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_s { - int32_t coefficients[8U]; -} libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit; - -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_vector_type_ZERO(void) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit lit; - lit.coefficients[0U] = (int32_t)0; - lit.coefficients[1U] = (int32_t)0; - lit.coefficients[2U] = (int32_t)0; - lit.coefficients[3U] = (int32_t)0; - lit.coefficients[4U] = (int32_t)0; - lit.coefficients[5U] = (int32_t)0; - lit.coefficients[6U] = (int32_t)0; - lit.coefficients[7U] = (int32_t)0; - return lit; -} + Generate an ML-DSA-65 Signature -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. */ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_ZERO_36(void) { - return libcrux_ml_dsa_simd_portable_vector_type_ZERO(); -} - -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_vector_type_from_coefficient_array( - Eurydice_slice array) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit lit; - int32_t ret[8U]; - Result_6c dst; - Eurydice_slice_to_array2( - &dst, Eurydice_slice_subslice2(array, (size_t)0U, (size_t)8U, int32_t), - Eurydice_slice, int32_t[8U]); - unwrap_26_55(dst, ret); - memcpy(lit.coefficients, ret, (size_t)8U * sizeof(int32_t)); - return lit; +static inline Result_2e libcrux_ml_dsa_ml_dsa_65_portable_sign( + libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, + Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { + uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( + uu____0, uu____1, uu____2, copy_of_randomness); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} + Sign (pre-hashed). */ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_from_coefficient_array_36(Eurydice_slice array) { - return libcrux_ml_dsa_simd_portable_vector_type_from_coefficient_array(array); -} - -static inline void -libcrux_ml_dsa_simd_portable_vector_type_to_coefficient_array( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *x, - int32_t ret[8U]) { - memcpy(ret, x->coefficients, (size_t)8U * sizeof(int32_t)); -} - /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign_pre_hashed_shake128 +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 */ -static inline void libcrux_ml_dsa_simd_portable_to_coefficient_array_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *self, - int32_t ret[8U]) { - libcrux_ml_dsa_simd_portable_vector_type_to_coefficient_array(self, ret); -} - -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_arithmetic_add( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit sum = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)8U, sum.coefficients, int32_t), - int32_t); - i++) { - size_t i0 = i; - sum.coefficients[i0] = lhs->coefficients[i0] + rhs->coefficients[i0]; - } - return sum; +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); + KRML_HOST_EXIT(255U); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_add_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) { - return libcrux_ml_dsa_simd_portable_arithmetic_add(lhs, rhs); -} + Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_arithmetic_subtract( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit difference = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)8U, difference.coefficients, int32_t), - int32_t); - i++) { - size_t i0 = i; - difference.coefficients[i0] = lhs->coefficients[i0] - rhs->coefficients[i0]; - } - return difference; + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +static inline Result_2e +libcrux_ml_dsa_ml_dsa_65_portable_sign_pre_hashed_shake128( + libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, + Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { + uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3( + uu____0, uu____1, uu____2, copy_of_randomness); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} + Verify. */ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_subtract_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) { - return libcrux_ml_dsa_simd_portable_arithmetic_subtract(lhs, rhs); +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.verify with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +static inline Result_41 +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01( + uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, + uint8_t *signature) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); + KRML_HOST_EXIT(255U); } -static KRML_MUSTINLINE bool -libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - int32_t bound) { - bool exceeds = false; - core_ops_range_Range_08 lit; - lit.start = (size_t)0U; - lit.end = Eurydice_slice_len( - Eurydice_array_to_slice((size_t)8U, simd_unit.coefficients, int32_t), - int32_t); - core_ops_range_Range_08 iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( - lit, core_ops_range_Range_08, core_ops_range_Range_08); - while (true) { - Option_08 uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( - &iter, size_t, Option_08); - if (uu____0.tag == None) { - return exceeds; - } else { - size_t _cloop_k = uu____0.f0; - int32_t coefficient = simd_unit.coefficients[_cloop_k]; - int32_t sign = coefficient >> 31U; - int32_t normalized = coefficient - (sign & (int32_t)2 * coefficient); - bool uu____1; - if (exceeds) { - uu____1 = true; - } else { - uu____1 = normalized >= bound; - } - exceeds = uu____1; - } - } +/** + Verify an ML-DSA-65 Signature + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +static inline Result_41 libcrux_ml_dsa_ml_dsa_65_portable_verify( + libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, + Eurydice_slice message, Eurydice_slice context, + libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01( + libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, + libcrux_ml_dsa_types_as_ref_8f_fa(signature)); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} + Verify (pre-hashed with SHAKE-128). */ -static inline bool libcrux_ml_dsa_simd_portable_infinity_norm_exceeds_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - int32_t bound) { - return libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds( - simd_unit, bound); +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.verify_pre_hashed_shake128 +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +static inline Result_41 +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_pre_hashed_shake128_01( + uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, + uint8_t *signature) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); + KRML_HOST_EXIT(255U); } -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (32U) +/** + Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing -static KRML_MUSTINLINE uint64_t -libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits( - uint8_t n, uint64_t value) { - return value & ((1ULL << (uint32_t)n) - 1ULL); + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +static inline Result_41 +libcrux_ml_dsa_ml_dsa_65_portable_verify_pre_hashed_shake128( + libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, + Eurydice_slice message, Eurydice_slice context, + libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_pre_hashed_shake128_01( + libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, + libcrux_ml_dsa_types_as_ref_8f_fa(signature)); } -static KRML_MUSTINLINE int32_t -libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( - int64_t value) { - uint64_t t = - libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits( - LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT, - (uint64_t)value) * - LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R; - int32_t k = (int32_t) - libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits( - LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT, t); - int64_t k_times_modulus = - (int64_t)k * (int64_t)LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS; - int32_t c = - (int32_t)(k_times_modulus >> - (uint32_t) - LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT); - int32_t value_high = - (int32_t)(value >> - (uint32_t) - LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT); - return value_high - c; -} +typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { + Eurydice_slice context; + Option_30 pre_hash_oid; +} libcrux_ml_dsa_pre_hash_DomainSeparationContext; -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit product = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)8U, product.coefficients, int32_t), - int32_t); - i++) { - size_t i0 = i; - product.coefficients[i0] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( - (int64_t)lhs->coefficients[i0] * (int64_t)rhs->coefficients[i0]); - } - return product; +/** + Returns the pre-hash OID, if any. +*/ +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Option_30 *libcrux_ml_dsa_pre_hash_pre_hash_oid_45( + libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { + return &self->pre_hash_oid; } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} + Returns the context, guaranteed to be at most 255 bytes long. */ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_montgomery_multiply_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit lhs, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit rhs) { - return libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply(&lhs, - &rhs); +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Eurydice_slice libcrux_ml_dsa_pre_hash_context_45( + libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { + return self->context; } -static KRML_MUSTINLINE int32_t -libcrux_ml_dsa_simd_portable_arithmetic_reduce_element(int32_t fe) { - int32_t quotient = (fe + ((int32_t)1 << 22U)) >> 23U; - return fe - quotient * LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS; -} +#define libcrux_ml_dsa_pre_hash_DomainSeparationError_ContextTooLongError 0 -typedef struct int32_t_x2_s { - int32_t fst; - int32_t snd; -} int32_t_x2; +typedef uint8_t libcrux_ml_dsa_pre_hash_DomainSeparationError; -static KRML_MUSTINLINE int32_t_x2 -libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(int32_t t) { - int32_t t2 = t + (t >> 31U & LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); - int32_t t1 = - (t2 - (int32_t)1 + - ((int32_t)1 - << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - - (size_t)1U))) >> - (uint32_t)LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T; - int32_t t0 = - t2 - (t1 << (uint32_t)LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T); - return (CLITERAL(int32_t_x2){.fst = t0, .snd = t1}); -} +#define LIBCRUX_ML_DSA_PRE_HASH_PRE_HASH_OID_LEN ((size_t)11U) -typedef struct libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2_s { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit fst; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit snd; -} libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2; +typedef uint8_t libcrux_ml_dsa_pre_hash_PreHashOID[11U]; -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 -libcrux_ml_dsa_simd_portable_arithmetic_power2round( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t0_simd_unit = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t1_simd_unit = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)8U, simd_unit.coefficients, int32_t), - int32_t); - i++) { - size_t i0 = i; - int32_t t = simd_unit.coefficients[i0]; - int32_t_x2 uu____0 = - libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(t); - int32_t t0 = uu____0.fst; - int32_t t1 = uu____0.snd; - t0_simd_unit.coefficients[i0] = t0; - t1_simd_unit.coefficients[i0] = t1; - } - return ( - CLITERAL(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2){ - .fst = t0_simd_unit, .snd = t1_simd_unit}); +static const uint8_t libcrux_ml_dsa_pre_hash_SHAKE128_OID[11U] = { + 6U, 9U, 96U, 134U, 72U, 1U, 101U, 3U, 4U, 2U, 11U}; + +/** +This function found in impl +{(core::convert::From for +libcrux_ml_dsa::types::SigningError)#2} +*/ +static inline libcrux_ml_dsa_types_SigningError libcrux_ml_dsa_pre_hash_from_4b( + libcrux_ml_dsa_pre_hash_DomainSeparationError e) { + return libcrux_ml_dsa_types_SigningError_ContextTooLongError; } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +This function found in impl +{(core::convert::From for +libcrux_ml_dsa::types::VerificationError)#3} */ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 -libcrux_ml_dsa_simd_portable_power2round_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { - return libcrux_ml_dsa_simd_portable_arithmetic_power2round(simd_unit); +static inline libcrux_ml_dsa_types_VerificationError +libcrux_ml_dsa_pre_hash_from_b6( + libcrux_ml_dsa_pre_hash_DomainSeparationError e) { + return libcrux_ml_dsa_types_VerificationError_VerificationContextTooLongError; } -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_field_modulus( - Eurydice_slice randomness, Eurydice_slice out) { - size_t sampled = (size_t)0U; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i++) { - size_t _cloop_i = i; - Eurydice_slice bytes = - Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)3U, - _cloop_i * (size_t)3U + (size_t)3U, uint8_t); - int32_t b0 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); - int32_t b1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); - int32_t b2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); - int32_t coefficient = ((b2 << 16U | b1 << 8U) | b0) & (int32_t)8388607; - if (coefficient < LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS) { - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = coefficient; - sampled++; - } - } - return sampled; +/** +This function found in impl {(libcrux_ml_dsa::pre_hash::PreHash<256: usize> for +libcrux_ml_dsa::pre_hash::SHAKE128_PH)} +*/ +static inline void libcrux_ml_dsa_pre_hash_oid_bd(uint8_t ret[11U]) { + memcpy(ret, libcrux_ml_dsa_pre_hash_SHAKE128_OID, + (size_t)11U * sizeof(uint8_t)); } +#define libcrux_ml_dsa_pre_hash_Ok 0 +#define libcrux_ml_dsa_pre_hash_Err 1 + +typedef uint8_t libcrux_ml_dsa_pre_hash_PreHashResult_tags; + +typedef struct libcrux_ml_dsa_pre_hash_PreHashResult_s { + libcrux_ml_dsa_pre_hash_PreHashResult_tags tag; + union { + libcrux_ml_dsa_pre_hash_DomainSeparationContext case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationError case_Err; + } val; +} libcrux_ml_dsa_pre_hash_PreHashResult; + /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} + `context` must be at most 255 bytes long. */ -static inline size_t -libcrux_ml_dsa_simd_portable_rejection_sample_less_than_field_modulus_36( - Eurydice_slice randomness, Eurydice_slice out) { - return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_field_modulus( - randomness, out); +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline libcrux_ml_dsa_pre_hash_PreHashResult +libcrux_ml_dsa_pre_hash_new_45(Eurydice_slice context, Option_30 pre_hash_oid) { + if (!(Eurydice_slice_len(context, uint8_t) > + LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN)) { + return (CLITERAL(libcrux_ml_dsa_pre_hash_PreHashResult){ + .tag = libcrux_ml_dsa_pre_hash_Ok, + .val = { + .case_Ok = {.context = context, .pre_hash_oid = pre_hash_oid}}}); + } + return (CLITERAL(libcrux_ml_dsa_pre_hash_PreHashResult){ + .tag = libcrux_ml_dsa_pre_hash_Err, + .val = { + .case_Err = + libcrux_ml_dsa_pre_hash_DomainSeparationError_ContextTooLongError}}); } -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_2( - Eurydice_slice randomness, Eurydice_slice out) { - size_t sampled = (size_t)0U; - for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); - i++) { - size_t _cloop_j = i; - uint8_t *byte = - &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); - uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); - uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); - if (try_0 < 15U) { - int32_t try_00 = (int32_t)try_0; - int32_t try_0_mod_5 = try_00 - (try_00 * (int32_t)26 >> 7U) * (int32_t)5; - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = - (int32_t)2 - try_0_mod_5; - sampled++; - } - if (try_1 < 15U) { - int32_t try_10 = (int32_t)try_1; - int32_t try_1_mod_5 = try_10 - (try_10 * (int32_t)26 >> 7U) * (int32_t)5; - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = - (int32_t)2 - try_1_mod_5; - sampled++; - } +typedef struct uint8_t_x2_s { + uint8_t fst; + uint8_t snd; +} uint8_t_x2; + +static KRML_MUSTINLINE uint16_t +libcrux_ml_dsa_sample_generate_domain_separator(uint8_t_x2 _) { + uint8_t row = _.fst; + uint8_t column = _.snd; + return (uint32_t)(uint16_t)column | (uint32_t)(uint16_t)row << 8U; +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_add_domain_separator( + Eurydice_slice slice, uint8_t_x2 indices, uint8_t ret[34U]) { + uint8_t out[34U] = {0U}; + uint8_t *uu____0 = out; + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); + uint16_t domain_separator = + libcrux_ml_dsa_sample_generate_domain_separator(indices); + out[32U] = (uint8_t)domain_separator; + out[33U] = (uint8_t)((uint32_t)domain_separator >> 8U); + memcpy(ret, out, (size_t)34U * sizeof(uint8_t)); +} + +typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { + Eurydice_slice context; + Option_30 pre_hash_oid; +} libcrux_ml_dsa_pre_hash_DomainSeparationContext; + +#define libcrux_ml_dsa_pre_hash_DomainSeparationError_ContextTooLongError 0 + +typedef uint8_t libcrux_ml_dsa_pre_hash_DomainSeparationError; + +/** +A monomorphic instance of core.result.Result +with types libcrux_ml_dsa_pre_hash_DomainSeparationContext, +libcrux_ml_dsa_pre_hash_DomainSeparationError + +*/ +typedef struct Result_a8_s { + Result_a9_tags tag; + union { + libcrux_ml_dsa_pre_hash_DomainSeparationContext case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationError case_Err; + } val; +} Result_a8; + +/** + `context` must be at most 255 bytes long. +*/ +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Result_a8 libcrux_ml_dsa_pre_hash_new_45(Eurydice_slice context, + Option_30 pre_hash_oid) { + if (!(Eurydice_slice_len(context, uint8_t) > + LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN)) { + return (CLITERAL(Result_a8){ + .tag = Ok, + .val = { + .case_Ok = {.context = context, .pre_hash_oid = pre_hash_oid}}}); } - return sampled; + return (CLITERAL(Result_a8){ + .tag = Err, + .val = { + .case_Err = + libcrux_ml_dsa_pre_hash_DomainSeparationError_ContextTooLongError}}); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} + Returns the pre-hash OID, if any. */ -static inline size_t -libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_2_36( - Eurydice_slice randomness, Eurydice_slice out) { - return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_2( - randomness, out); +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Option_30 *libcrux_ml_dsa_pre_hash_pre_hash_oid_45( + libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { + return &self->pre_hash_oid; } -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4( - Eurydice_slice randomness, Eurydice_slice out) { - size_t sampled = (size_t)0U; +/** + Returns the context, guaranteed to be at most 255 bytes long. +*/ +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Eurydice_slice libcrux_ml_dsa_pre_hash_context_45( + libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { + return self->context; +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_update_seed( + uint8_t seed[66U], uint16_t *domain_separator, uint8_t ret[66U]) { + seed[64U] = (uint8_t)domain_separator[0U]; + seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U); + domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; + memcpy(ret, seed, (size_t)66U * sizeof(uint8_t)); +} + +static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_inside_out_shuffle( + Eurydice_slice randomness, size_t *out_index, uint64_t *signs, + int32_t *result) { + bool done = false; for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); i++) { size_t _cloop_j = i; uint8_t *byte = &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); - uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); - uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); - if (try_0 < 9U) { - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = - (int32_t)4 - (int32_t)try_0; - sampled++; - } - if (try_1 < 9U) { - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = - (int32_t)4 - (int32_t)try_1; - sampled++; + if (!done) { + size_t sample_at = (size_t)byte[0U]; + if (sample_at <= out_index[0U]) { + result[out_index[0U]] = result[sample_at]; + out_index[0U] = out_index[0U] + (size_t)1U; + result[sample_at] = + (int32_t)1 - (int32_t)2 * (int32_t)(signs[0U] & 1ULL); + signs[0U] = signs[0U] >> 1U; + size_t uu____0 = out_index[0U]; + done = uu____0 == Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)256U, result, int32_t), + int32_t); + } else { + size_t uu____1 = out_index[0U]; + done = uu____1 == Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)256U, result, int32_t), + int32_t); + } } } - return sampled; + return done; } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline size_t -libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_36( - Eurydice_slice randomness, Eurydice_slice out) { - return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4( - randomness, out); -} +#define LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS ((int32_t)8380417) -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ - ((int32_t)1 << 17U) +#define LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R \ + (58728449ULL) -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_17( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - Eurydice_slice serialized) { +#define LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT ((size_t)8U) + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (32U) + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_arithmetic_add( + int32_t *lhs, int32_t *rhs) { for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)8U, simd_unit.coefficients, int32_t), - int32_t) / - (size_t)4U; + i < Eurydice_slice_len(Eurydice_array_to_slice((size_t)8U, lhs, int32_t), + int32_t); i++) { size_t i0 = i; - Eurydice_slice coefficients = - Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)4U, - i0 * (size_t)4U + (size_t)4U, int32_t); - int32_t coefficient0 = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - - Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *); - int32_t coefficient1 = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - - Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *); - int32_t coefficient2 = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - - Eurydice_slice_index(coefficients, (size_t)2U, int32_t, int32_t *); - int32_t coefficient3 = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - - Eurydice_slice_index(coefficients, (size_t)3U, int32_t, int32_t *); - Eurydice_slice_index(serialized, (size_t)9U * i0, uint8_t, uint8_t *) = - (uint8_t)coefficient0; - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)1U, uint8_t, - uint8_t *) = (uint8_t)(coefficient0 >> 8U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)2U, uint8_t, - uint8_t *) = (uint8_t)(coefficient0 >> 16U); - size_t uu____0 = (size_t)9U * i0 + (size_t)2U; - Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) = - (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t, - uint8_t *) | - (uint32_t)(uint8_t)(coefficient1 << 2U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)3U, uint8_t, - uint8_t *) = (uint8_t)(coefficient1 >> 6U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)4U, uint8_t, - uint8_t *) = (uint8_t)(coefficient1 >> 14U); - size_t uu____1 = (size_t)9U * i0 + (size_t)4U; - Eurydice_slice_index(serialized, uu____1, uint8_t, uint8_t *) = - (uint32_t)Eurydice_slice_index(serialized, uu____1, uint8_t, - uint8_t *) | - (uint32_t)(uint8_t)(coefficient2 << 4U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)5U, uint8_t, - uint8_t *) = (uint8_t)(coefficient2 >> 4U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)6U, uint8_t, - uint8_t *) = (uint8_t)(coefficient2 >> 12U); - size_t uu____2 = (size_t)9U * i0 + (size_t)6U; - Eurydice_slice_index(serialized, uu____2, uint8_t, uint8_t *) = - (uint32_t)Eurydice_slice_index(serialized, uu____2, uint8_t, - uint8_t *) | - (uint32_t)(uint8_t)(coefficient3 << 6U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)7U, uint8_t, - uint8_t *) = (uint8_t)(coefficient3 >> 2U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)8U, uint8_t, - uint8_t *) = (uint8_t)(coefficient3 >> 10U); + size_t uu____0 = i0; + lhs[uu____0] = lhs[uu____0] + rhs[i0]; } } -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ - ((int32_t)1 << 19U) +static KRML_MUSTINLINE uint64_t +libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits( + uint8_t n, uint64_t value) { + return value & ((1ULL << (uint32_t)n) - 1ULL); +} + +static KRML_MUSTINLINE bool +libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds( + int32_t *simd_unit, int32_t bound) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes " + "core::ops::bit::{core::ops::bit::Shr for i32}#1175::Output\")\n"); + KRML_HOST_EXIT(255U); +} + +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( + int64_t value) { + uint64_t t = + libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits( + LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT, + (uint64_t)value) * + LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R; + int32_t k = (int32_t) + libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits( + LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT, t); + int64_t k_times_modulus = + (int64_t)k * (int64_t)LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS; + int32_t c = + (int32_t)(k_times_modulus >> + (uint32_t) + LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT); + int32_t value_high = + (int32_t)(value >> + (uint32_t) + LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT); + return value_high - c; +} static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - Eurydice_slice serialized) { +libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply(int32_t *lhs, + int32_t *rhs) { for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)8U, simd_unit.coefficients, int32_t), - int32_t) / - (size_t)2U; + i < Eurydice_slice_len(Eurydice_array_to_slice((size_t)8U, lhs, int32_t), + int32_t); i++) { size_t i0 = i; - Eurydice_slice coefficients = - Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)2U, - i0 * (size_t)2U + (size_t)2U, int32_t); - int32_t coefficient0 = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - - Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *); - int32_t coefficient1 = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - - Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *); - Eurydice_slice_index(serialized, (size_t)5U * i0, uint8_t, uint8_t *) = - (uint8_t)coefficient0; - Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)1U, uint8_t, - uint8_t *) = (uint8_t)(coefficient0 >> 8U); - Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)2U, uint8_t, - uint8_t *) = (uint8_t)(coefficient0 >> 16U); - size_t uu____0 = (size_t)5U * i0 + (size_t)2U; - Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) = - (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t, - uint8_t *) | - (uint32_t)(uint8_t)(coefficient1 << 4U); - Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)3U, uint8_t, - uint8_t *) = (uint8_t)(coefficient1 >> 4U); - Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)4U, uint8_t, - uint8_t *) = (uint8_t)(coefficient1 >> 12U); + lhs[i0] = libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( + (int64_t)lhs[i0] * (int64_t)rhs[i0]); } } -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ - ((int32_t)1 << 17U) - -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK \ - ((LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ - << 1U) - \ - (int32_t)1) - -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( - Eurydice_slice serialized) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + int32_t *simd_unit, int32_t c) { for (size_t i = (size_t)0U; - i < Eurydice_slice_len(serialized, uint8_t) / (size_t)9U; i++) { + i < + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), int32_t); + i++) { size_t i0 = i; - Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)9U, i0 * (size_t)9U + (size_t)9U, uint8_t); - int32_t coefficient0 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); - coefficient0 = - coefficient0 | - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) - << 8U; - coefficient0 = - coefficient0 | - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) - << 16U; - coefficient0 = - coefficient0 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; - int32_t coefficient1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >> - 2U; - coefficient1 = - coefficient1 | - (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) - << 6U; - coefficient1 = - coefficient1 | - (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) - << 14U; - coefficient1 = - coefficient1 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; - int32_t coefficient2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) >> - 4U; - coefficient2 = - coefficient2 | - (int32_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *) - << 4U; - coefficient2 = - coefficient2 | - (int32_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) - << 12U; - coefficient2 = - coefficient2 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; - int32_t coefficient3 = - (int32_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) >> - 6U; - coefficient3 = - coefficient3 | - (int32_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *) - << 2U; - coefficient3 = - coefficient3 | - (int32_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) - << 10U; - coefficient3 = - coefficient3 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; - simd_unit.coefficients[(size_t)4U * i0] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - - coefficient0; - simd_unit.coefficients[(size_t)4U * i0 + (size_t)1U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - - coefficient1; - simd_unit.coefficients[(size_t)4U * i0 + (size_t)2U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - - coefficient2; - simd_unit.coefficients[(size_t)4U * i0 + (size_t)3U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - - coefficient3; + simd_unit[i0] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( + (int64_t)simd_unit[i0] * (int64_t)c); } - return simd_unit; } -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ - ((int32_t)1 << 19U) +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + int32_t fe, int32_t fer) { + return libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( + (int64_t)fe * (int64_t)fer); +} -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_BITMASK \ - ((LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ - << 1U) - \ - (int32_t)1) +typedef struct int32_t_x2_s { + int32_t fst; + int32_t snd; +} int32_t_x2; -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( - Eurydice_slice serialized) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); +static KRML_MUSTINLINE int32_t_x2 +libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(int32_t t) { + int32_t t2 = t + (t >> 31U & LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + int32_t t1 = + (t2 - (int32_t)1 + + ((int32_t)1 + << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - + (size_t)1U))) >> + (uint32_t)LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T; + int32_t t0 = + t2 - (t1 << (uint32_t)LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T); + return (CLITERAL(int32_t_x2){.fst = t0, .snd = t1}); +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_arithmetic_power2round( + int32_t *t0, int32_t *t1) { for (size_t i = (size_t)0U; - i < Eurydice_slice_len(serialized, uint8_t) / (size_t)5U; i++) { + i < Eurydice_slice_len(Eurydice_array_to_slice((size_t)8U, t0, int32_t), + int32_t); + i++) { size_t i0 = i; - Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)5U, i0 * (size_t)5U + (size_t)5U, uint8_t); - int32_t coefficient0 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); - coefficient0 = - coefficient0 | - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) - << 8U; - coefficient0 = - coefficient0 | - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) - << 16U; - coefficient0 = - coefficient0 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_BITMASK; - int32_t coefficient1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >> - 4U; - coefficient1 = - coefficient1 | - (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) - << 4U; - coefficient1 = - coefficient1 | - (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) - << 12U; - simd_unit.coefficients[(size_t)2U * i0] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - - coefficient0; - simd_unit.coefficients[(size_t)2U * i0 + (size_t)1U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - - coefficient1; + int32_t_x2 uu____0 = + libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(t0[i0]); + int32_t lhs0 = uu____0.fst; + int32_t lhs = uu____0.snd; + t0[i0] = lhs0; + t1[i0] = lhs; + } +} + +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_arithmetic_reduce_element(int32_t fe) { + int32_t quotient = (fe + ((int32_t)1 << 22U)) >> 23U; + return fe - quotient * LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS; +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_arithmetic_subtract( + int32_t *lhs, int32_t *rhs) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice((size_t)8U, lhs, int32_t), + int32_t); + i++) { + size_t i0 = i; + size_t uu____0 = i0; + lhs[uu____0] = lhs[uu____0] - rhs[i0]; } - return simd_unit; } static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_commitment_serialize( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - Eurydice_slice serialized) { + int32_t *simd_unit, Eurydice_slice serialized) { switch ((uint8_t)Eurydice_slice_len(serialized, uint8_t)) { case 4U: { for (size_t i = (size_t)0U; - i < - Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)8U, simd_unit.coefficients, int32_t), - int32_t) / - (size_t)2U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), + int32_t) / + (size_t)2U; i++) { size_t i0 = i; - Eurydice_slice coefficients = - Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)2U, - i0 * (size_t)2U + (size_t)2U, int32_t); + Eurydice_slice coefficients = Eurydice_array_to_subslice2( + simd_unit, i0 * (size_t)2U, i0 * (size_t)2U + (size_t)2U, int32_t); uint8_t coefficient0 = (uint8_t)Eurydice_slice_index( coefficients, (size_t)0U, int32_t, int32_t *); uint8_t coefficient1 = (uint8_t)Eurydice_slice_index( @@ -1356,16 +1191,14 @@ libcrux_ml_dsa_simd_portable_encoding_commitment_serialize( } case 6U: { for (size_t i = (size_t)0U; - i < - Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)8U, simd_unit.coefficients, int32_t), - int32_t) / - (size_t)4U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), + int32_t) / + (size_t)4U; i++) { size_t i0 = i; - Eurydice_slice coefficients = - Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)4U, - i0 * (size_t)4U + (size_t)4U, int32_t); + Eurydice_slice coefficients = Eurydice_array_to_subslice2( + simd_unit, i0 * (size_t)4U, i0 * (size_t)4U + (size_t)4U, int32_t); uint8_t coefficient0 = (uint8_t)Eurydice_slice_index( coefficients, (size_t)0U, int32_t, int32_t *); uint8_t coefficient1 = (uint8_t)Eurydice_slice_index( @@ -1393,15 +1226,63 @@ libcrux_ml_dsa_simd_portable_encoding_commitment_serialize( } } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline void libcrux_ml_dsa_simd_portable_commitment_serialize_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - Eurydice_slice serialized) { - libcrux_ml_dsa_simd_portable_encoding_commitment_serialize(simd_unit, - serialized); +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA \ + ((int32_t)2) + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_2( + Eurydice_slice serialized, int32_t *simd_unit) { + int32_t byte0 = + (int32_t)Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *); + int32_t byte1 = + (int32_t)Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *); + int32_t byte2 = + (int32_t)Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *); + simd_unit[0U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte0 & (int32_t)7); + simd_unit[1U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte0 >> 3U & (int32_t)7); + simd_unit[2U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + ((byte0 >> 6U | byte1 << 2U) & (int32_t)7); + simd_unit[3U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte1 >> 1U & (int32_t)7); + simd_unit[4U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte1 >> 4U & (int32_t)7); + simd_unit[5U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + ((byte1 >> 7U | byte2 << 1U) & (int32_t)7); + simd_unit[6U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte2 >> 2U & (int32_t)7); + simd_unit[7U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte2 >> 5U & (int32_t)7); +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA \ + ((int32_t)4) + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_4( + Eurydice_slice serialized, int32_t *simd_units) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t); + i++) { + size_t i0 = i; + uint8_t *byte = &Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *); + uint8_t uu____0 = Eurydice_bitand_pv_u8(byte, 15U); + simd_units[(size_t)2U * i0] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA - + (int32_t)uu____0; + uint8_t uu____1 = Eurydice_shr_pv_u8(byte, (int32_t)4); + simd_units[(size_t)2U * i0 + (size_t)1U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA - + (int32_t)uu____1; + } } #define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \ @@ -1409,32 +1290,31 @@ static inline void libcrux_ml_dsa_simd_portable_commitment_serialize_36( static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_2( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - Eurydice_slice serialized) { + int32_t *simd_unit, Eurydice_slice serialized) { uint8_t coefficient0 = (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit.coefficients[0U]); + simd_unit[0U]); uint8_t coefficient1 = (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit.coefficients[1U]); + simd_unit[1U]); uint8_t coefficient2 = (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit.coefficients[2U]); + simd_unit[2U]); uint8_t coefficient3 = (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit.coefficients[3U]); + simd_unit[3U]); uint8_t coefficient4 = (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit.coefficients[4U]); + simd_unit[4U]); uint8_t coefficient5 = (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit.coefficients[5U]); + simd_unit[5U]); uint8_t coefficient6 = (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit.coefficients[6U]); + simd_unit[6U]); uint8_t coefficient7 = (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit.coefficients[7U]); + simd_unit[7U]); Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *) = ((uint32_t)coefficient2 << 6U | (uint32_t)coefficient1 << 3U) | (uint32_t)coefficient0; @@ -1452,18 +1332,16 @@ libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_2( static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_4( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - Eurydice_slice serialized) { + int32_t *simd_unit, Eurydice_slice serialized) { for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)8U, simd_unit.coefficients, int32_t), - int32_t) / - (size_t)2U; + i < + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), int32_t) / + (size_t)2U; i++) { size_t i0 = i; - Eurydice_slice coefficients = - Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)2U, - i0 * (size_t)2U + (size_t)2U, int32_t); + Eurydice_slice coefficients = Eurydice_array_to_subslice2( + simd_unit, i0 * (size_t)2U, i0 * (size_t)2U + (size_t)2U, int32_t); uint8_t coefficient0 = (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA - Eurydice_slice_index(coefficients, (size_t)0U, int32_t, @@ -1477,152 +1355,249 @@ libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_4( } } -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA \ - ((int32_t)2) - -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_2( - Eurydice_slice serialized) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); - int32_t byte0 = - (int32_t)Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *); - int32_t byte1 = - (int32_t)Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *); - int32_t byte2 = - (int32_t)Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *); - simd_unit.coefficients[0U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - (byte0 & (int32_t)7); - simd_unit.coefficients[1U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - (byte0 >> 3U & (int32_t)7); - simd_unit.coefficients[2U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - ((byte0 >> 6U | byte1 << 2U) & (int32_t)7); - simd_unit.coefficients[3U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - (byte1 >> 1U & (int32_t)7); - simd_unit.coefficients[4U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - (byte1 >> 4U & (int32_t)7); - simd_unit.coefficients[5U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - ((byte1 >> 7U | byte2 << 1U) & (int32_t)7); - simd_unit.coefficients[6U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - (byte2 >> 2U & (int32_t)7); - simd_unit.coefficients[7U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - (byte2 >> 5U & (int32_t)7); - return simd_unit; -} +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + ((int32_t)1 << 17U) -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA \ - ((int32_t)4) +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK \ + ((LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + << 1U) - \ + (int32_t)1) -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_4( - Eurydice_slice serialized) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); - for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t); - i++) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( + Eurydice_slice serialized, int32_t *simd_unit) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)9U; i++) { size_t i0 = i; - uint8_t *byte = &Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *); - uint8_t uu____0 = Eurydice_bitand_pv_u8(byte, 15U); - simd_unit.coefficients[(size_t)2U * i0] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA - - (int32_t)uu____0; - uint8_t uu____1 = Eurydice_shr_pv_u8(byte, (int32_t)4); - simd_unit.coefficients[(size_t)2U * i0 + (size_t)1U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA - - (int32_t)uu____1; + Eurydice_slice bytes = Eurydice_slice_subslice2( + serialized, i0 * (size_t)9U, i0 * (size_t)9U + (size_t)9U, uint8_t); + int32_t coefficient0 = + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + coefficient0 = + coefficient0 | + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) + << 8U; + coefficient0 = + coefficient0 | + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) + << 16U; + coefficient0 = + coefficient0 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; + int32_t coefficient1 = + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >> + 2U; + coefficient1 = + coefficient1 | + (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) + << 6U; + coefficient1 = + coefficient1 | + (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) + << 14U; + coefficient1 = + coefficient1 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; + int32_t coefficient2 = + (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) >> + 4U; + coefficient2 = + coefficient2 | + (int32_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *) + << 4U; + coefficient2 = + coefficient2 | + (int32_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) + << 12U; + coefficient2 = + coefficient2 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; + int32_t coefficient3 = + (int32_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) >> + 6U; + coefficient3 = + coefficient3 | + (int32_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *) + << 2U; + coefficient3 = + coefficient3 | + (int32_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) + << 10U; + coefficient3 = + coefficient3 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; + simd_unit[(size_t)4U * i0] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + coefficient0; + simd_unit[(size_t)4U * i0 + (size_t)1U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + coefficient1; + simd_unit[(size_t)4U * i0 + (size_t)2U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + coefficient2; + simd_unit[(size_t)4U * i0 + (size_t)3U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + coefficient3; } - return simd_unit; } -static KRML_MUSTINLINE int32_t -libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(int32_t t0) { - return ((int32_t)1 - << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - - (size_t)1U)) - - t0; -} +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + ((int32_t)1 << 19U) -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t0_serialize( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - uint8_t ret[13U]) { - uint8_t serialized[13U] = {0U}; - int32_t coefficient0 = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit.coefficients[0U]); - int32_t coefficient1 = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit.coefficients[1U]); - int32_t coefficient2 = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit.coefficients[2U]); - int32_t coefficient3 = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit.coefficients[3U]); - int32_t coefficient4 = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit.coefficients[4U]); - int32_t coefficient5 = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit.coefficients[5U]); - int32_t coefficient6 = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit.coefficients[6U]); - int32_t coefficient7 = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit.coefficients[7U]); - serialized[0U] = (uint8_t)coefficient0; - serialized[1U] = (uint8_t)(coefficient0 >> 8U); - size_t uu____0 = (size_t)1U; - serialized[uu____0] = - (uint32_t)serialized[uu____0] | (uint32_t)(uint8_t)(coefficient1 << 5U); - serialized[2U] = (uint8_t)(coefficient1 >> 3U); - serialized[3U] = (uint8_t)(coefficient1 >> 11U); - size_t uu____1 = (size_t)3U; - serialized[uu____1] = - (uint32_t)serialized[uu____1] | (uint32_t)(uint8_t)(coefficient2 << 2U); - serialized[4U] = (uint8_t)(coefficient2 >> 6U); - size_t uu____2 = (size_t)4U; - serialized[uu____2] = - (uint32_t)serialized[uu____2] | (uint32_t)(uint8_t)(coefficient3 << 7U); - serialized[5U] = (uint8_t)(coefficient3 >> 1U); - serialized[6U] = (uint8_t)(coefficient3 >> 9U); - size_t uu____3 = (size_t)6U; - serialized[uu____3] = - (uint32_t)serialized[uu____3] | (uint32_t)(uint8_t)(coefficient4 << 4U); - serialized[7U] = (uint8_t)(coefficient4 >> 4U); - serialized[8U] = (uint8_t)(coefficient4 >> 12U); - size_t uu____4 = (size_t)8U; - serialized[uu____4] = - (uint32_t)serialized[uu____4] | (uint32_t)(uint8_t)(coefficient5 << 1U); - serialized[9U] = (uint8_t)(coefficient5 >> 7U); - size_t uu____5 = (size_t)9U; - serialized[uu____5] = - (uint32_t)serialized[uu____5] | (uint32_t)(uint8_t)(coefficient6 << 6U); - serialized[10U] = (uint8_t)(coefficient6 >> 2U); - serialized[11U] = (uint8_t)(coefficient6 >> 10U); - size_t uu____6 = (size_t)11U; - serialized[uu____6] = - (uint32_t)serialized[uu____6] | (uint32_t)(uint8_t)(coefficient7 << 3U); - serialized[12U] = (uint8_t)(coefficient7 >> 5U); - memcpy(ret, serialized, (size_t)13U * sizeof(uint8_t)); +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_BITMASK \ + ((LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + << 1U) - \ + (int32_t)1) + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( + Eurydice_slice serialized, int32_t *simd_unit) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)5U; i++) { + size_t i0 = i; + Eurydice_slice bytes = Eurydice_slice_subslice2( + serialized, i0 * (size_t)5U, i0 * (size_t)5U + (size_t)5U, uint8_t); + int32_t coefficient0 = + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + coefficient0 = + coefficient0 | + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) + << 8U; + coefficient0 = + coefficient0 | + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) + << 16U; + coefficient0 = + coefficient0 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_BITMASK; + int32_t coefficient1 = + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >> + 4U; + coefficient1 = + coefficient1 | + (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) + << 4U; + coefficient1 = + coefficient1 | + (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) + << 12U; + simd_unit[(size_t)2U * i0] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - + coefficient0; + simd_unit[(size_t)2U * i0 + (size_t)1U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - + coefficient1; + } } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline void libcrux_ml_dsa_simd_portable_t0_serialize_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - uint8_t ret[13U]) { - libcrux_ml_dsa_simd_portable_encoding_t0_serialize(simd_unit, ret); +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + ((int32_t)1 << 17U) + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_17( + int32_t *simd_unit, Eurydice_slice serialized) { + for (size_t i = (size_t)0U; + i < + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), int32_t) / + (size_t)4U; + i++) { + size_t i0 = i; + Eurydice_slice coefficients = Eurydice_array_to_subslice2( + simd_unit, i0 * (size_t)4U, i0 * (size_t)4U + (size_t)4U, int32_t); + int32_t coefficient0 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *); + int32_t coefficient1 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *); + int32_t coefficient2 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)2U, int32_t, int32_t *); + int32_t coefficient3 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)3U, int32_t, int32_t *); + Eurydice_slice_index(serialized, (size_t)9U * i0, uint8_t, uint8_t *) = + (uint8_t)coefficient0; + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)1U, uint8_t, + uint8_t *) = (uint8_t)(coefficient0 >> 8U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)2U, uint8_t, + uint8_t *) = (uint8_t)(coefficient0 >> 16U); + size_t uu____0 = (size_t)9U * i0 + (size_t)2U; + Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t, + uint8_t *) | + (uint32_t)(uint8_t)(coefficient1 << 2U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)3U, uint8_t, + uint8_t *) = (uint8_t)(coefficient1 >> 6U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)4U, uint8_t, + uint8_t *) = (uint8_t)(coefficient1 >> 14U); + size_t uu____1 = (size_t)9U * i0 + (size_t)4U; + Eurydice_slice_index(serialized, uu____1, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____1, uint8_t, + uint8_t *) | + (uint32_t)(uint8_t)(coefficient2 << 4U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)5U, uint8_t, + uint8_t *) = (uint8_t)(coefficient2 >> 4U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)6U, uint8_t, + uint8_t *) = (uint8_t)(coefficient2 >> 12U); + size_t uu____2 = (size_t)9U * i0 + (size_t)6U; + Eurydice_slice_index(serialized, uu____2, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____2, uint8_t, + uint8_t *) | + (uint32_t)(uint8_t)(coefficient3 << 6U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)7U, uint8_t, + uint8_t *) = (uint8_t)(coefficient3 >> 2U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)8U, uint8_t, + uint8_t *) = (uint8_t)(coefficient3 >> 10U); + } +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + ((int32_t)1 << 19U) + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( + int32_t *simd_unit, Eurydice_slice serialized) { + for (size_t i = (size_t)0U; + i < + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), int32_t) / + (size_t)2U; + i++) { + size_t i0 = i; + Eurydice_slice coefficients = Eurydice_array_to_subslice2( + simd_unit, i0 * (size_t)2U, i0 * (size_t)2U + (size_t)2U, int32_t); + int32_t coefficient0 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *); + int32_t coefficient1 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *); + Eurydice_slice_index(serialized, (size_t)5U * i0, uint8_t, uint8_t *) = + (uint8_t)coefficient0; + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)1U, uint8_t, + uint8_t *) = (uint8_t)(coefficient0 >> 8U); + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)2U, uint8_t, + uint8_t *) = (uint8_t)(coefficient0 >> 16U); + size_t uu____0 = (size_t)5U * i0 + (size_t)2U; + Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t, + uint8_t *) | + (uint32_t)(uint8_t)(coefficient1 << 4U); + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)3U, uint8_t, + uint8_t *) = (uint8_t)(coefficient1 >> 4U); + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)4U, uint8_t, + uint8_t *) = (uint8_t)(coefficient1 >> 12U); + } +} + +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(int32_t t0) { + return ((int32_t)1 + << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - + (size_t)1U)) - + t0; } #define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK \ @@ -1630,9 +1605,9 @@ static inline void libcrux_ml_dsa_simd_portable_t0_serialize_36( LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T) - \ (int32_t)1) -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_encoding_t0_deserialize( - Eurydice_slice serialized) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_t0_deserialize(Eurydice_slice serialized, + int32_t *simd_unit) { int32_t byte0 = (int32_t)Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *); int32_t byte1 = @@ -1703,55 +1678,154 @@ libcrux_ml_dsa_simd_portable_encoding_t0_deserialize( coefficient7 = coefficient7 & LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); - simd_unit.coefficients[0U] = + simd_unit[0U] = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient0); - simd_unit.coefficients[1U] = + simd_unit[1U] = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient1); - simd_unit.coefficients[2U] = + simd_unit[2U] = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient2); - simd_unit.coefficients[3U] = + simd_unit[3U] = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient3); - simd_unit.coefficients[4U] = + simd_unit[4U] = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient4); - simd_unit.coefficients[5U] = + simd_unit[5U] = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient5); - simd_unit.coefficients[6U] = + simd_unit[6U] = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient6); - simd_unit.coefficients[7U] = + simd_unit[7U] = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient7); - return simd_unit; } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_t0_deserialize_36(Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_portable_encoding_t0_deserialize(serialized); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t0_serialize( + int32_t *simd_unit, Eurydice_slice serialized) { + int32_t coefficient0 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit[0U]); + int32_t coefficient1 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit[1U]); + int32_t coefficient2 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit[2U]); + int32_t coefficient3 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit[3U]); + int32_t coefficient4 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit[4U]); + int32_t coefficient5 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit[5U]); + int32_t coefficient6 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit[6U]); + int32_t coefficient7 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit[7U]); + Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *) = + (uint8_t)coefficient0; + Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *) = + (uint8_t)(coefficient0 >> 8U); + size_t uu____0 = (size_t)1U; + Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) | + (uint32_t)(uint8_t)(coefficient1 << 5U); + Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *) = + (uint8_t)(coefficient1 >> 3U); + Eurydice_slice_index(serialized, (size_t)3U, uint8_t, uint8_t *) = + (uint8_t)(coefficient1 >> 11U); + size_t uu____1 = (size_t)3U; + Eurydice_slice_index(serialized, uu____1, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____1, uint8_t, uint8_t *) | + (uint32_t)(uint8_t)(coefficient2 << 2U); + Eurydice_slice_index(serialized, (size_t)4U, uint8_t, uint8_t *) = + (uint8_t)(coefficient2 >> 6U); + size_t uu____2 = (size_t)4U; + Eurydice_slice_index(serialized, uu____2, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____2, uint8_t, uint8_t *) | + (uint32_t)(uint8_t)(coefficient3 << 7U); + Eurydice_slice_index(serialized, (size_t)5U, uint8_t, uint8_t *) = + (uint8_t)(coefficient3 >> 1U); + Eurydice_slice_index(serialized, (size_t)6U, uint8_t, uint8_t *) = + (uint8_t)(coefficient3 >> 9U); + size_t uu____3 = (size_t)6U; + Eurydice_slice_index(serialized, uu____3, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____3, uint8_t, uint8_t *) | + (uint32_t)(uint8_t)(coefficient4 << 4U); + Eurydice_slice_index(serialized, (size_t)7U, uint8_t, uint8_t *) = + (uint8_t)(coefficient4 >> 4U); + Eurydice_slice_index(serialized, (size_t)8U, uint8_t, uint8_t *) = + (uint8_t)(coefficient4 >> 12U); + size_t uu____4 = (size_t)8U; + Eurydice_slice_index(serialized, uu____4, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____4, uint8_t, uint8_t *) | + (uint32_t)(uint8_t)(coefficient5 << 1U); + Eurydice_slice_index(serialized, (size_t)9U, uint8_t, uint8_t *) = + (uint8_t)(coefficient5 >> 7U); + size_t uu____5 = (size_t)9U; + Eurydice_slice_index(serialized, uu____5, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____5, uint8_t, uint8_t *) | + (uint32_t)(uint8_t)(coefficient6 << 6U); + Eurydice_slice_index(serialized, (size_t)10U, uint8_t, uint8_t *) = + (uint8_t)(coefficient6 >> 2U); + Eurydice_slice_index(serialized, (size_t)11U, uint8_t, uint8_t *) = + (uint8_t)(coefficient6 >> 10U); + size_t uu____6 = (size_t)11U; + Eurydice_slice_index(serialized, uu____6, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____6, uint8_t, uint8_t *) | + (uint32_t)(uint8_t)(coefficient7 << 3U); + Eurydice_slice_index(serialized, (size_t)12U, uint8_t, uint8_t *) = + (uint8_t)(coefficient7 >> 5U); +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_t1_deserialize(Eurydice_slice serialized, + int32_t *simd_unit) { + int32_t mask = ((int32_t)1 << (uint32_t) + LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_UPPER_PART_OF_T) - + (int32_t)1; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)5U; i++) { + size_t i0 = i; + Eurydice_slice bytes = Eurydice_slice_subslice2( + serialized, i0 * (size_t)5U, i0 * (size_t)5U + (size_t)5U, uint8_t); + int32_t byte0 = + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + int32_t byte1 = + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); + int32_t byte2 = + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); + int32_t byte3 = + (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *); + int32_t byte4 = + (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *); + simd_unit[(size_t)4U * i0] = (byte0 | byte1 << 8U) & mask; + simd_unit[(size_t)4U * i0 + (size_t)1U] = + (byte1 >> 2U | byte2 << 6U) & mask; + simd_unit[(size_t)4U * i0 + (size_t)2U] = + (byte2 >> 4U | byte3 << 4U) & mask; + simd_unit[(size_t)4U * i0 + (size_t)3U] = + (byte3 >> 6U | byte4 << 2U) & mask; + } } static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t1_serialize( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - uint8_t ret[10U]) { - uint8_t serialized[10U] = {0U}; + int32_t *simd_unit, Eurydice_slice serialized) { for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)8U, simd_unit.coefficients, int32_t), - int32_t) / - (size_t)4U; + i < + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), int32_t) / + (size_t)4U; i++) { size_t i0 = i; - Eurydice_slice coefficients = - Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)4U, - i0 * (size_t)4U + (size_t)4U, int32_t); - serialized[(size_t)5U * i0] = + Eurydice_slice coefficients = Eurydice_array_to_subslice2( + simd_unit, i0 * (size_t)4U, i0 * (size_t)4U + (size_t)4U, int32_t); + Eurydice_slice_index(serialized, (size_t)5U * i0, uint8_t, uint8_t *) = (uint8_t)(Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *) & (int32_t)255); - serialized[(size_t)5U * i0 + (size_t)1U] = + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)1U, uint8_t, + uint8_t *) = (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *) & (int32_t)63) @@ -1760,7 +1834,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t1_serialize( int32_t, int32_t *) >> 8U & (int32_t)3); - serialized[(size_t)5U * i0 + (size_t)2U] = + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)2U, uint8_t, + uint8_t *) = (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)2U, int32_t, int32_t *) & (int32_t)15) @@ -1769,7 +1844,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t1_serialize( int32_t, int32_t *) >> 6U & (int32_t)15); - serialized[(size_t)5U * i0 + (size_t)3U] = + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)3U, uint8_t, + uint8_t *) = (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)3U, int32_t, int32_t *) & (int32_t)3) @@ -1778,1252 +1854,51 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t1_serialize( int32_t, int32_t *) >> 4U & (int32_t)63); - serialized[(size_t)5U * i0 + (size_t)4U] = + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)4U, uint8_t, + uint8_t *) = (uint8_t)(Eurydice_slice_index(coefficients, (size_t)3U, int32_t, int32_t *) >> 2U & (int32_t)255); } - memcpy(ret, serialized, (size_t)10U * sizeof(uint8_t)); } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline void libcrux_ml_dsa_simd_portable_t1_serialize_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - uint8_t ret[10U]) { - libcrux_ml_dsa_simd_portable_encoding_t1_serialize(simd_unit, ret); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_0( + int32_t *simd_unit, int32_t zeta0, int32_t zeta1, int32_t zeta2, + int32_t zeta3) { + int32_t a_minus_b = simd_unit[1U] - simd_unit[0U]; + simd_unit[0U] = simd_unit[0U] + simd_unit[1U]; + simd_unit[1U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b, zeta0); + int32_t a_minus_b0 = simd_unit[3U] - simd_unit[2U]; + simd_unit[2U] = simd_unit[2U] + simd_unit[3U]; + simd_unit[3U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b0, zeta1); + int32_t a_minus_b1 = simd_unit[5U] - simd_unit[4U]; + simd_unit[4U] = simd_unit[4U] + simd_unit[5U]; + simd_unit[5U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b1, zeta2); + int32_t a_minus_b2 = simd_unit[7U] - simd_unit[6U]; + simd_unit[6U] = simd_unit[6U] + simd_unit[7U]; + simd_unit[7U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b2, zeta3); } -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_encoding_t1_deserialize( - Eurydice_slice serialized) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); - int32_t mask = ((int32_t)1 << (uint32_t) - LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_UPPER_PART_OF_T) - - (int32_t)1; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(serialized, uint8_t) / (size_t)5U; i++) { - size_t i0 = i; - Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)5U, i0 * (size_t)5U + (size_t)5U, uint8_t); - int32_t byte0 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); - int32_t byte1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); - int32_t byte2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); - int32_t byte3 = - (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *); - int32_t byte4 = - (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *); - simd_unit.coefficients[(size_t)4U * i0] = (byte0 | byte1 << 8U) & mask; - simd_unit.coefficients[(size_t)4U * i0 + (size_t)1U] = - (byte1 >> 2U | byte2 << 6U) & mask; - simd_unit.coefficients[(size_t)4U * i0 + (size_t)2U] = - (byte2 >> 4U | byte3 << 4U) & mask; - simd_unit.coefficients[(size_t)4U * i0 + (size_t)3U] = - (byte3 >> 6U | byte4 << 2U) & mask; - } - return simd_unit; -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_t1_deserialize_36(Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_portable_encoding_t1_deserialize(serialized); -} - -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - int32_t c) { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)8U, simd_unit.coefficients, int32_t), - int32_t); - i++) { - size_t i0 = i; - simd_unit.coefficients[i0] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( - (int64_t)simd_unit.coefficients[i0] * (int64_t)c); - } - return simd_unit; -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 16 -- ZETA= 25847 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_99( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)16U], (int32_t)25847); - re[j + (size_t)16U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_7( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_99(re); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 8 -- ZETA= -2608894 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_990( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)8U], (int32_t)-2608894); - re[j + (size_t)8U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 16 -- STEP_BY= 8 -- ZETA= -518909 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)8U], (int32_t)-518909); - re[j + (size_t)8U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_6( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_990(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a(re); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 4 -- ZETA= 237124 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_991( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)4U], (int32_t)237124); - re[j + (size_t)4U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 8 -- STEP_BY= 4 -- ZETA= -777960 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a8( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)4U], (int32_t)-777960); - re[j + (size_t)4U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 16 -- STEP_BY= 4 -- ZETA= -876248 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)4U], (int32_t)-876248); - re[j + (size_t)4U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 24 -- STEP_BY= 4 -- ZETA= 466468 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d9( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)4U], (int32_t)466468); - re[j + (size_t)4U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_5( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_991(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a8(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a0(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d9(re); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 2 -- ZETA= 1826347 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_992( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)1826347); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 4 -- STEP_BY= 2 -- ZETA= 2353451 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)2353451); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 8 -- STEP_BY= 2 -- ZETA= -359251 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a80( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)-359251); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 12 -- STEP_BY= 2 -- ZETA= -2091905 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_95( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)-2091905); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 16 -- STEP_BY= 2 -- ZETA= 3119733 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a1( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)3119733); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 20 -- STEP_BY= 2 -- ZETA= -2884855 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)-2884855); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 24 -- STEP_BY= 2 -- ZETA= 3111497 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d90( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)3111497); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 28 -- STEP_BY= 2 -- ZETA= 2680103 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)2680103); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_4( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_992(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a80(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_95(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a1(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d90(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b(re); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 1 -- ZETA= 2725464 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_993( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)2725464); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 2 -- STEP_BY= 1 -- ZETA= 1024112 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1c( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)1024112); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 4 -- STEP_BY= 1 -- ZETA= -1079900 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-1079900); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 6 -- STEP_BY= 1 -- ZETA= 3585928 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_44( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)3585928); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 8 -- STEP_BY= 1 -- ZETA= -549488 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a81( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-549488); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 10 -- STEP_BY= 1 -- ZETA= -1119584 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1f( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-1119584); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 12 -- STEP_BY= 1 -- ZETA= 2619752 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_950( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)2619752); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 14 -- STEP_BY= 1 -- ZETA= -2108549 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-2108549); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 16 -- STEP_BY= 1 -- ZETA= -2118186 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a2( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-2118186); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 18 -- STEP_BY= 1 -- ZETA= -3859737 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_e4( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-3859737); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 20 -- STEP_BY= 1 -- ZETA= -1399561 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-1399561); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 22 -- STEP_BY= 1 -- ZETA= -3277672 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_05( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-3277672); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 24 -- STEP_BY= 1 -- ZETA= 1757237 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d91( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)1757237); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 26 -- STEP_BY= 1 -- ZETA= -19422 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3a( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-19422); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 28 -- STEP_BY= 1 -- ZETA= 4010497 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b1( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)4010497); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 30 -- STEP_BY= 1 -- ZETA= 280005 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)280005); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); - re[j] = uu____1; - } -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_3( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_993(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1c(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b0(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_44(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a81(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1f(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_950(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b0(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a2(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_e4(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de0(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_05(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d91(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3a(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b1(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a0(re); -} - -static KRML_MUSTINLINE int32_t -libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - int32_t fe, int32_t fer) { - return libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( - (int64_t)fe * (int64_t)fer); -} - -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_2( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - int32_t zeta) { - int32_t t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit.coefficients[4U], zeta); - simd_unit.coefficients[4U] = simd_unit.coefficients[0U] - t; - simd_unit.coefficients[0U] = simd_unit.coefficients[0U] + t; - int32_t t0 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit.coefficients[5U], zeta); - simd_unit.coefficients[5U] = simd_unit.coefficients[1U] - t0; - simd_unit.coefficients[1U] = simd_unit.coefficients[1U] + t0; - int32_t t1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit.coefficients[6U], zeta); - simd_unit.coefficients[6U] = simd_unit.coefficients[2U] - t1; - simd_unit.coefficients[2U] = simd_unit.coefficients[2U] + t1; - int32_t t2 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit.coefficients[7U], zeta); - simd_unit.coefficients[7U] = simd_unit.coefficients[3U] - t2; - simd_unit.coefficients[3U] = simd_unit.coefficients[3U] + t2; - return simd_unit; -} - -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index, - int32_t zeta) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_2(re[index], - zeta); - re[index] = uu____0; -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)0U, - (int32_t)2706023); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)1U, - (int32_t)95776); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)2U, - (int32_t)3077325); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)3U, - (int32_t)3530437); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)4U, - (int32_t)-1661693); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)5U, - (int32_t)-3592148); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)6U, - (int32_t)-2537516); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)7U, - (int32_t)3915439); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)8U, - (int32_t)-3861115); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)9U, - (int32_t)-3043716); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)10U, - (int32_t)3574422); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)11U, - (int32_t)-2867647); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)12U, - (int32_t)3539968); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)13U, - (int32_t)-300467); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)14U, - (int32_t)2348700); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)15U, - (int32_t)-539299); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)16U, - (int32_t)-1699267); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)17U, - (int32_t)-1643818); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)18U, - (int32_t)3505694); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)19U, - (int32_t)-3821735); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)20U, - (int32_t)3507263); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)21U, - (int32_t)-2140649); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)22U, - (int32_t)-1600420); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)23U, - (int32_t)3699596); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)24U, - (int32_t)811944); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)25U, - (int32_t)531354); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)26U, - (int32_t)954230); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)27U, - (int32_t)3881043); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)28U, - (int32_t)3900724); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)29U, - (int32_t)-2556880); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)30U, - (int32_t)2071892); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)31U, - (int32_t)-2797779); -} - -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_1( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - int32_t zeta1, int32_t zeta2) { - int32_t t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit.coefficients[2U], zeta1); - simd_unit.coefficients[2U] = simd_unit.coefficients[0U] - t; - simd_unit.coefficients[0U] = simd_unit.coefficients[0U] + t; - int32_t t0 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit.coefficients[3U], zeta1); - simd_unit.coefficients[3U] = simd_unit.coefficients[1U] - t0; - simd_unit.coefficients[1U] = simd_unit.coefficients[1U] + t0; - int32_t t1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit.coefficients[6U], zeta2); - simd_unit.coefficients[6U] = simd_unit.coefficients[4U] - t1; - simd_unit.coefficients[4U] = simd_unit.coefficients[4U] + t1; - int32_t t2 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit.coefficients[7U], zeta2); - simd_unit.coefficients[7U] = simd_unit.coefficients[5U] - t2; - simd_unit.coefficients[5U] = simd_unit.coefficients[5U] + t2; - return simd_unit; -} - -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index, - int32_t zeta_0, int32_t zeta_1) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_1(re[index], - zeta_0, zeta_1); - re[index] = uu____0; -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)0U, (int32_t)-3930395, (int32_t)-1528703); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)1U, (int32_t)-3677745, (int32_t)-3041255); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)2U, (int32_t)-1452451, (int32_t)3475950); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)3U, (int32_t)2176455, (int32_t)-1585221); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)4U, (int32_t)-1257611, (int32_t)1939314); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)5U, (int32_t)-4083598, (int32_t)-1000202); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)6U, (int32_t)-3190144, (int32_t)-3157330); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)7U, (int32_t)-3632928, (int32_t)126922); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)8U, (int32_t)3412210, (int32_t)-983419); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)9U, (int32_t)2147896, (int32_t)2715295); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)10U, (int32_t)-2967645, (int32_t)-3693493); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)11U, (int32_t)-411027, (int32_t)-2477047); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)12U, (int32_t)-671102, (int32_t)-1228525); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)13U, (int32_t)-22981, (int32_t)-1308169); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)14U, (int32_t)-381987, (int32_t)1349076); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)15U, (int32_t)1852771, (int32_t)-1430430); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)16U, (int32_t)-3343383, (int32_t)264944); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)17U, (int32_t)508951, (int32_t)3097992); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)18U, (int32_t)44288, (int32_t)-1100098); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)19U, (int32_t)904516, (int32_t)3958618); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)20U, (int32_t)-3724342, (int32_t)-8578); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)21U, (int32_t)1653064, (int32_t)-3249728); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)22U, (int32_t)2389356, (int32_t)-210977); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)23U, (int32_t)759969, (int32_t)-1316856); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)24U, (int32_t)189548, (int32_t)-3553272); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)25U, (int32_t)3159746, (int32_t)-1851402); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)26U, (int32_t)-2409325, (int32_t)-177440); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)27U, (int32_t)1315589, (int32_t)1341330); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)28U, (int32_t)1285669, (int32_t)-1584928); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)29U, (int32_t)-812732, (int32_t)-1439742); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)30U, (int32_t)-3019102, (int32_t)-3881060); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)31U, (int32_t)-3628969, (int32_t)3839961); -} - -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - int32_t zeta0, int32_t zeta1, int32_t zeta2, int32_t zeta3) { - int32_t t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit.coefficients[1U], zeta0); - simd_unit.coefficients[1U] = simd_unit.coefficients[0U] - t; - simd_unit.coefficients[0U] = simd_unit.coefficients[0U] + t; - int32_t t0 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit.coefficients[3U], zeta1); - simd_unit.coefficients[3U] = simd_unit.coefficients[2U] - t0; - simd_unit.coefficients[2U] = simd_unit.coefficients[2U] + t0; - int32_t t1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit.coefficients[5U], zeta2); - simd_unit.coefficients[5U] = simd_unit.coefficients[4U] - t1; - simd_unit.coefficients[4U] = simd_unit.coefficients[4U] + t1; - int32_t t2 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit.coefficients[7U], zeta3); - simd_unit.coefficients[7U] = simd_unit.coefficients[6U] - t2; - simd_unit.coefficients[6U] = simd_unit.coefficients[6U] + t2; - return simd_unit; -} - -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index, - int32_t zeta_0, int32_t zeta_1, int32_t zeta_2, int32_t zeta_3) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_0( - re[index], zeta_0, zeta_1, zeta_2, zeta_3); - re[index] = uu____0; -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)0U, (int32_t)2091667, (int32_t)3407706, (int32_t)2316500, - (int32_t)3817976); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)1U, (int32_t)-3342478, (int32_t)2244091, (int32_t)-2446433, - (int32_t)-3562462); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)2U, (int32_t)266997, (int32_t)2434439, (int32_t)-1235728, - (int32_t)3513181); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)3U, (int32_t)-3520352, (int32_t)-3759364, (int32_t)-1197226, - (int32_t)-3193378); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)4U, (int32_t)900702, (int32_t)1859098, (int32_t)909542, - (int32_t)819034); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)5U, (int32_t)495491, (int32_t)-1613174, (int32_t)-43260, - (int32_t)-522500); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)6U, (int32_t)-655327, (int32_t)-3122442, (int32_t)2031748, - (int32_t)3207046); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)7U, (int32_t)-3556995, (int32_t)-525098, (int32_t)-768622, - (int32_t)-3595838); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)8U, (int32_t)342297, (int32_t)286988, (int32_t)-2437823, - (int32_t)4108315); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)9U, (int32_t)3437287, (int32_t)-3342277, (int32_t)1735879, - (int32_t)203044); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)10U, (int32_t)2842341, (int32_t)2691481, (int32_t)-2590150, - (int32_t)1265009); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)11U, (int32_t)4055324, (int32_t)1247620, (int32_t)2486353, - (int32_t)1595974); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)12U, (int32_t)-3767016, (int32_t)1250494, (int32_t)2635921, - (int32_t)-3548272); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)13U, (int32_t)-2994039, (int32_t)1869119, (int32_t)1903435, - (int32_t)-1050970); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)14U, (int32_t)-1333058, (int32_t)1237275, (int32_t)-3318210, - (int32_t)-1430225); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)15U, (int32_t)-451100, (int32_t)1312455, (int32_t)3306115, - (int32_t)-1962642); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)16U, (int32_t)-1279661, (int32_t)1917081, (int32_t)-2546312, - (int32_t)-1374803); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)17U, (int32_t)1500165, (int32_t)777191, (int32_t)2235880, - (int32_t)3406031); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)18U, (int32_t)-542412, (int32_t)-2831860, (int32_t)-1671176, - (int32_t)-1846953); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)19U, (int32_t)-2584293, (int32_t)-3724270, (int32_t)594136, - (int32_t)-3776993); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)20U, (int32_t)-2013608, (int32_t)2432395, (int32_t)2454455, - (int32_t)-164721); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)21U, (int32_t)1957272, (int32_t)3369112, (int32_t)185531, - (int32_t)-1207385); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)22U, (int32_t)-3183426, (int32_t)162844, (int32_t)1616392, - (int32_t)3014001); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)23U, (int32_t)810149, (int32_t)1652634, (int32_t)-3694233, - (int32_t)-1799107); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)24U, (int32_t)-3038916, (int32_t)3523897, (int32_t)3866901, - (int32_t)269760); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)25U, (int32_t)2213111, (int32_t)-975884, (int32_t)1717735, - (int32_t)472078); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)26U, (int32_t)-426683, (int32_t)1723600, (int32_t)-1803090, - (int32_t)1910376); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)27U, (int32_t)-1667432, (int32_t)-1104333, (int32_t)-260646, - (int32_t)-3833893); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)28U, (int32_t)-2939036, (int32_t)-2235985, (int32_t)-420899, - (int32_t)-2286327); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)29U, (int32_t)183443, (int32_t)-976891, (int32_t)1612842, - (int32_t)-3545687); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)30U, (int32_t)-554416, (int32_t)3919660, (int32_t)-48306, - (int32_t)-1362209); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)31U, (int32_t)3937738, (int32_t)1400424, (int32_t)-846154, - (int32_t)1976782); -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit re[32U], - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]) { - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_7(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_6(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_5(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_4(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_3(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0(re); - memcpy(ret, re, - (size_t)32U * - sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline void libcrux_ml_dsa_simd_portable_ntt_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_units[32U], - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]) { - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit - copy_of_simd_units[32U]; - memcpy(copy_of_simd_units, simd_units, - (size_t)32U * - sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret0[32U]; - libcrux_ml_dsa_simd_portable_ntt_ntt(copy_of_simd_units, ret0); - memcpy(ret, ret0, - (size_t)32U * - sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); -} - -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - int32_t zeta0, int32_t zeta1, int32_t zeta2, int32_t zeta3) { - int32_t a_minus_b = simd_unit.coefficients[1U] - simd_unit.coefficients[0U]; - simd_unit.coefficients[0U] = - simd_unit.coefficients[0U] + simd_unit.coefficients[1U]; - simd_unit.coefficients[1U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b, zeta0); - int32_t a_minus_b0 = simd_unit.coefficients[3U] - simd_unit.coefficients[2U]; - simd_unit.coefficients[2U] = - simd_unit.coefficients[2U] + simd_unit.coefficients[3U]; - simd_unit.coefficients[3U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b0, zeta1); - int32_t a_minus_b1 = simd_unit.coefficients[5U] - simd_unit.coefficients[4U]; - simd_unit.coefficients[4U] = - simd_unit.coefficients[4U] + simd_unit.coefficients[5U]; - simd_unit.coefficients[5U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b1, zeta2); - int32_t a_minus_b2 = simd_unit.coefficients[7U] - simd_unit.coefficients[6U]; - simd_unit.coefficients[6U] = - simd_unit.coefficients[6U] + simd_unit.coefficients[7U]; - simd_unit.coefficients[7U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b2, zeta3); - return simd_unit; -} - -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index, - int32_t zeta0, int32_t zeta1, int32_t zeta2, int32_t zeta3) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_0( - re[index], zeta0, zeta1, zeta2, zeta3); - re[index] = uu____0; +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + int32_t (*re)[8U], size_t index, int32_t zeta0, int32_t zeta1, + int32_t zeta2, int32_t zeta3) { + libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_0( + re[index], zeta0, zeta1, zeta2, zeta3); } static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0(int32_t (*re)[8U]) { libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( re, (size_t)0U, (int32_t)1976782, (int32_t)-846154, (int32_t)1400424, (int32_t)3937738); @@ -3122,50 +1997,40 @@ libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0( (int32_t)2091667); } -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_1( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - int32_t zeta0, int32_t zeta1) { - int32_t a_minus_b = simd_unit.coefficients[2U] - simd_unit.coefficients[0U]; - simd_unit.coefficients[0U] = - simd_unit.coefficients[0U] + simd_unit.coefficients[2U]; - simd_unit.coefficients[2U] = + int32_t *simd_unit, int32_t zeta0, int32_t zeta1) { + int32_t a_minus_b = simd_unit[2U] - simd_unit[0U]; + simd_unit[0U] = simd_unit[0U] + simd_unit[2U]; + simd_unit[2U] = libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( a_minus_b, zeta0); - int32_t a_minus_b0 = simd_unit.coefficients[3U] - simd_unit.coefficients[1U]; - simd_unit.coefficients[1U] = - simd_unit.coefficients[1U] + simd_unit.coefficients[3U]; - simd_unit.coefficients[3U] = + int32_t a_minus_b0 = simd_unit[3U] - simd_unit[1U]; + simd_unit[1U] = simd_unit[1U] + simd_unit[3U]; + simd_unit[3U] = libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( a_minus_b0, zeta0); - int32_t a_minus_b1 = simd_unit.coefficients[6U] - simd_unit.coefficients[4U]; - simd_unit.coefficients[4U] = - simd_unit.coefficients[4U] + simd_unit.coefficients[6U]; - simd_unit.coefficients[6U] = + int32_t a_minus_b1 = simd_unit[6U] - simd_unit[4U]; + simd_unit[4U] = simd_unit[4U] + simd_unit[6U]; + simd_unit[6U] = libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( a_minus_b1, zeta1); - int32_t a_minus_b2 = simd_unit.coefficients[7U] - simd_unit.coefficients[5U]; - simd_unit.coefficients[5U] = - simd_unit.coefficients[5U] + simd_unit.coefficients[7U]; - simd_unit.coefficients[7U] = + int32_t a_minus_b2 = simd_unit[7U] - simd_unit[5U]; + simd_unit[5U] = simd_unit[5U] + simd_unit[7U]; + simd_unit[7U] = libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( a_minus_b2, zeta1); - return simd_unit; } static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index, - int32_t zeta_00, int32_t zeta_01) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_1( - re[index], zeta_00, zeta_01); - re[index] = uu____0; + int32_t (*re)[8U], size_t index, int32_t zeta_00, int32_t zeta_01) { + libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_1( + re[index], zeta_00, zeta_01); } static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1(int32_t (*re)[8U]) { libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( re, (size_t)0U, (int32_t)3839961, (int32_t)-3628969); libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( @@ -3232,50 +2097,40 @@ libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1( re, (size_t)31U, (int32_t)-1528703, (int32_t)-3930395); } -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_2( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - int32_t zeta) { - int32_t a_minus_b = simd_unit.coefficients[4U] - simd_unit.coefficients[0U]; - simd_unit.coefficients[0U] = - simd_unit.coefficients[0U] + simd_unit.coefficients[4U]; - simd_unit.coefficients[4U] = + int32_t *simd_unit, int32_t zeta) { + int32_t a_minus_b = simd_unit[4U] - simd_unit[0U]; + simd_unit[0U] = simd_unit[0U] + simd_unit[4U]; + simd_unit[4U] = libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( a_minus_b, zeta); - int32_t a_minus_b0 = simd_unit.coefficients[5U] - simd_unit.coefficients[1U]; - simd_unit.coefficients[1U] = - simd_unit.coefficients[1U] + simd_unit.coefficients[5U]; - simd_unit.coefficients[5U] = + int32_t a_minus_b0 = simd_unit[5U] - simd_unit[1U]; + simd_unit[1U] = simd_unit[1U] + simd_unit[5U]; + simd_unit[5U] = libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( a_minus_b0, zeta); - int32_t a_minus_b1 = simd_unit.coefficients[6U] - simd_unit.coefficients[2U]; - simd_unit.coefficients[2U] = - simd_unit.coefficients[2U] + simd_unit.coefficients[6U]; - simd_unit.coefficients[6U] = + int32_t a_minus_b1 = simd_unit[6U] - simd_unit[2U]; + simd_unit[2U] = simd_unit[2U] + simd_unit[6U]; + simd_unit[6U] = libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( a_minus_b1, zeta); - int32_t a_minus_b2 = simd_unit.coefficients[7U] - simd_unit.coefficients[3U]; - simd_unit.coefficients[3U] = - simd_unit.coefficients[3U] + simd_unit.coefficients[7U]; - simd_unit.coefficients[7U] = + int32_t a_minus_b2 = simd_unit[7U] - simd_unit[3U]; + simd_unit[3U] = simd_unit[3U] + simd_unit[7U]; + simd_unit[7U] = libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( a_minus_b2, zeta); - return simd_unit; } static inline void libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index, - int32_t zeta1) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_2( - re[index], zeta1); - re[index] = uu____0; + int32_t (*re)[8U], size_t index, int32_t zeta1) { + libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_2(re[index], + zeta1); } static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2(int32_t (*re)[8U]) { libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( re, (size_t)0U, (int32_t)-2797779); libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( @@ -3350,18 +2205,22 @@ with const generics - ZETA= 280005 */ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_99( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + int32_t (*re)[8U]) { for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)280005); - re[j + (size_t)1U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)280005); } } @@ -3373,18 +2232,22 @@ with const generics - ZETA= 4010497 */ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1c( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + int32_t (*re)[8U]) { for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)4010497); - re[j + (size_t)1U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)4010497); } } @@ -3396,18 +2259,22 @@ with const generics - ZETA= -19422 */ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + int32_t (*re)[8U]) { for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-19422); - re[j + (size_t)1U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-19422); } } @@ -3419,18 +2286,22 @@ with const generics - ZETA= 1757237 */ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_44( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + int32_t (*re)[8U]) { for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)1757237); - re[j + (size_t)1U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)1757237); } } @@ -3442,18 +2313,22 @@ with const generics - ZETA= -3277672 */ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a8( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + int32_t (*re)[8U]) { for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-3277672); - re[j + (size_t)1U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-3277672); } } @@ -3465,18 +2340,22 @@ with const generics - ZETA= -1399561 */ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1f( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + int32_t (*re)[8U]) { for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-1399561); - re[j + (size_t)1U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-1399561); } } @@ -3488,18 +2367,22 @@ with const generics - ZETA= -3859737 */ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_95( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + int32_t (*re)[8U]) { for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-3859737); - re[j + (size_t)1U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-3859737); } } @@ -3511,18 +2394,22 @@ with const generics - ZETA= -2118186 */ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + int32_t (*re)[8U]) { for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-2118186); - re[j + (size_t)1U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-2118186); } } @@ -3534,18 +2421,22 @@ with const generics - ZETA= -2108549 */ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + int32_t (*re)[8U]) { for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-2108549); - re[j + (size_t)1U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-2108549); } } @@ -3557,18 +2448,22 @@ with const generics - ZETA= 2619752 */ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_e4( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + int32_t (*re)[8U]) { for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)2619752); - re[j + (size_t)1U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)2619752); } } @@ -3580,2627 +2475,1942 @@ with const generics - ZETA= -1119584 */ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + int32_t (*re)[8U]) { for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-1119584); - re[j + (size_t)1U] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 22 -- STEP_BY= 1 -- ZETA= -549488 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_05( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-549488); - re[j + (size_t)1U] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 24 -- STEP_BY= 1 -- ZETA= 3585928 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d9( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)3585928); - re[j + (size_t)1U] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 26 -- STEP_BY= 1 -- ZETA= -1079900 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3a( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-1079900); - re[j + (size_t)1U] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 28 -- STEP_BY= 1 -- ZETA= 1024112 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)1024112); - re[j + (size_t)1U] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 30 -- STEP_BY= 1 -- ZETA= 2725464 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)1U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)2725464); - re[j + (size_t)1U] = uu____1; - } -} - -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_3( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_99(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1c(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_44(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a8(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1f(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_95(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_e4(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_05(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d9(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3a(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b0(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a0(re); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 2 -- ZETA= 2680103 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_990( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)2U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)2680103); - re[j + (size_t)2U] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 4 -- STEP_BY= 2 -- ZETA= 3111497 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)2U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)3111497); - re[j + (size_t)2U] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 8 -- STEP_BY= 2 -- ZETA= -2884855 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a80( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)2U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-2884855); - re[j + (size_t)2U] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 12 -- STEP_BY= 2 -- ZETA= 3119733 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_950( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)2U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)3119733); - re[j + (size_t)2U] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 16 -- STEP_BY= 2 -- ZETA= -2091905 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)2U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-2091905); - re[j + (size_t)2U] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 20 -- STEP_BY= 2 -- ZETA= -359251 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de0( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)2U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-359251); - re[j + (size_t)2U] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 24 -- STEP_BY= 2 -- ZETA= 2353451 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d90( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)2U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)2353451); - re[j + (size_t)2U] = uu____1; - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 28 -- STEP_BY= 2 -- ZETA= 1826347 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b1( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)2U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)1826347); - re[j + (size_t)2U] = uu____1; - } -} - -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_4( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_990(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b0(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a80(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_950(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a0(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de0(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d90(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b1(re); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 4 -- ZETA= 466468 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_991( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)4U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)466468); - re[j + (size_t)4U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-1119584); } } /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 8 -- STEP_BY= 4 -- ZETA= -876248 +- OFFSET= 22 +- STEP_BY= 1 +- ZETA= -549488 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a81( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_05( + int32_t (*re)[8U]) { + for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)4U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-876248); - re[j + (size_t)4U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-549488); } } /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 16 -- STEP_BY= 4 -- ZETA= -777960 +- OFFSET= 24 +- STEP_BY= 1 +- ZETA= 3585928 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a1( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d9( + int32_t (*re)[8U]) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)4U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-777960); - re[j + (size_t)4U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)3585928); } } /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 24 -- STEP_BY= 4 -- ZETA= 237124 +- OFFSET= 26 +- STEP_BY= 1 +- ZETA= -1079900 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d91( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3a( + int32_t (*re)[8U]) { + for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)4U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)237124); - re[j + (size_t)4U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-1079900); } } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_5( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_991(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a81(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a1(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d91(re); -} - /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 0 -- STEP_BY= 8 -- ZETA= -518909 +- OFFSET= 28 +- STEP_BY= 1 +- ZETA= 1024112 */ static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_992( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b0(int32_t (*re)[8U]) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)8U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)8U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-518909); - re[j + (size_t)8U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)1024112); } } /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 16 -- STEP_BY= 8 -- ZETA= -2608894 +- OFFSET= 30 +- STEP_BY= 1 +- ZETA= 2725464 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a2( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a0( + int32_t (*re)[8U]) { + for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)8U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)8U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-2608894); - re[j + (size_t)8U] = uu____1; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)2725464); } } static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_6( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_992(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a2(re); +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_3(int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_99(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1c(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_44(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a8(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1f(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_95(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_e4(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_05(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d9(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3a(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b0(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a0(re); } /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - OFFSET= 0 -- STEP_BY= 16 -- ZETA= 25847 +- STEP_BY= 2 +- ZETA= 2680103 */ static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_993( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_990(int32_t (*re)[8U]) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = - libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)16U], - &re[j]); - re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], - &re[j + (size_t)16U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)25847); - re[j + (size_t)16U] = uu____1; - } -} - -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_7( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_993(re); -} - -static inline void libcrux_ml_dsa_simd_portable_invntt_invert_ntt_montgomery( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit re[32U], - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]) { - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_3(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_4(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_5(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_6(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_7(re); - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)32U, re, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); - i++) { - size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[i0], (int32_t)41978); - re[i0] = uu____0; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)2680103); } - memcpy(ret, re, - (size_t)32U * - sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 4 +- STEP_BY= 2 +- ZETA= 3111497 */ -static inline void libcrux_ml_dsa_simd_portable_invert_ntt_montgomery_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_units[32U], - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]) { - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit - copy_of_simd_units[32U]; - memcpy(copy_of_simd_units, simd_units, - (size_t)32U * - sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret0[32U]; - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_montgomery(copy_of_simd_units, - ret0); - memcpy(ret, ret0, - (size_t)32U * - sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b0(int32_t (*re)[8U]) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)3111497); + } } /** -A monomorphic instance of K. -with types uint8_t[4032size_t], uint8_t[1952size_t] - -*/ -typedef struct tuple_a0_s { - uint8_t fst[4032U]; - uint8_t snd[1952U]; -} tuple_a0; - -/** -A monomorphic instance of libcrux_ml_dsa.polynomial.PolynomialRingElement -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit - -*/ -typedef struct libcrux_ml_dsa_polynomial_PolynomialRingElement_9b_s { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_units[32U]; -} libcrux_ml_dsa_polynomial_PolynomialRingElement_9b; - -/** -This function found in impl -{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.polynomial.ZERO_ff -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - +- OFFSET= 8 +- STEP_BY= 2 +- ZETA= -2884855 */ -static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b -libcrux_ml_dsa_polynomial_ZERO_ff_ba(void) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b lit; - lit.simd_units[0U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[1U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[2U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[3U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[4U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[5U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[6U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[7U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[8U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[9U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[10U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[11U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[12U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[13U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[14U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[15U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[16U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[17U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[18U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[19U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[20U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[21U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[22U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[23U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[24U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[25U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[26U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[27U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[28U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[29U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[30U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - lit.simd_units[31U] = libcrux_ml_dsa_simd_portable_ZERO_36(); - return lit; +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a80(int32_t (*re)[8U]) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)-2884855); + } } /** -A monomorphic instance of -libcrux_ml_dsa.sample.rejection_sample_less_than_field_modulus with types -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics - +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 12 +- STEP_BY= 2 +- ZETA= 3119733 */ -static KRML_MUSTINLINE bool -libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { - bool done = false; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(randomness, uint8_t) / (size_t)24U; i++) { - size_t _cloop_i = i; - Eurydice_slice random_bytes = - Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)24U, - _cloop_i * (size_t)24U + (size_t)24U, uint8_t); - if (!done) { - Eurydice_slice uu____0 = random_bytes; - size_t sampled = - libcrux_ml_dsa_simd_portable_rejection_sample_less_than_field_modulus_36( - uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, - sampled_coefficients[0U], - int32_t, size_t)); - sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; - if (sampled_coefficients[0U] >= - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - done = true; - } - } +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_950(int32_t (*re)[8U]) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)3119733); } - return done; } /** -A monomorphic instance of libcrux_ml_dsa.sample.update_matrix -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 +- OFFSET= 16 +- STEP_BY= 2 +- ZETA= -2091905 */ -static inline void libcrux_ml_dsa_sample_update_matrix_2f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*m)[5U], size_t i, - size_t j, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b v) { - m[i][j] = v; +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a0(int32_t (*re)[8U]) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)-2091905); + } } /** -This function found in impl -{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.polynomial.from_i32_array_ff -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - +- OFFSET= 20 +- STEP_BY= 2 +- ZETA= -359251 */ -static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b -libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(Eurydice_slice array) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result = - libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_from_coefficient_array_36( - Eurydice_slice_subslice2( - array, - i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, - (i0 + (size_t)1U) * - LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, - int32_t)); - result.simd_units[i0] = uu____0; +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de0(int32_t (*re)[8U]) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)-359251); } - return result; } /** - Sample and write out up to four ring elements. - - If i <= `elements_requested`, a field element with domain separated - seed according to the provided index is generated in - `tmp_stack[i]`. After successful rejection sampling in - `tmp_stack[i]`, the ring element is written to `matrix` at the - provided index in `indices[i]`. - `rand_stack` is a working buffer that holds initial Shake output. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.sample.sample_up_to_four_ring_elements -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 2 +- ZETA= 2353451 */ static KRML_MUSTINLINE void -libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - Eurydice_slice seed, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*matrix)[5U], - uint8_t *rand_stack0, uint8_t *rand_stack1, uint8_t *rand_stack2, - uint8_t *rand_stack3, Eurydice_slice tmp_stack, uint8_t_x2 *indices, - size_t elements_requested) { - uint8_t seed0[34U]; - libcrux_ml_dsa_sample_add_domain_separator(seed, indices[0U], seed0); - uint8_t seed1[34U]; - libcrux_ml_dsa_sample_add_domain_separator(seed, indices[1U], seed1); - uint8_t seed2[34U]; - libcrux_ml_dsa_sample_add_domain_separator(seed, indices[2U], seed2); - uint8_t seed3[34U]; - libcrux_ml_dsa_sample_add_domain_separator(seed, indices[3U], seed3); - libcrux_ml_dsa_hash_functions_portable_Shake128X4 state = - libcrux_ml_dsa_hash_functions_portable_init_absorb_ed( - Eurydice_array_to_slice((size_t)34U, seed0, uint8_t), - Eurydice_array_to_slice((size_t)34U, seed1, uint8_t), - Eurydice_array_to_slice((size_t)34U, seed2, uint8_t), - Eurydice_array_to_slice((size_t)34U, seed3, uint8_t)); - libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks_ed( - &state, rand_stack0, rand_stack1, rand_stack2, rand_stack3); - size_t sampled0 = (size_t)0U; - size_t sampled1 = (size_t)0U; - size_t sampled2 = (size_t)0U; - size_t sampled3 = (size_t)0U; - bool done0 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)840U, rand_stack0, uint8_t), - &sampled0, - Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], - int32_t(*)[263U])); - bool done1 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)840U, rand_stack1, uint8_t), - &sampled1, - Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], - int32_t(*)[263U])); - bool done2 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)840U, rand_stack2, uint8_t), - &sampled2, - Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], - int32_t(*)[263U])); - bool done3 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)840U, rand_stack3, uint8_t), - &sampled3, - Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], - int32_t(*)[263U])); - while (true) { - if (done0) { - if (done1) { - if (done2) { - if (done3) { - break; - } else { - uint8_t_168size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( - &state); - if (!done0) { - done0 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.fst, - uint8_t), - &sampled0, - Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], - int32_t(*)[263U])); - } - if (!done1) { - done1 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.snd, - uint8_t), - &sampled1, - Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], - int32_t(*)[263U])); - } - if (!done2) { - done2 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.thd, - uint8_t), - &sampled2, - Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], - int32_t(*)[263U])); - } - if (!done3) { - done3 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.f3, - uint8_t), - &sampled3, - Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], - int32_t(*)[263U])); - } - } - } else { - uint8_t_168size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( - &state); - if (!done0) { - done0 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.fst, - uint8_t), - &sampled0, - Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], - int32_t(*)[263U])); - } - if (!done1) { - done1 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.snd, - uint8_t), - &sampled1, - Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], - int32_t(*)[263U])); - } - if (!done2) { - done2 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.thd, - uint8_t), - &sampled2, - Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], - int32_t(*)[263U])); - } - if (!done3) { - done3 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.f3, - uint8_t), - &sampled3, - Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], - int32_t(*)[263U])); - } - } - } else { - uint8_t_168size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( - &state); - if (!done0) { - done0 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.fst, - uint8_t), - &sampled0, - Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], - int32_t(*)[263U])); - } - if (!done1) { - done1 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.snd, - uint8_t), - &sampled1, - Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], - int32_t(*)[263U])); - } - if (!done2) { - done2 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.thd, - uint8_t), - &sampled2, - Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], - int32_t(*)[263U])); - } - if (!done3) { - done3 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.f3, - uint8_t), - &sampled3, - Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], - int32_t(*)[263U])); - } - } - } else { - uint8_t_168size_t__x4 randomnesses = - libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed(&state); - if (!done0) { - done0 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.fst, - uint8_t), - &sampled0, - Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], - int32_t(*)[263U])); - } - if (!done1) { - done1 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.snd, - uint8_t), - &sampled1, - Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], - int32_t(*)[263U])); - } - if (!done2) { - done2 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.thd, - uint8_t), - &sampled2, - Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], - int32_t(*)[263U])); - } - if (!done3) { - done3 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( - Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), - &sampled3, - Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], - int32_t(*)[263U])); - } - } - } - for (size_t i0 = (size_t)0U; i0 < elements_requested; i0++) { - size_t k = i0; - size_t uu____0 = k; - uint8_t i = indices[uu____0].fst; - uint8_t j = indices[uu____0].snd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b(*uu____1)[5U] = matrix; - size_t uu____2 = (size_t)i; - size_t uu____3 = (size_t)j; - libcrux_ml_dsa_sample_update_matrix_2f( - uu____1, uu____2, uu____3, - libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(Eurydice_array_to_slice( - (size_t)263U, - Eurydice_slice_index(tmp_stack, k, int32_t[263U], int32_t(*)[263U]), - int32_t))); +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d90(int32_t (*re)[8U]) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)2353451); } } /** -A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_6_by_5 -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_6_by_5_49( - Eurydice_slice seed, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*matrix)[5U]) { - uint8_t rand_stack0[840U] = {0U}; - uint8_t rand_stack1[840U] = {0U}; - uint8_t rand_stack2[840U] = {0U}; - uint8_t rand_stack3[840U] = {0U}; - int32_t tmp_stack[4U][263U] = {{0U}}; - uint8_t_x2 buf[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 0U}), - (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 1U}), - (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 2U}), - (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 3U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf, - (size_t)4U); - uint8_t_x2 buf0[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 4U}), - (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 0U}), - (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 1U}), - (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 2U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf0, - (size_t)4U); - uint8_t_x2 buf1[4U] = {(CLITERAL(uint8_t_x2){.fst = 1U, .snd = 3U}), - (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 4U}), - (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 0U}), - (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 1U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf1, - (size_t)4U); - uint8_t_x2 buf2[4U] = {(CLITERAL(uint8_t_x2){.fst = 2U, .snd = 2U}), - (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 3U}), - (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 4U}), - (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 0U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf2, - (size_t)4U); - uint8_t_x2 buf3[4U] = {(CLITERAL(uint8_t_x2){.fst = 3U, .snd = 1U}), - (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 2U}), - (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 3U}), - (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 4U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf3, - (size_t)4U); - uint8_t_x2 buf4[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 0U}), - (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 1U}), - (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 2U}), - (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 3U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf4, - (size_t)4U); - uint8_t_x2 buf5[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 4U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 0U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 1U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 2U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf5, - (size_t)4U); - uint8_t_x2 buf6[4U] = {(CLITERAL(uint8_t_x2){.fst = 5U, .snd = 3U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 4U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 5U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 6U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_49( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf6, - (size_t)2U); -} - -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_generic -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 2 +- ZETA= 1826347 */ -static inline void libcrux_ml_dsa_samplex4_matrix_generic_49( - Eurydice_slice seed, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*matrix)[5U]) { - uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)6U, .snd = (uint8_t)(size_t)5U}; - switch (uu____0.fst) { - case 6U: { - switch (uu____0.snd) { - case 5U: { - libcrux_ml_dsa_samplex4_matrix_6_by_5_49(seed, matrix); - return; - } - default: { - } - } - break; - } - default: { - } +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b1(int32_t (*re)[8U]) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)1826347); } - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "panic!"); - KRML_HOST_EXIT(255U); +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_4(int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_990(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b0(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a80(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_950(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a0(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de0(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d90(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b1(re); } /** -This function found in impl {(libcrux_ml_dsa::samplex4::X4Sampler for -libcrux_ml_dsa::samplex4::portable::PortableSampler)} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.portable.matrix_36 -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 +- OFFSET= 0 +- STEP_BY= 4 +- ZETA= 466468 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_portable_matrix_36_2f( - Eurydice_slice seed, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*matrix)[5U]) { - libcrux_ml_dsa_samplex4_matrix_generic_49(seed, matrix); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_991(int32_t (*re)[8U]) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)4U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)4U], (int32_t)466468); + } } /** -A monomorphic instance of libcrux_ml_dsa.sample.sample_four_error_ring_elements -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics -- ETA= 4 +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 4 +- ZETA= -876248 */ static KRML_MUSTINLINE void -libcrux_ml_dsa_sample_sample_four_error_ring_elements_92(Eurydice_slice seed, - uint16_t start_index, - Eurydice_slice re) { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::cmp::impls::{core::cmp::Ord for usize}#59 min\")\n"); - KRML_HOST_EXIT(255U); +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a81(int32_t (*re)[8U]) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)4U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)4U], (int32_t)-876248); + } } /** -A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2 -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics -- ETA= 4 -- ROW_COLUMN= 11 +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 4 +- ZETA= -777960 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_sample_s1_and_s2_3d( - Eurydice_slice seed, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *s1_s2) { - for (size_t i = (size_t)0U; - i < core_num__usize_11__div_ceil((size_t)11U, (size_t)4U); i++) { - size_t i0 = i; - libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( - seed, 4U * (uint32_t)(uint16_t)i0, - Eurydice_array_to_slice( - (size_t)11U, s1_s2, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a1(int32_t (*re)[8U]) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)4U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)4U], (int32_t)-777960); } } /** -A monomorphic instance of libcrux_ml_dsa.ntt.ntt -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - +- OFFSET= 24 +- STEP_BY= 4 +- ZETA= 237124 */ -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b -libcrux_ml_dsa_ntt_ntt_ba( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0[32U]; - memcpy(uu____0, re.simd_units, - (size_t)32U * - sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b lit; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]; - libcrux_ml_dsa_simd_portable_ntt_36(uu____0, ret); - memcpy(lit.simd_units, ret, - (size_t)32U * - sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); - return lit; +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d91(int32_t (*re)[8U]) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)4U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)4U], (int32_t)237124); + } +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_5(int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_991(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a81(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a1(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d91(re); } /** -A monomorphic instance of libcrux_ml_dsa.matrix.compute_As1_plus_s2.closure -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 +- OFFSET= 0 +- STEP_BY= 8 +- ZETA= -518909 */ -static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b -libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_2f(Eurydice_slice *state, - size_t i) { - return libcrux_ml_dsa_ntt_ntt_ba(Eurydice_slice_index( - state[0U], i, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *)); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_992(int32_t (*re)[8U]) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)8U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)8U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)8U], (int32_t)-518909); + } } /** -A monomorphic instance of libcrux_ml_dsa.ntt.ntt_multiply_montgomery -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - +- OFFSET= 16 +- STEP_BY= 8 +- ZETA= -2608894 */ -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b -libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *lhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b out = - libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)32U, out.simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); - i++) { - size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_montgomery_multiply_36( - lhs->simd_units[i0], rhs->simd_units[i0]); - out.simd_units[i0] = uu____0; +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a2(int32_t (*re)[8U]) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)8U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)8U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)8U], (int32_t)-2608894); } - return out; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_6(int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_992(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a2(re); } /** -This function found in impl -{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.polynomial.add_ff -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - +- OFFSET= 0 +- STEP_BY= 16 +- ZETA= 25847 */ -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b -libcrux_ml_dsa_polynomial_add_ff_ba( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *self, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b sum = - libcrux_ml_dsa_polynomial_ZERO_ff_ba(); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_993(int32_t (*re)[8U]) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { + size_t j = i; + int32_t rejs[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, re[j + (size_t)16U], rejs, int32_t, void *); + int32_t a_minus_b[8U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)8U, rejs, a_minus_b, int32_t, void *); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); + int32_t uu____0[8U]; + memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)16U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)16U], (int32_t)25847); + } +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_7(int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_993(re); +} + +static inline void libcrux_ml_dsa_simd_portable_invntt_invert_ntt_montgomery( + int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_3(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_4(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_5(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_6(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_7(re); for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)32U, sum.simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i < + Eurydice_slice_len(Eurydice_array_to_slice((size_t)32U, re, int32_t[8U]), + int32_t[8U]); i++) { size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_add_36(&self->simd_units[i0], - &rhs->simd_units[i0]); - sum.simd_units[i0] = uu____0; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[i0], (int32_t)41978); } - return sum; } /** -A monomorphic instance of libcrux_ml_dsa.ntt.invert_ntt_montgomery -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics - +- OFFSET= 0 +- STEP_BY= 16 +- ZETA= 25847 */ -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b -libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0[32U]; - memcpy(uu____0, re.simd_units, - (size_t)32U * - sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b lit; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]; - libcrux_ml_dsa_simd_portable_invert_ntt_montgomery_36(uu____0, ret); - memcpy(lit.simd_units, ret, - (size_t)32U * - sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); - return lit; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_99( + int32_t (*re)[8U]) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)16U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)25847); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)16U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)16U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_7( + int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_99(re); } /** - Compute InvertNTT(Â ◦ ŝ₁) + s₂ -*/ -/** -A monomorphic instance of libcrux_ml_dsa.matrix.compute_As1_plus_s2 -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 +- OFFSET= 0 +- STEP_BY= 8 +- ZETA= -2608894 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_As1_plus_s2_2f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*a_as_ntt)[5U], - Eurydice_slice s1_s2, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1_ntt[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - s1_ntt[i] = libcrux_ml_dsa_ntt_ntt_ba(Eurydice_slice_index( - s1_s2, i, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *)); - } - for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { - size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - size_t j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b product = - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(&a_as_ntt[i1][j], - &s1_ntt[j]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &product); - result[i1] = uu____0; - } - } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, result, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - i++) { - size_t i0 = i; - result[i0] = libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba(result[i0]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = - libcrux_ml_dsa_polynomial_add_ff_ba( - &result[i0], - &Eurydice_slice_index( - s1_s2, (size_t)5U + i0, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *)); - result[i0] = uu____2; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_990( + int32_t (*re)[8U]) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)8U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-2608894); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)8U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)8U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); } } -typedef struct - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2_s { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b fst[6U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd[6U]; -} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2; - /** -A monomorphic instance of libcrux_ml_dsa.arithmetic.power2round_vector -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics -- DIMENSION= 6 +- OFFSET= 16 +- STEP_BY= 8 +- ZETA= -518909 */ -static KRML_MUSTINLINE - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 - libcrux_ml_dsa_arithmetic_power2round_vector_07( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - t0[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - t1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, t, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - i0++) { - size_t i1 = i0; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = &t[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)32U, ring_element->simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); - i++) { - size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = - &ring_element->simd_units[j]; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 uu____0 = - libcrux_ml_dsa_simd_portable_power2round_36(simd_unit[0U]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t0_unit = - uu____0.fst; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t1_unit = - uu____0.snd; - t0[i1].simd_units[j] = t0_unit; - t1[i1].simd_units[j] = t1_unit; - } +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a( + int32_t (*re)[8U]) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)8U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-518909); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)8U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)8U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); } - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t0[6U]; - memcpy( - copy_of_t0, t0, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U]; - memcpy( - copy_of_t1, t1, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 - lit; - memcpy( - lit.fst, copy_of_t0, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - memcpy( - lit.snd, copy_of_t1, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - return lit; +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_6( + int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_990(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a(re); } /** -A monomorphic instance of libcrux_ml_dsa.encoding.t1.serialize -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics - +- OFFSET= 0 +- STEP_BY= 4 +- ZETA= 237124 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_ba( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, uint8_t ret[320U]) { - uint8_t serialized[320U] = {0U}; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)32U, re.simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); - i++) { - size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = - &re.simd_units[i0]; - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, - i0 * LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, - (i0 + (size_t)1U) * - LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, - uint8_t); - uint8_t ret0[10U]; - libcrux_ml_dsa_simd_portable_t1_serialize_36(simd_unit[0U], ret0); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)10U, ret0, uint8_t), uint8_t); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_991( + int32_t (*re)[8U]) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)4U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)237124); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)4U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); } - memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** -A monomorphic instance of -libcrux_ml_dsa.encoding.verification_key.generate_serialized with types -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics -- ROWS_IN_A= 6 -- VERIFICATION_KEY_SIZE= 1952 +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 4 +- ZETA= -777960 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_encoding_verification_key_generate_serialized_2f( - Eurydice_slice seed_for_A, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U], - uint8_t ret[1952U]) { - uint8_t verification_key_serialized[1952U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_subslice2( - verification_key_serialized, (size_t)0U, - LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t), - seed_for_A, uint8_t); - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, t1, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - i++) { - size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = &t1[i0]; - size_t offset = LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + - i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE; - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - verification_key_serialized, offset, - offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, uint8_t); - uint8_t ret0[320U]; - libcrux_ml_dsa_encoding_t1_serialize_ba(ring_element[0U], ret0); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)320U, ret0, uint8_t), uint8_t); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a8( + int32_t (*re)[8U]) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)4U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-777960); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)4U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); } - memcpy(ret, verification_key_serialized, (size_t)1952U * sizeof(uint8_t)); } /** -A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256 +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics -- OUTPUT_LENGTH= 64 +- OFFSET= 16 +- STEP_BY= 4 +- ZETA= -876248 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake256_24( - Eurydice_slice input, uint8_t *out) { - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)64U, out, uint8_t), input); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a0( + int32_t (*re)[8U]) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)4U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-876248); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)4U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } } /** -This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof -for libcrux_ml_dsa::hash_functions::portable::Shake256)#2} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_5c +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics -- OUTPUT_LENGTH= 64 +- OFFSET= 24 +- STEP_BY= 4 +- ZETA= 466468 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_hash_functions_portable_shake256_5c_24(Eurydice_slice input, - uint8_t *out) { - libcrux_ml_dsa_hash_functions_portable_shake256_24(input, out); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d9( + int32_t (*re)[8U]) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)4U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)466468); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)4U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_5( + int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_991(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a8(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a0(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d9(re); } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.encoding.error.serialize +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics -- ETA= 4 +- OFFSET= 0 +- STEP_BY= 2 +- ZETA= 1826347 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_error_serialize_ac( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - Eurydice_slice serialized) { - libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_4( - simd_unit, serialized); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_992( + int32_t (*re)[8U]) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)1826347); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 4 +- STEP_BY= 2 +- ZETA= 2353451 */ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b( + int32_t (*re)[8U]) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)2353451); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } +} + /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.error_serialize_36 +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics -- ETA= 4 +- OFFSET= 8 +- STEP_BY= 2 +- ZETA= -359251 */ -static inline void libcrux_ml_dsa_simd_portable_error_serialize_36_ac( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - Eurydice_slice serialized) { - libcrux_ml_dsa_simd_portable_encoding_error_serialize_ac(simd_unit, - serialized); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a80( + int32_t (*re)[8U]) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-359251); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } } /** -A monomorphic instance of libcrux_ml_dsa.encoding.error.serialize -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics -- ETA= 4 -- OUTPUT_SIZE= 128 +- OFFSET= 12 +- STEP_BY= 2 +- ZETA= -2091905 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *re, - Eurydice_slice serialized) { - size_t output_bytes_per_simd_unit; - output_bytes_per_simd_unit = (size_t)4U; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)32U, re->simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); - i++) { - size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = - &re->simd_units[i0]; - libcrux_ml_dsa_simd_portable_error_serialize_36_ac( - simd_unit[0U], - Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit, - (i0 + (size_t)1U) * output_bytes_per_simd_unit, - uint8_t)); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_95( + int32_t (*re)[8U]) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-2091905); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); } } /** -A monomorphic instance of libcrux_ml_dsa.encoding.t0.serialize -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics - +- OFFSET= 16 +- STEP_BY= 2 +- ZETA= 3119733 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_serialize_ba( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, - Eurydice_slice serialized) { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)32U, re.simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); - i++) { - size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = - &re.simd_units[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice2( - serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, - (i0 + (size_t)1U) * - LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, - uint8_t); - uint8_t ret[13U]; - libcrux_ml_dsa_simd_portable_t0_serialize_36(simd_unit[0U], ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)13U, ret, uint8_t), uint8_t); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a1( + int32_t (*re)[8U]) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)3119733); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); } } /** -A monomorphic instance of -libcrux_ml_dsa.encoding.signing_key.generate_serialized with types -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake256 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- SIGNING_KEY_SIZE= 4032 +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 20 +- STEP_BY= 2 +- ZETA= -2884855 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2( - Eurydice_slice seed_for_A, Eurydice_slice seed_for_signing, - Eurydice_slice verification_key, Eurydice_slice s1_2, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0[6U], - uint8_t ret[4032U]) { - uint8_t signing_key_serialized[4032U] = {0U}; - size_t offset = (size_t)0U; - Eurydice_slice_copy( - Eurydice_array_to_subslice2( - signing_key_serialized, offset, - offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t), - seed_for_A, uint8_t); - offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE; - Eurydice_slice_copy( - Eurydice_array_to_subslice2( - signing_key_serialized, offset, - offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, uint8_t), - seed_for_signing, uint8_t); - offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE; - uint8_t verification_key_hash[64U] = {0U}; - libcrux_ml_dsa_hash_functions_portable_shake256_5c_24(verification_key, - verification_key_hash); - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - signing_key_serialized, offset, - offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, - uint8_t); - Eurydice_slice_copy( - uu____0, - Eurydice_array_to_slice((size_t)64U, verification_key_hash, uint8_t), - uint8_t); - offset = offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - s1_2, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - i++) { - size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *uu____1 = - &Eurydice_slice_index( - s1_2, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *); - libcrux_ml_dsa_encoding_error_serialize_ea( - uu____1, Eurydice_array_to_subslice2(signing_key_serialized, offset, - offset + (size_t)128U, uint8_t)); - offset = offset + (size_t)128U; - } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, t0, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - i++) { - size_t _cloop_j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = - &t0[_cloop_j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = - ring_element[0U]; - libcrux_ml_dsa_encoding_t0_serialize_ba( - uu____2, Eurydice_array_to_subslice2( - signing_key_serialized, offset, - offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, - uint8_t)); - offset = offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de( + int32_t (*re)[8U]) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-2884855); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); } - memcpy(ret, signing_key_serialized, (size_t)4032U * sizeof(uint8_t)); } /** - Generate a key pair. +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 2 +- ZETA= 3111497 */ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d90( + int32_t (*re)[8U]) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)3111497); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } +} + /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.generate_key_pair -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_samplex4_portable_PortableSampler, -libcrux_ml_dsa_hash_functions_portable_Shake128X4, -libcrux_ml_dsa_hash_functions_portable_Shake256, -libcrux_ml_dsa_hash_functions_portable_Shake256Xof, -libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ROW_COLUMN= 11 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- SIGNING_KEY_SIZE= 4032 -- VERIFICATION_KEY_SIZE= 1952 +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 2 +- ZETA= 2680103 */ -static KRML_MUSTINLINE tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_fc(uint8_t randomness[32U]) { - uint8_t seed_expanded0[128U] = {0U}; - libcrux_sha3_portable_incremental_Shake256Xof shake = - libcrux_ml_dsa_hash_functions_portable_init_83(); - libcrux_ml_dsa_hash_functions_portable_absorb_83( - &shake, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t)); - uint8_t buf[2U] = {(uint8_t)(size_t)6U, (uint8_t)(size_t)5U}; - libcrux_ml_dsa_hash_functions_portable_absorb_final_83( - &shake, Eurydice_array_to_slice((size_t)2U, buf, uint8_t)); - libcrux_ml_dsa_hash_functions_portable_squeeze_83( - &shake, Eurydice_array_to_slice((size_t)128U, seed_expanded0, uint8_t)); - Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( - Eurydice_array_to_slice((size_t)128U, seed_expanded0, uint8_t), - LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, - Eurydice_slice_uint8_t_x2); - Eurydice_slice seed_for_a = uu____0.fst; - Eurydice_slice seed_expanded = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( - seed_expanded, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_ERROR_VECTORS_SIZE, - uint8_t, Eurydice_slice_uint8_t_x2); - Eurydice_slice seed_for_error_vectors = uu____1.fst; - Eurydice_slice seed_for_signing = uu____1.snd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b a_as_ntt[6U][5U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - a_as_ntt[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - a_as_ntt[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - a_as_ntt[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - a_as_ntt[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - a_as_ntt[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - libcrux_ml_dsa_samplex4_portable_matrix_36_2f(seed_for_a, a_as_ntt); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1_s2[11U]; - for (size_t i = (size_t)0U; i < (size_t)11U; i++) { - s1_s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - libcrux_ml_dsa_samplex4_sample_s1_and_s2_3d(seed_for_error_vectors, s1_s2); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - t[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - libcrux_ml_dsa_matrix_compute_As1_plus_s2_2f( - a_as_ntt, - Eurydice_array_to_slice( - (size_t)11U, s1_s2, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - t); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t[6U]; - memcpy( - copy_of_t, t, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 - uu____3 = libcrux_ml_dsa_arithmetic_power2round_vector_07(copy_of_t); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0[6U]; - memcpy( - t0, uu____3.fst, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U]; - memcpy( - t1, uu____3.snd, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - Eurydice_slice uu____4 = seed_for_a; - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U]; - memcpy( - copy_of_t1, t1, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - uint8_t verification_key_serialized[1952U]; - libcrux_ml_dsa_encoding_verification_key_generate_serialized_2f( - uu____4, copy_of_t1, verification_key_serialized); - Eurydice_slice uu____6 = seed_for_a; - Eurydice_slice uu____7 = seed_for_signing; - Eurydice_slice uu____8 = Eurydice_array_to_slice( - (size_t)1952U, verification_key_serialized, uint8_t); - Eurydice_slice uu____9 = Eurydice_array_to_slice( - (size_t)11U, s1_s2, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t0[6U]; - memcpy( - copy_of_t0, t0, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - uint8_t signing_key_serialized[4032U]; - libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2( - uu____6, uu____7, uu____8, uu____9, copy_of_t0, signing_key_serialized); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_signing_key_serialized[4032U]; - memcpy(copy_of_signing_key_serialized, signing_key_serialized, - (size_t)4032U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_verification_key_serialized[1952U]; - memcpy(copy_of_verification_key_serialized, verification_key_serialized, - (size_t)1952U * sizeof(uint8_t)); - tuple_a0 lit; - memcpy(lit.fst, copy_of_signing_key_serialized, - (size_t)4032U * sizeof(uint8_t)); - memcpy(lit.snd, copy_of_verification_key_serialized, - (size_t)1952U * sizeof(uint8_t)); - return lit; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b( + int32_t (*re)[8U]) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)2680103); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_4( + int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_992(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a80(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_95(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a1(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d90(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b(re); } /** - Generate key pair. +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 1 +- ZETA= 2725464 */ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_993( + int32_t (*re)[8U]) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)2725464); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } +} + /** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.generate_key_pair with -const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ROW_COLUMN= 11 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- SIGNING_KEY_SIZE= 4032 -- VERIFICATION_KEY_SIZE= 1952 +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 2 +- STEP_BY= 1 +- ZETA= 1024112 */ -static inline tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_c9( - uint8_t randomness[32U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_fc(copy_of_randomness); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1c( + int32_t (*re)[8U]) { + for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)1024112); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } } /** - Generate an ML-DSA-65 Key Pair +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 4 +- STEP_BY= 1 +- ZETA= -1079900 */ -static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair -libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(uint8_t randomness[32U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - tuple_a0 uu____1 = - libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_c9( - copy_of_randomness); - uint8_t signing_key[4032U]; - memcpy(signing_key, uu____1.fst, (size_t)4032U * sizeof(uint8_t)); - uint8_t verification_key[1952U]; - memcpy(verification_key, uu____1.snd, (size_t)1952U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_signing_key[4032U]; - memcpy(copy_of_signing_key, signing_key, (size_t)4032U * sizeof(uint8_t)); - libcrux_ml_dsa_types_MLDSASigningKey_22 uu____3 = - libcrux_ml_dsa_types_new_9b_09(copy_of_signing_key); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_verification_key[1952U]; - memcpy(copy_of_verification_key, verification_key, - (size_t)1952U * sizeof(uint8_t)); - libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair lit; - lit.signing_key = uu____3; - lit.verification_key = - libcrux_ml_dsa_types_new_66_97(copy_of_verification_key); - return lit; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b0( + int32_t (*re)[8U]) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-1079900); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } } /** -A monomorphic instance of K. -with types int32_t[256size_t][6size_t], size_t - +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 6 +- STEP_BY= 1 +- ZETA= 3585928 */ -typedef struct tuple_e6_s { - int32_t fst[6U][256U]; - size_t snd; -} tuple_e6; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_44( + int32_t (*re)[8U]) { + for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)3585928); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } +} /** -A monomorphic instance of core.option.Option -with types libcrux_ml_dsa_pre_hash_DomainSeparationContext - +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 1 +- ZETA= -549488 */ -typedef struct Option_84_s { - Option_d8_tags tag; - libcrux_ml_dsa_pre_hash_DomainSeparationContext f0; -} Option_84; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a81( + int32_t (*re)[8U]) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-549488); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } +} /** -A monomorphic instance of K. -with types uint8_t[32size_t], uint8_t[32size_t], uint8_t[64size_t], -libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[5size_t], -libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[6size_t], -libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[6size_t] - +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 10 +- STEP_BY= 1 +- ZETA= -1119584 */ -typedef struct tuple_f0_s { - uint8_t fst[32U]; - uint8_t snd[32U]; - uint8_t thd[64U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f3[5U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f4[6U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f5[6U]; -} tuple_f0; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1f( + int32_t (*re)[8U]) { + for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-1119584); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } +} /** -A monomorphic instance of -libcrux_ml_dsa.simd.portable.encoding.error.deserialize with const generics -- ETA= 4 +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 12 +- STEP_BY= 1 +- ZETA= 2619752 */ -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_encoding_error_deserialize_ac( - Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_4( - serialized); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_950( + int32_t (*re)[8U]) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)2619752); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 14 +- STEP_BY= 1 +- ZETA= -2108549 */ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b0( + int32_t (*re)[8U]) { + for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-2108549); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } +} + /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.error_deserialize_36 +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics -- ETA= 4 +- OFFSET= 16 +- STEP_BY= 1 +- ZETA= -2118186 */ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_error_deserialize_36_ac( - Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_portable_encoding_error_deserialize_ac(serialized); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a2( + int32_t (*re)[8U]) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-2118186); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } } /** -A monomorphic instance of libcrux_ml_dsa.encoding.error.deserialize -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics -- ETA= 4 +- OFFSET= 18 +- STEP_BY= 1 +- ZETA= -3859737 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_deserialize_73( - Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) { - size_t chunk_size; - chunk_size = (size_t)4U; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)32U, result->simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); - i++) { - size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_error_deserialize_36_ac( - Eurydice_slice_subslice2(serialized, i0 * chunk_size, - (i0 + (size_t)1U) * chunk_size, uint8_t)); - result->simd_units[i0] = uu____0; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_e4( + int32_t (*re)[8U]) { + for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-3859737); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); } } /** -A monomorphic instance of -libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics -- DIMENSION= 5 -- ETA= 4 -- RING_ELEMENT_SIZE= 128 +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 20 +- STEP_BY= 1 +- ZETA= -1399561 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_76( - Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ring_elements[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(serialized, uint8_t) / (size_t)128U; i++) { - size_t i0 = i; - Eurydice_slice bytes = - Eurydice_slice_subslice2(serialized, i0 * (size_t)128U, - i0 * (size_t)128U + (size_t)128U, uint8_t); - libcrux_ml_dsa_encoding_error_deserialize_73(bytes, &ring_elements[i0]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - libcrux_ml_dsa_ntt_ntt_ba(ring_elements[i0]); - ring_elements[i0] = uu____0; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de0( + int32_t (*re)[8U]) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-1399561); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); } - memcpy( - ret, ring_elements, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); } /** -A monomorphic instance of -libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics -- DIMENSION= 6 -- ETA= 4 -- RING_ELEMENT_SIZE= 128 +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 22 +- STEP_BY= 1 +- ZETA= -3277672 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5d( - Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ring_elements[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(serialized, uint8_t) / (size_t)128U; i++) { - size_t i0 = i; - Eurydice_slice bytes = - Eurydice_slice_subslice2(serialized, i0 * (size_t)128U, - i0 * (size_t)128U + (size_t)128U, uint8_t); - libcrux_ml_dsa_encoding_error_deserialize_73(bytes, &ring_elements[i0]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - libcrux_ml_dsa_ntt_ntt_ba(ring_elements[i0]); - ring_elements[i0] = uu____0; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_05( + int32_t (*re)[8U]) { + for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-3277672); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); } - memcpy( - ret, ring_elements, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); } /** -A monomorphic instance of libcrux_ml_dsa.encoding.t0.deserialize -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics +- OFFSET= 24 +- STEP_BY= 1 +- ZETA= 1757237 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d91( + int32_t (*re)[8U]) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)1757237); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } +} +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 26 +- STEP_BY= 1 +- ZETA= -19422 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_deserialize_ba( - Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)32U, result->simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); - i++) { - size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_t0_deserialize_36(Eurydice_slice_subslice2( - serialized, - i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, - (i0 + (size_t)1U) * - LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, - uint8_t)); - result->simd_units[i0] = uu____0; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3a( + int32_t (*re)[8U]) { + for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)-19422); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); } } /** -A monomorphic instance of -libcrux_ml_dsa.encoding.t0.deserialize_to_vector_then_ntt with types -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics -- DIMENSION= 6 +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 1 +- ZETA= 4010497 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_07( - Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ring_elements[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(serialized, uint8_t) / - LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; - i++) { - size_t i0 = i; - Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, - i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE + - LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, - uint8_t); - libcrux_ml_dsa_encoding_t0_deserialize_ba(bytes, &ring_elements[i0]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - libcrux_ml_dsa_ntt_ntt_ba(ring_elements[i0]); - ring_elements[i0] = uu____0; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b1( + int32_t (*re)[8U]) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)4010497); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); } - memcpy( - ret, ring_elements, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); } /** -A monomorphic instance of -libcrux_ml_dsa.encoding.signing_key.deserialize_then_ntt with types -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- SIGNING_KEY_SIZE= 4032 +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 30 +- STEP_BY= 1 +- ZETA= 280005 */ -static KRML_MUSTINLINE tuple_f0 -libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_c6( - uint8_t *serialized) { - Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( - Eurydice_array_to_slice((size_t)4032U, serialized, uint8_t), - LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, - Eurydice_slice_uint8_t_x2); - Eurydice_slice seed_for_A = uu____0.fst; - Eurydice_slice remaining_serialized0 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( - remaining_serialized0, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, - uint8_t, Eurydice_slice_uint8_t_x2); - Eurydice_slice seed_for_signing = uu____1.fst; - Eurydice_slice remaining_serialized1 = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( - remaining_serialized1, - LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, uint8_t, - Eurydice_slice_uint8_t_x2); - Eurydice_slice verification_key_hash = uu____2.fst; - Eurydice_slice remaining_serialized2 = uu____2.snd; - Eurydice_slice_uint8_t_x2 uu____3 = - Eurydice_slice_split_at(remaining_serialized2, (size_t)128U * (size_t)5U, - uint8_t, Eurydice_slice_uint8_t_x2); - Eurydice_slice s1_serialized = uu____3.fst; - Eurydice_slice remaining_serialized = uu____3.snd; - Eurydice_slice_uint8_t_x2 uu____4 = - Eurydice_slice_split_at(remaining_serialized, (size_t)128U * (size_t)6U, - uint8_t, Eurydice_slice_uint8_t_x2); - Eurydice_slice s2_serialized = uu____4.fst; - Eurydice_slice t0_serialized = uu____4.snd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1_as_ntt[5U]; - libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_76(s1_serialized, - s1_as_ntt); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2_as_ntt[6U]; - libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5d(s2_serialized, - s2_as_ntt); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0_as_ntt[6U]; - libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_07(t0_serialized, - t0_as_ntt); - uint8_t uu____5[32U]; - Result_fb dst0; - Eurydice_slice_to_array2(&dst0, seed_for_A, Eurydice_slice, uint8_t[32U]); - unwrap_26_b3(dst0, uu____5); - uint8_t uu____6[32U]; - Result_fb dst1; - Eurydice_slice_to_array2(&dst1, seed_for_signing, Eurydice_slice, - uint8_t[32U]); - unwrap_26_b3(dst1, uu____6); - uint8_t uu____7[64U]; - Result_f2 dst; - Eurydice_slice_to_array2(&dst, verification_key_hash, Eurydice_slice, - uint8_t[64U]); - unwrap_26_4b(dst, uu____7); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1_as_ntt[5U]; - memcpy( - copy_of_s1_as_ntt, s1_as_ntt, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2_as_ntt[6U]; - memcpy( - copy_of_s2_as_ntt, s2_as_ntt, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t0_as_ntt[6U]; - memcpy( - copy_of_t0_as_ntt, t0_as_ntt, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - tuple_f0 lit; - memcpy(lit.fst, uu____5, (size_t)32U * sizeof(uint8_t)); - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - memcpy(lit.thd, uu____7, (size_t)64U * sizeof(uint8_t)); - memcpy( - lit.f3, copy_of_s1_as_ntt, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - memcpy( - lit.f4, copy_of_s2_as_ntt, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - memcpy( - lit.f5, copy_of_t0_as_ntt, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - return lit; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a0( + int32_t (*re)[8U]) { + for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { + size_t j = i; + int32_t tmp[8U]; + memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + tmp, (int32_t)280005); + int32_t uu____0[8U]; + memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); + memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + } } -/** - This corresponds to line 6 in algorithm 7 in FIPS 204 (line 7 in algorithm - 8, resp.). +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_3( + int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_993(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1c(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b0(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_44(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a81(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1f(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_950(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b0(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a2(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_e4(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de0(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_05(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d91(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3a(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b1(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a0(re); +} - If `domain_separation_context` is supplied, applies domain - separation and length encoding to the context string, - before appending the message (in the regular variant) or the - pre-hash OID as well as the pre-hashed message digest. Otherwise, - it is assumed that `message` already contains domain separation - information. +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_2(int32_t *simd_unit, + int32_t zeta) { + int32_t t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit[4U], zeta); + simd_unit[4U] = simd_unit[0U] - t; + simd_unit[0U] = simd_unit[0U] + t; + int32_t t0 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit[5U], zeta); + simd_unit[5U] = simd_unit[1U] - t0; + simd_unit[1U] = simd_unit[1U] + t0; + int32_t t1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit[6U], zeta); + simd_unit[6U] = simd_unit[2U] - t1; + simd_unit[2U] = simd_unit[2U] + t1; + int32_t t2 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit[7U], zeta); + simd_unit[7U] = simd_unit[3U] - t2; + simd_unit[3U] = simd_unit[3U] + t2; +} - In FIPS 204 M' is the concatenation of the domain separated context, any - potential pre-hash OID and the message (or the message pre-hash). We do not - explicitely construct the concatenation in memory since it is of statically - unknown length, but feed its components directly into the incremental XOF. +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(int32_t (*re)[8U], + size_t index, + int32_t zeta) { + libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_2(re[index], zeta); +} - Refer to line 10 of Algorithm 2 (and line 5 of Algorithm 3, resp.) in [FIPS - 204](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#section.5) - for details on the domain separation for regular ML-DSA. Line - 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation - for the HashMl-DSA variant. -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.derive_message_representative with types -libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2( + int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)0U, + (int32_t)2706023); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)1U, + (int32_t)95776); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)2U, + (int32_t)3077325); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)3U, + (int32_t)3530437); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)4U, + (int32_t)-1661693); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)5U, + (int32_t)-3592148); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)6U, + (int32_t)-2537516); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)7U, + (int32_t)3915439); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)8U, + (int32_t)-3861115); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)9U, + (int32_t)-3043716); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)10U, + (int32_t)3574422); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)11U, + (int32_t)-2867647); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)12U, + (int32_t)3539968); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)13U, + (int32_t)-300467); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)14U, + (int32_t)2348700); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)15U, + (int32_t)-539299); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)16U, + (int32_t)-1699267); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)17U, + (int32_t)-1643818); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)18U, + (int32_t)3505694); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)19U, + (int32_t)-3821735); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)20U, + (int32_t)3507263); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)21U, + (int32_t)-2140649); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)22U, + (int32_t)-1600420); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)23U, + (int32_t)3699596); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)24U, + (int32_t)811944); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)25U, + (int32_t)531354); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)26U, + (int32_t)954230); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)27U, + (int32_t)3881043); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)28U, + (int32_t)3900724); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)29U, + (int32_t)-2556880); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)30U, + (int32_t)2071892); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)31U, + (int32_t)-2797779); +} -*/ static KRML_MUSTINLINE void -libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b( - uint8_t verification_key_hash[64U], Option_84 domain_separation_context, - Eurydice_slice message, uint8_t *message_representative) { - libcrux_sha3_portable_incremental_Shake256Xof shake = - libcrux_ml_dsa_hash_functions_portable_init_83(); - libcrux_ml_dsa_hash_functions_portable_absorb_83( - &shake, - Eurydice_array_to_slice((size_t)64U, verification_key_hash, uint8_t)); - if (domain_separation_context.tag == Some) { - libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context0 = - domain_separation_context.f0; - libcrux_sha3_portable_incremental_Shake256Xof *uu____0 = &shake; - uint8_t buf0[1U] = { - (uint8_t)core_option__core__option__Option_T__TraitClause_0___is_some( - libcrux_ml_dsa_pre_hash_pre_hash_oid_45( - &domain_separation_context0), - uint8_t[11U], bool)}; - libcrux_ml_dsa_hash_functions_portable_absorb_83( - uu____0, Eurydice_array_to_slice((size_t)1U, buf0, uint8_t)); - libcrux_sha3_portable_incremental_Shake256Xof *uu____1 = &shake; - uint8_t buf[1U] = {(uint8_t)Eurydice_slice_len( - libcrux_ml_dsa_pre_hash_context_45(&domain_separation_context0), - uint8_t)}; - libcrux_ml_dsa_hash_functions_portable_absorb_83( - uu____1, Eurydice_array_to_slice((size_t)1U, buf, uint8_t)); - libcrux_ml_dsa_hash_functions_portable_absorb_83( - &shake, - libcrux_ml_dsa_pre_hash_context_45(&domain_separation_context0)); - Option_30 *uu____2 = - libcrux_ml_dsa_pre_hash_pre_hash_oid_45(&domain_separation_context0); - if (uu____2->tag == Some) { - uint8_t *pre_hash_oid = uu____2->f0; - libcrux_ml_dsa_hash_functions_portable_absorb_83( - &shake, Eurydice_array_to_slice((size_t)11U, pre_hash_oid, uint8_t)); - } - } - libcrux_ml_dsa_hash_functions_portable_absorb_final_83(&shake, message); - libcrux_ml_dsa_hash_functions_portable_squeeze_83( - &shake, - Eurydice_array_to_slice((size_t)64U, message_representative, uint8_t)); +libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_1(int32_t *simd_unit, + int32_t zeta1, + int32_t zeta2) { + int32_t t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit[2U], zeta1); + simd_unit[2U] = simd_unit[0U] - t; + simd_unit[0U] = simd_unit[0U] + t; + int32_t t0 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit[3U], zeta1); + simd_unit[3U] = simd_unit[1U] - t0; + simd_unit[1U] = simd_unit[1U] + t0; + int32_t t1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit[6U], zeta2); + simd_unit[6U] = simd_unit[4U] - t1; + simd_unit[4U] = simd_unit[4U] + t1; + int32_t t2 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit[7U], zeta2); + simd_unit[7U] = simd_unit[5U] - t2; + simd_unit[5U] = simd_unit[5U] + t2; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(int32_t (*re)[8U], + size_t index, + int32_t zeta_0, + int32_t zeta_1) { + libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_1(re[index], zeta_0, + zeta_1); +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1( + int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)0U, (int32_t)-3930395, (int32_t)-1528703); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)1U, (int32_t)-3677745, (int32_t)-3041255); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)2U, (int32_t)-1452451, (int32_t)3475950); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)3U, (int32_t)2176455, (int32_t)-1585221); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)4U, (int32_t)-1257611, (int32_t)1939314); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)5U, (int32_t)-4083598, (int32_t)-1000202); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)6U, (int32_t)-3190144, (int32_t)-3157330); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)7U, (int32_t)-3632928, (int32_t)126922); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)8U, (int32_t)3412210, (int32_t)-983419); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)9U, (int32_t)2147896, (int32_t)2715295); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)10U, (int32_t)-2967645, (int32_t)-3693493); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)11U, (int32_t)-411027, (int32_t)-2477047); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)12U, (int32_t)-671102, (int32_t)-1228525); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)13U, (int32_t)-22981, (int32_t)-1308169); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)14U, (int32_t)-381987, (int32_t)1349076); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)15U, (int32_t)1852771, (int32_t)-1430430); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)16U, (int32_t)-3343383, (int32_t)264944); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)17U, (int32_t)508951, (int32_t)3097992); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)18U, (int32_t)44288, (int32_t)-1100098); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)19U, (int32_t)904516, (int32_t)3958618); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)20U, (int32_t)-3724342, (int32_t)-8578); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)21U, (int32_t)1653064, (int32_t)-3249728); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)22U, (int32_t)2389356, (int32_t)-210977); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)23U, (int32_t)759969, (int32_t)-1316856); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)24U, (int32_t)189548, (int32_t)-3553272); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)25U, (int32_t)3159746, (int32_t)-1851402); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)26U, (int32_t)-2409325, (int32_t)-177440); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)27U, (int32_t)1315589, (int32_t)1341330); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)28U, (int32_t)1285669, (int32_t)-1584928); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)29U, (int32_t)-812732, (int32_t)-1439742); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)30U, (int32_t)-3019102, (int32_t)-3881060); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)31U, (int32_t)-3628969, (int32_t)3839961); } -/** -A monomorphic instance of core.option.Option -with types libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[5size_t] - -*/ -typedef struct Option_f3_s { - Option_d8_tags tag; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f0[5U]; -} Option_f3; - -/** -A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256 -with const generics -- OUTPUT_LENGTH= 576 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake256_1b( - Eurydice_slice input, uint8_t *out) { - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)576U, out, uint8_t), input); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_0(int32_t *simd_unit, + int32_t zeta0, + int32_t zeta1, + int32_t zeta2, + int32_t zeta3) { + int32_t t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit[1U], zeta0); + simd_unit[1U] = simd_unit[0U] - t; + simd_unit[0U] = simd_unit[0U] + t; + int32_t t0 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit[3U], zeta1); + simd_unit[3U] = simd_unit[2U] - t0; + simd_unit[2U] = simd_unit[2U] + t0; + int32_t t1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit[5U], zeta2); + simd_unit[5U] = simd_unit[4U] - t1; + simd_unit[4U] = simd_unit[4U] + t1; + int32_t t2 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit[7U], zeta3); + simd_unit[7U] = simd_unit[6U] - t2; + simd_unit[6U] = simd_unit[6U] + t2; } -/** -This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 -for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_x4_50 -with const generics -- OUT_LEN= 576 -*/ static KRML_MUSTINLINE void -libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_1b( - Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, - Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2, - uint8_t *out3) { - libcrux_ml_dsa_hash_functions_portable_shake256_1b(input0, out0); - libcrux_ml_dsa_hash_functions_portable_shake256_1b(input1, out1); - libcrux_ml_dsa_hash_functions_portable_shake256_1b(input2, out2); - libcrux_ml_dsa_hash_functions_portable_shake256_1b(input3, out3); +libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + int32_t (*re)[8U], size_t index, int32_t zeta_0, int32_t zeta_1, + int32_t zeta_2, int32_t zeta_3) { + libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_0( + re[index], zeta_0, zeta_1, zeta_2, zeta_3); } -/** -A monomorphic instance of -libcrux_ml_dsa.simd.portable.encoding.gamma1.deserialize with const generics -- GAMMA1_EXPONENT= 19 -*/ -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_36( - Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( - serialized); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0( + int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)0U, (int32_t)2091667, (int32_t)3407706, (int32_t)2316500, + (int32_t)3817976); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)1U, (int32_t)-3342478, (int32_t)2244091, (int32_t)-2446433, + (int32_t)-3562462); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)2U, (int32_t)266997, (int32_t)2434439, (int32_t)-1235728, + (int32_t)3513181); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)3U, (int32_t)-3520352, (int32_t)-3759364, (int32_t)-1197226, + (int32_t)-3193378); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)4U, (int32_t)900702, (int32_t)1859098, (int32_t)909542, + (int32_t)819034); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)5U, (int32_t)495491, (int32_t)-1613174, (int32_t)-43260, + (int32_t)-522500); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)6U, (int32_t)-655327, (int32_t)-3122442, (int32_t)2031748, + (int32_t)3207046); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)7U, (int32_t)-3556995, (int32_t)-525098, (int32_t)-768622, + (int32_t)-3595838); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)8U, (int32_t)342297, (int32_t)286988, (int32_t)-2437823, + (int32_t)4108315); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)9U, (int32_t)3437287, (int32_t)-3342277, (int32_t)1735879, + (int32_t)203044); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)10U, (int32_t)2842341, (int32_t)2691481, (int32_t)-2590150, + (int32_t)1265009); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)11U, (int32_t)4055324, (int32_t)1247620, (int32_t)2486353, + (int32_t)1595974); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)12U, (int32_t)-3767016, (int32_t)1250494, (int32_t)2635921, + (int32_t)-3548272); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)13U, (int32_t)-2994039, (int32_t)1869119, (int32_t)1903435, + (int32_t)-1050970); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)14U, (int32_t)-1333058, (int32_t)1237275, (int32_t)-3318210, + (int32_t)-1430225); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)15U, (int32_t)-451100, (int32_t)1312455, (int32_t)3306115, + (int32_t)-1962642); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)16U, (int32_t)-1279661, (int32_t)1917081, (int32_t)-2546312, + (int32_t)-1374803); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)17U, (int32_t)1500165, (int32_t)777191, (int32_t)2235880, + (int32_t)3406031); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)18U, (int32_t)-542412, (int32_t)-2831860, (int32_t)-1671176, + (int32_t)-1846953); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)19U, (int32_t)-2584293, (int32_t)-3724270, (int32_t)594136, + (int32_t)-3776993); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)20U, (int32_t)-2013608, (int32_t)2432395, (int32_t)2454455, + (int32_t)-164721); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)21U, (int32_t)1957272, (int32_t)3369112, (int32_t)185531, + (int32_t)-1207385); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)22U, (int32_t)-3183426, (int32_t)162844, (int32_t)1616392, + (int32_t)3014001); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)23U, (int32_t)810149, (int32_t)1652634, (int32_t)-3694233, + (int32_t)-1799107); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)24U, (int32_t)-3038916, (int32_t)3523897, (int32_t)3866901, + (int32_t)269760); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)25U, (int32_t)2213111, (int32_t)-975884, (int32_t)1717735, + (int32_t)472078); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)26U, (int32_t)-426683, (int32_t)1723600, (int32_t)-1803090, + (int32_t)1910376); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)27U, (int32_t)-1667432, (int32_t)-1104333, (int32_t)-260646, + (int32_t)-3833893); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)28U, (int32_t)-2939036, (int32_t)-2235985, (int32_t)-420899, + (int32_t)-2286327); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)29U, (int32_t)183443, (int32_t)-976891, (int32_t)1612842, + (int32_t)-3545687); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)30U, (int32_t)-554416, (int32_t)3919660, (int32_t)-48306, + (int32_t)-1362209); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)31U, (int32_t)3937738, (int32_t)1400424, (int32_t)-846154, + (int32_t)1976782); } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.gamma1_deserialize_36 -with const generics -- GAMMA1_EXPONENT= 19 -*/ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_gamma1_deserialize_36_36( - Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_36( - serialized); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt( + int32_t (*re)[8U]) { + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_7(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_6(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_5(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_4(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_3(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0(re); } -/** -A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.deserialize -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- GAMMA1_EXPONENT= 19 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_deserialize_61( - Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)32U, result->simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_2( + Eurydice_slice randomness, Eurydice_slice out) { + size_t sampled = (size_t)0U; + for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); i++) { - size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_gamma1_deserialize_36_36( - Eurydice_slice_subslice2( - serialized, i0 * ((size_t)19U + (size_t)1U), - (i0 + (size_t)1U) * ((size_t)19U + (size_t)1U), uint8_t)); - result->simd_units[i0] = uu____0; + size_t _cloop_j = i; + uint8_t *byte = + &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); + uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); + uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); + if (try_0 < 15U) { + int32_t try_00 = (int32_t)try_0; + int32_t try_0_mod_5 = try_00 - (try_00 * (int32_t)26 >> 7U) * (int32_t)5; + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)2 - try_0_mod_5; + sampled++; + } + if (try_1 < 15U) { + int32_t try_10 = (int32_t)try_1; + int32_t try_1_mod_5 = try_10 - (try_10 * (int32_t)26 >> 7U) * (int32_t)5; + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)2 - try_1_mod_5; + sampled++; + } } + return sampled; } -/** -A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256 -with const generics -- OUTPUT_LENGTH= 640 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake256_c8( - Eurydice_slice input, uint8_t *out) { - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)640U, out, uint8_t), input); +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4( + Eurydice_slice randomness, Eurydice_slice out) { + size_t sampled = (size_t)0U; + for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); + i++) { + size_t _cloop_j = i; + uint8_t *byte = + &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); + uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); + uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); + if (try_0 < 9U) { + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)4 - (int32_t)try_0; + sampled++; + } + if (try_1 < 9U) { + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)4 - (int32_t)try_1; + sampled++; + } + } + return sampled; } -/** -This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 -for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_x4_50 -with const generics -- OUT_LEN= 640 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_c8( - Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, - Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2, - uint8_t *out3) { - libcrux_ml_dsa_hash_functions_portable_shake256_c8(input0, out0); - libcrux_ml_dsa_hash_functions_portable_shake256_c8(input1, out1); - libcrux_ml_dsa_hash_functions_portable_shake256_c8(input2, out2); - libcrux_ml_dsa_hash_functions_portable_shake256_c8(input3, out3); +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_field_modulus( + Eurydice_slice randomness, Eurydice_slice out) { + size_t sampled = (size_t)0U; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i++) { + size_t _cloop_i = i; + Eurydice_slice bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)3U, + _cloop_i * (size_t)3U + (size_t)3U, uint8_t); + int32_t b0 = + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + int32_t b1 = + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); + int32_t b2 = + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); + int32_t coefficient = ((b2 << 16U | b1 << 8U) | b0) & (int32_t)8388607; + if (coefficient < LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS) { + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = coefficient; + sampled++; + } + } + return sampled; +} + +static inline void +libcrux_ml_dsa_simd_portable_vector_type_from_coefficient_array( + Eurydice_slice array, int32_t ret[8U]) { + Result_6c dst; + Eurydice_slice_to_array2( + &dst, + Eurydice_slice_subslice2( + array, (size_t)0U, + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, int32_t), + Eurydice_slice, int32_t[8U]); + unwrap_26_55(dst, ret); } -/** -This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof -for libcrux_ml_dsa::hash_functions::portable::Shake256)#2} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_5c -with const generics -- OUTPUT_LENGTH= 576 -*/ static KRML_MUSTINLINE void -libcrux_ml_dsa_hash_functions_portable_shake256_5c_1b(Eurydice_slice input, - uint8_t *out) { - libcrux_ml_dsa_hash_functions_portable_shake256_1b(input, out); +libcrux_ml_dsa_simd_portable_vector_type_to_coefficient_array( + int32_t *value, Eurydice_slice out) { + Eurydice_slice_copy(out, Eurydice_array_to_slice((size_t)8U, value, int32_t), + int32_t); +} + +static inline void libcrux_ml_dsa_simd_portable_vector_type_zero( + int32_t ret[8U]) { + ret[0U] = (int32_t)0; + ret[1U] = (int32_t)0; + ret[2U] = (int32_t)0; + ret[3U] = (int32_t)0; + ret[4U] = (int32_t)0; + ret[5U] = (int32_t)0; + ret[6U] = (int32_t)0; + ret[7U] = (int32_t)0; } /** -This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof -for libcrux_ml_dsa::hash_functions::portable::Shake256)#2} +This function found in impl {(core::clone::Clone for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ +static inline void libcrux_ml_dsa_simd_portable_vector_type_clone_ae( + void **self) {} + /** -A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_5c -with const generics -- OUTPUT_LENGTH= 640 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_hash_functions_portable_shake256_5c_c8(Eurydice_slice input, - uint8_t *out) { - libcrux_ml_dsa_hash_functions_portable_shake256_c8(input, out); +static inline void libcrux_ml_dsa_simd_portable_add_36(int32_t *lhs, + int32_t *rhs) { + libcrux_ml_dsa_simd_portable_arithmetic_add(lhs, rhs); } /** -A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_ring_element -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake256 with const generics -- GAMMA1_EXPONENT= 19 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ -static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_ring_element_20( - uint8_t seed[66U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) { - uint8_t out[640U] = {0U}; - libcrux_ml_dsa_hash_functions_portable_shake256_5c_c8( - Eurydice_array_to_slice((size_t)66U, seed, uint8_t), out); - libcrux_ml_dsa_encoding_gamma1_deserialize_61( - Eurydice_array_to_slice((size_t)640U, out, uint8_t), result); +static inline void libcrux_ml_dsa_simd_portable_commitment_serialize_36( + int32_t *simd_unit, Eurydice_slice serialized) { + libcrux_ml_dsa_simd_portable_encoding_commitment_serialize(simd_unit, + serialized); } /** -A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_vector -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake256, -libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics -- DIMENSION= 5 -- GAMMA1_EXPONENT= 19 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ -static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_vector_0e( - uint8_t seed[66U], uint16_t *domain_separator, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b mask[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - mask[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed0[66U]; - memcpy(copy_of_seed0, seed, (size_t)66U * sizeof(uint8_t)); - uint8_t seed0[66U]; - libcrux_ml_dsa_sample_update_seed(copy_of_seed0, domain_separator, seed0); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed1[66U]; - memcpy(copy_of_seed1, seed, (size_t)66U * sizeof(uint8_t)); - uint8_t seed1[66U]; - libcrux_ml_dsa_sample_update_seed(copy_of_seed1, domain_separator, seed1); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed2[66U]; - memcpy(copy_of_seed2, seed, (size_t)66U * sizeof(uint8_t)); - uint8_t seed2[66U]; - libcrux_ml_dsa_sample_update_seed(copy_of_seed2, domain_separator, seed2); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed3[66U]; - memcpy(copy_of_seed3, seed, (size_t)66U * sizeof(uint8_t)); - uint8_t seed3[66U]; - libcrux_ml_dsa_sample_update_seed(copy_of_seed3, domain_separator, seed3); - uint8_t out0[640U] = {0U}; - uint8_t out1[640U] = {0U}; - uint8_t out2[640U] = {0U}; - uint8_t out3[640U] = {0U}; - libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_c8( - Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), - Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), - Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), - Eurydice_array_to_slice((size_t)66U, seed3, uint8_t), out0, out1, out2, - out3); - libcrux_ml_dsa_encoding_gamma1_deserialize_61( - Eurydice_array_to_slice((size_t)640U, out0, uint8_t), mask); - libcrux_ml_dsa_encoding_gamma1_deserialize_61( - Eurydice_array_to_slice((size_t)640U, out1, uint8_t), &mask[1U]); - libcrux_ml_dsa_encoding_gamma1_deserialize_61( - Eurydice_array_to_slice((size_t)640U, out2, uint8_t), &mask[2U]); - libcrux_ml_dsa_encoding_gamma1_deserialize_61( - Eurydice_array_to_slice((size_t)640U, out3, uint8_t), &mask[3U]); - for (size_t i = (size_t)4U; i < (size_t)5U; i++) { - size_t i0 = i; - seed[64U] = (uint8_t)domain_separator[0U]; - seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U); - domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[66U]; - memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_sample_sample_mask_ring_element_20(copy_of_seed, &mask[i0]); - } - memcpy( - ret, mask, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +static inline void libcrux_ml_dsa_simd_portable_from_coefficient_array_36( + Eurydice_slice array, int32_t ret[8U]) { + libcrux_ml_dsa_simd_portable_vector_type_from_coefficient_array(array, ret); } /** -A monomorphic instance of libcrux_ml_dsa.matrix.compute_A_times_mask.closure -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ -static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b -libcrux_ml_dsa_matrix_compute_A_times_mask_closure_2f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s) { - return libcrux_ml_dsa_ntt_ntt_ba(s); +static inline bool libcrux_ml_dsa_simd_portable_infinity_norm_exceeds_36( + int32_t *simd_unit, int32_t bound) { + return libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds( + simd_unit, bound); } /** - Compute InvertNTT(Â ◦ ŷ) +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ +static inline void libcrux_ml_dsa_simd_portable_invert_ntt_montgomery_36( + int32_t (*simd_units)[8U]) { + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_montgomery(simd_units); +} + /** -A monomorphic instance of libcrux_ml_dsa.matrix.compute_A_times_mask -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_A_times_mask_2f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*A_as_ntt)[5U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *mask, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_mask[5U]; - memcpy( - copy_of_mask, mask, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b mask_ntt[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - mask_ntt[i] = - libcrux_ml_dsa_matrix_compute_A_times_mask_closure_2f(copy_of_mask[i]); - } - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, A_as_ntt, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]); - i0++) { - size_t i1 = i0; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *row = A_as_ntt[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, row, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - i++) { - size_t j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = - &row[j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b product = - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(ring_element, - &mask_ntt[j]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = - libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &product); - result[i1] = uu____1; - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = - libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba(result[i1]); - result[i1] = uu____2; - } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +static inline void libcrux_ml_dsa_simd_portable_montgomery_multiply_36( + int32_t *lhs, int32_t *rhs) { + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply(lhs, rhs); } /** -A monomorphic instance of -libcrux_ml_dsa.simd.portable.arithmetic.decompose_element with const generics -- GAMMA2= 261888 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ -static KRML_MUSTINLINE int32_t_x2 -libcrux_ml_dsa_simd_portable_arithmetic_decompose_element_80(int32_t r) { - int32_t r2 = r + (r >> 31U & LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); - int32_t ALPHA = (int32_t)261888 * (int32_t)2; - int32_t ceil_of_r_by_128 = (r2 + (int32_t)127) >> 7U; - int32_t r1; - switch (ALPHA) { - case 190464: { - int32_t result = - (ceil_of_r_by_128 * (int32_t)11275 + ((int32_t)1 << 23U)) >> 24U; - r1 = (result ^ ((int32_t)43 - result) >> 31U) & result; - break; - } - case 523776: { - int32_t result = - (ceil_of_r_by_128 * (int32_t)1025 + ((int32_t)1 << 21U)) >> 22U; - r1 = result & (int32_t)15; - break; - } - default: { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "panic!"); - KRML_HOST_EXIT(255U); - } - } - int32_t r0 = r2 - r1 * ALPHA; - r0 = r0 - - (((LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2 - - r0) >> - 31U & - LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); - return (CLITERAL(int32_t_x2){.fst = r0, .snd = r1}); +static inline void libcrux_ml_dsa_simd_portable_ntt_36( + int32_t (*simd_units)[8U]) { + libcrux_ml_dsa_simd_portable_ntt_ntt(simd_units); } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.decompose -with const generics -- GAMMA2= 261888 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ -static KRML_MUSTINLINE - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 - libcrux_ml_dsa_simd_portable_arithmetic_decompose_80( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit low = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit high = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)8U, low.coefficients, int32_t), - int32_t); - i++) { - size_t i0 = i; - int32_t_x2 uu____0 = - libcrux_ml_dsa_simd_portable_arithmetic_decompose_element_80( - simd_unit.coefficients[i0]); - int32_t low_part = uu____0.fst; - int32_t high_part = uu____0.snd; - low.coefficients[i0] = low_part; - high.coefficients[i0] = high_part; - } - return ( - CLITERAL(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2){ - .fst = low, .snd = high}); +static inline void libcrux_ml_dsa_simd_portable_power2round_36(int32_t *t0, + int32_t *t1) { + libcrux_ml_dsa_simd_portable_arithmetic_power2round(t0, t1); } /** @@ -6729,125 +4939,11 @@ libcrux_ml_dsa_simd_portable_arithmetic_compute_hint_80( This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.compute_hint_36 -with const generics -- GAMMA2= 261888 -*/ -static inline tuple_ca libcrux_ml_dsa_simd_portable_compute_hint_36_80( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit low, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit high) { - return libcrux_ml_dsa_simd_portable_arithmetic_compute_hint_80(low, high); -} - -/** -This function found in impl -{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.polynomial.to_i32_array_ff -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics - -*/ -static inline void libcrux_ml_dsa_polynomial_to_i32_array_ff_ba( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *self, - int32_t ret[256U]) { - int32_t result[256U] = {0U}; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)32U, self->simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); - i++) { - size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = - &self->simd_units[i0]; - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - result, i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, - (i0 + (size_t)1U) * - LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, - int32_t); - int32_t ret0[8U]; - libcrux_ml_dsa_simd_portable_to_coefficient_array_36(simd_unit, ret0); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)8U, ret0, int32_t), int32_t); - } - memcpy(ret, result, (size_t)256U * sizeof(int32_t)); -} - -/** -A monomorphic instance of libcrux_ml_dsa.arithmetic.make_hint -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- DIMENSION= 6 -- GAMMA2= 261888 -*/ -static KRML_MUSTINLINE tuple_e6 libcrux_ml_dsa_arithmetic_make_hint_2f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b low[6U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b high[6U]) { - int32_t hint[6U][256U] = {{0U}}; - size_t true_hints = (size_t)0U; - for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { - size_t i1 = i0; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b hint_simd = - libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)32U, hint_simd.simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); - i++) { - size_t j = i; - tuple_ca uu____0 = libcrux_ml_dsa_simd_portable_compute_hint_36_80( - low[i1].simd_units[j], high[i1].simd_units[j]); - size_t one_hints_count = uu____0.fst; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit current_hint = - uu____0.snd; - hint_simd.simd_units[j] = current_hint; - true_hints = true_hints + one_hints_count; - } - int32_t uu____1[256U]; - libcrux_ml_dsa_polynomial_to_i32_array_ff_ba(&hint_simd, uu____1); - memcpy(hint[i1], uu____1, (size_t)256U * sizeof(int32_t)); - } - /* Passing arrays by value in Rust generates a copy in C */ - int32_t copy_of_hint[6U][256U]; - memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U])); - tuple_e6 lit; - memcpy(lit.fst, copy_of_hint, (size_t)6U * sizeof(int32_t[256U])); - lit.snd = true_hints; - return lit; -} - -/** -A monomorphic instance of libcrux_ml_dsa.encoding.signature.Signature -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- $48size_t -- $5size_t -- $6size_t -*/ -typedef struct libcrux_ml_dsa_encoding_signature_Signature_44_s { - uint8_t commitment_hash[48U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response[5U]; - int32_t hint[6U][256U]; -} libcrux_ml_dsa_encoding_signature_Signature_44; - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.encoding.gamma1.serialize -with const generics -- GAMMA1_EXPONENT= 19 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - Eurydice_slice serialized) { - libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( - simd_unit, serialized); +static inline size_t +libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_36( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4( + randomness, out); } /** @@ -8076,16 +6172,9 @@ libcrux_ml_dsa_simd_portable_arithmetic_use_hint_80( This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.use_hint_36 -with const generics -- GAMMA2= 261888 -*/ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_use_hint_36_80( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit hint) { - return libcrux_ml_dsa_simd_portable_arithmetic_use_hint_80(simd_unit, hint); +static inline void libcrux_ml_dsa_simd_portable_t0_deserialize_36( + Eurydice_slice serialized, int32_t *out) { + libcrux_ml_dsa_simd_portable_encoding_t0_deserialize(serialized, out); } /** @@ -8497,17 +6586,55 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_sample_add_error_domain_separator( This function found in impl {(core::clone::Clone for libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_vector_type_clone_ae( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *self) { - return self[0U]; +static inline void libcrux_ml_dsa_simd_portable_t0_serialize_36( + int32_t *simd_unit, Eurydice_slice out) { + libcrux_ml_dsa_simd_portable_encoding_t0_serialize(simd_unit, out); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline void libcrux_ml_dsa_simd_portable_t1_deserialize_36( + Eurydice_slice serialized, int32_t *out) { + libcrux_ml_dsa_simd_portable_encoding_t1_deserialize(serialized, out); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline void libcrux_ml_dsa_simd_portable_t1_serialize_36( + int32_t *simd_unit, Eurydice_slice out) { + libcrux_ml_dsa_simd_portable_encoding_t1_serialize(simd_unit, out); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline void libcrux_ml_dsa_simd_portable_to_coefficient_array_36( + int32_t *value, Eurydice_slice out) { + libcrux_ml_dsa_simd_portable_vector_type_to_coefficient_array(value, out); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline void libcrux_ml_dsa_simd_portable_zero_36(int32_t ret[8U]) { + libcrux_ml_dsa_simd_portable_vector_type_zero(ret); } +#define LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT \ + (LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \ + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) + typedef int32_t libcrux_ml_dsa_simd_traits_FieldElementTimesMontgomeryR; typedef int32_t libcrux_ml_dsa_simd_portable_vector_type_FieldElement; -typedef Result_a8 libcrux_ml_dsa_pre_hash_PreHashResult; +typedef int32_t libcrux_ml_dsa_simd_portable_vector_type_Coefficients[8U]; #if defined(__cplusplus) } diff --git a/libcrux-ml-dsa/profile.json b/libcrux-ml-dsa/profile.json deleted file mode 100644 index 4c5f8be16..000000000 --- a/libcrux-ml-dsa/profile.json +++ /dev/null @@ -1 +0,0 @@ -{"meta":{"categories":[{"name":"Other","color":"grey","subcategories":["Other"]},{"name":"User","color":"yellow","subcategories":["Other"]},{"name":"Kernel","color":"orange","subcategories":["Other"]}],"debug":false,"extensions":{"baseURL":[],"id":[],"length":0,"name":[]},"interval":1.0,"preprocessedProfileVersion":46,"processType":0,"product":"/home/franziskus/libcrux/target/release/examples/sign_44","sampleUnits":{"eventDelay":"ms","threadCPUDelta":"µs","time":"ms"},"startTime":1732989457679.1018,"symbolicated":false,"pausedRanges":[],"version":24,"usesOnlyOneStackType":true,"doesNotUseFrameImplementation":true,"sourceCodeIsNotOnSearchfox":true,"markerSchema":[]},"libs":[{"name":"libc.so.6","path":"/usr/lib/x86_64-linux-gnu/libc.so.6","debugName":"libc.so.6","debugPath":"/usr/lib/x86_64-linux-gnu/libc.so.6","breakpadId":"84EF0F492403910C833978D494D39E530","codeId":"490fef8403240c91833978d494d39e537409b92e","arch":null},{"name":"sign_44","path":"/home/franziskus/libcrux/target/release/examples/sign_44","debugName":"sign_44","debugPath":"/home/franziskus/libcrux/target/release/examples/sign_44","breakpadId":"43E25B1307697D9D59DC1136BE04A9EA0","codeId":"135be24369079d7d59dc1136be04a9ea763c5d94","arch":null}],"threads":[{"frameTable":{"length":1,"address":[962699],"inlineDepth":[0],"category":[1],"subcategory":[0],"func":[0],"nativeSymbol":[null],"innerWindowID":[null],"implementation":[null],"line":[null],"column":[null],"optimizations":[null]},"funcTable":{"length":1,"name":[1],"isJS":[false],"relevantForJS":[false],"resource":[0],"fileName":[null],"lineNumber":[null],"columnNumber":[null]},"markers":{"length":0,"category":[],"data":[],"endTime":[],"name":[],"phase":[],"startTime":[]},"name":"samply","isMainThread":true,"nativeSymbols":{"length":0,"address":[],"functionSize":[],"libIndex":[],"name":[]},"pausedRanges":[],"pid":"1785864","processName":"samply","processShutdownTime":2160792986.873682,"processStartupTime":0.0,"processType":"default","registerTime":0.0,"resourceTable":{"length":1,"lib":[0],"name":[0],"host":[null],"type":[1]},"samples":{"length":6,"stack":[0,0,0,0,0,0],"time":[2160792986.835161,2160792986.846641,2160792986.851841,2160792986.857222,2160792986.862572,2160792986.868022],"weight":[1,1,1,1,1,1],"weightType":"samples","threadCPUDelta":[0,11,5,5,5,5]},"stackTable":{"length":1,"prefix":[null],"frame":[0],"category":[1],"subcategory":[0]},"stringArray":["libc.so.6","0xeb08b"],"tid":"1785864","unregisterTime":2160792986.873682},{"frameTable":{"length":2109,"address":[-1,596761,594870,591274,469981,600195,1706392,470692,600744,73246,591135,474680,52884,608335,1708036,590765,442642,475191,459577,590954,472759,72924,604615,604247,605839,1705797,608713,467241,626538,625946,471730,597546,446965,599098,473209,494644,616583,600752,69044,628169,609657,594975,451943,602085,61776,438684,600803,1708041,623686,604999,608476,474890,494612,598967,600899,72811,600140,591987,631619,625166,458761,601892,623646,602061,56874,625952,460080,74209,605399,600736,71136,600760,67005,62389,71747,451805,603181,600768,63971,63932,441681,598995,436349,625843,469724,625042,625099,594842,610071,60782,68576,600914,471756,494473,596671,603722,625711,625178,610039,1706413,611162,603272,1706359,464236,610079,61823,73868,586530,627341,625820,465241,597524,70573,472213,494650,596310,64623,70724,612293,1708046,55829,625662,472918,494564,65972,608572,60560,461712,624682,596599,619053,1706540,625619,596658,461866,600329,72698,474199,602053,53333,625026,608540,1706402,590221,611149,73746,472036,67178,61927,74430,623085,609415,590871,1706492,72334,474694,55923,609674,603199,605874,630857,472831,72801,608556,55287,440745,53404,609833,1706378,603097,60646,603112,472709,76468,600587,592584,631099,625072,611167,600863,460603,598347,611065,449984,603785,608114,591944,625172,65053,605034,61605,587699,70185,625302,612277,461934,600726,69995,72235,74937,467721,609985,600728,1706373,602377,610777,596644,440390,74164,622497,474572,70646,600894,64249,594743,73149,65601,469854,68059,461026,630984,599155,68747,612071,435487,625667,594570,448810,625305,608199,631640,72531,608239,494354,76475,609685,438609,61222,62085,467339,597249,74619,602168,65597,598841,471718,610201,610000,74582,625922,443267,60078,70483,473732,76472,628100,596993,63051,76408,625201,588243,626043,440318,71843,64420,624051,72816,610055,56209,460545,71751,69464,471590,52866,623396,593804,625792,609304,474838,71073,472817,596305,596379,72638,610495,596509,596292,444991,1708083,608564,57989,597194,447814,625848,609428,592541,627627,67753,616303,53389,600496,72243,73794,473218,599046,603364,625150,609648,472937,494596,64757,76208,608276,610063,58699,594011,602953,74509,603767,617336,75491,1708051,473840,602809,473990,596813,72796,72929,72894,612430,589713,71437,75627,471976,599229,68485,598601,72292,625215,494724,622182,62944,608268,70840,69866,74949,625381,631273,609887,1708086,66681,599079,67611,453926,61539,594617,460266,609694,71251,608580,61433,435726,607216,474610,494477,596342,466140,602077,60886,625966,597048,600193,440223,631473,60905,65857,475083,597333,600787,1706368,604034,1706350,616236,442405,624034,604012,594691,597617,599061,73973,625748,608387,611504,449241,625889,494616,69096,601636,593557,64679,625444,626357,610296,474050,609433,460326,66137,627742,70367,66335,467685,68321,1706385,625091,625147,62189,594724,61227,462564,61500,72551,596779,72826,619740,66933,63709,63733,66259,65065,622565,1706086,608548,53006,596703,601508,589420,73125,59979,473122,473063,494637,596871,69453,62421,596258,594241,63568,72907,597111,450829,611264,445853,55883,625708,473389,613301,66401,623663,473941,70541,66669,472520,609679,588088,69259,623548,610047,54717,474230,602069,58415,55673,473952,494580,625240,608450,67375,71152,466114,596797,447235,602935,625556,73238,72880,607644,54212,64391,52892,68141,468652,603886,627428,603214,71388,601167,625504,615273,70454,74822,64736,59005,70308,72066,596844,597698,462438,627610,627521,596612,55400,62407,604946,437863,54757,600120,598338,71599,463710,62986,465178,57089,596831,63721,628114,611423,598875,469244,610903,466279,71511,609954,598930,623972,56901,624711,55229,611325,447355,63464,1706363,595960,56633,596716,454084,609661,441077,602760,473770,59455,608496,67895,69130,594315,625256,470577,65838,468791,65695,603993,1705776,625342,596890,611173,596573,588684,70181,603258,460804,608487,436188,72545,69788,74627,73438,63077,603103,598545,66240,450787,602019,66633,600890,53394,609783,627896,473429,458791,610504,603608,631788,53029,620491,75486,609592,597129,461047,64105,67225,601843,609528,612376,60083,589083,65885,1706264,464517,62184,70742,469860,605821,608852,596826,605392,1706101,65349,471946,494600,608872,627687,70097,602804,603347,627250,54363,54583,475047,1706295,72655,598859,73968,627971,62489,611060,438316,62616,74109,465667,594061,53749,598693,74813,67232,449012,627652,623762,66531,66097,53338,53142,611341,597030,440201,66901,64395,494568,598778,70492,74056,597083,73646,70552,457135,615515,64507,455474,631709,625599,600571,1706506,1706406,625226,620482,623776,473358,68769,63061,474270,494628,593498,597294,602791,73193,470766,607591,610936,596415,608108,620729,75282,608319,1706543,595204,438095,625229,60030,600872,73541,457354,607002,434854,74282,602503,71006,609925,458576,625223,601664,446287,60552,64178,623672,625513,624113,601834,72688,590310,72510,58835,471482,64100,448937,600153,69022,474830,623486,64239,445816,608300,63663,68883,72570,65299,53731,623267,467156,58131,600868,608468,473830,53960,596267,598358,53684,69297,448583,603075,464171,603194,456132,625050,471984,627930,606791,606515,625234,606644,57013,620245,60201,55009,473786,494512,1707776,596631,450541,623796,66383,64651,457469,472951,609145,438579,55184,603657,625102,631616,62925,74807,462657,67345,609849,589729,68889,466367,623540,473028,609258,474758,594024,73629,76317,603639,466974,1708068,54411,440083,72316,60764,471826,609289,594346,625521,71780,588398,64476,68911,457277,604158,493317,494347,598760,70354,1706355,450218,607059,63703,447048,625576,73576,458878,461909,625183,474800,494592,54735,60664,611182,450668,625275,57461,625730,597088,68605,610872,460893,598501,627458,623444,606939,599261,64797,624059,625499,66767,53034,56477,67424,612583,63033,630906,469656,67747,474144,52993,54864,623235,597053,61074,72540,467584,605341,594511,56617,1706283,65012,70666,445664,625815,466088,493367,494410,1706289,594200,596487,626064,601900,625760,596978,54611,605434,610921,70196,601851,603850,61279,597479,435373,1706340,53623,587455,1706268,1706257,596936,463944,631581,472253,596407,470155,603594,74884,65829,599324,73120,436249,625175,625540,73420,56075,597134,606826,474489,64355,472071,56740,54623,628002,72447,73043,450473,631013,452692,71162,595113,65084,440971,604194,462332,623306,631770,60437,593298,1708032,598688,440620,53640,625736,602660,55435,57919,75391,630690,625917,465746,607208,609284,599173,459485,625587,623061,594943,586970,450750,75497,56755,59280,69277,72012,594529,593450,57023,451766,446593,71241,631155,609384,599116,436516,64143,471938,611043,62136,57817,69845,448551,607005,1708058,446475,66279,631023,601956,598823,611999,74318,70017,61985,53290,468438,624828,65617,69860,609577,612475,609944,609001,438158,597215,72046,450685,437880,601611,474155,610489,609749,1706238,70816,455843,54879,447117,64066,65463,625772,470622,72102,453192,623911,608664,53644,613222,1706474,64411,71772,1706479,589444,65877,600980,62807,610772,438454,67885,625475,607445,617392,593757,452603,608292,72214,440931,600839,54607,631423,58287,70674,448662,75963,603630,472947,596784,612907,62289,602100,63416,493802,76459,604074,473808,494544,58437,615849,596766,71964,65565,68179,53826,594476,474992,603529,468454,606777,608284,68253,625355,58557,596456,74639,68463,455225,60991,461174,625259,606712,599150,72673,600886,450305,56085,474648,494541,64513,453253,596585,493342,64602,625131,619998,64891,461923,611047,73054,597168,603966,595235,587372,61876,471840,57180,450679,62250,75574,625013,610471,595475,474085,64277,627557,74817,607931,74925,452137,600316,460162,626617,630926,616327,61009,625347,463947,54347,597410,74373,467524,54847,603890,619360,57043,445841,624134,625676,609980,613150,598609,62722,72346,623517,616141,470591,594399,475160,463696,607559,71338,460274,603498,625467,73226,465706,627733,58841,438419,627767,63318,58487,628109,603177,625837,610098,612529,62303,72783,447128,627157,473482,596973,599495,76299,74726,59139,609271,595818,597303,454042,602040,73220,62698,610916,623452,603754,593160,75046,443349,493395,73048,66547,74680,606894,469337,596959,76090,464151,472725,494463,1706382,60089,70475,55013,586427,68761,435779,68903,625908,56219,631655,63698,465799,444035,58429,53558,1706469,63798,438112,453695,67625,625141,53204,466046,625493,494619,442820,67075,76441,604557,608481,494633,443028,63154,469735,626299,53631,610345,621235,66374,463759,625067,625562,474925,67201,606761,55296,586570,631531,627647,619414,68343,602043,456893,57147,54713,611612,440980,67775,611136,452580,625264,625998,65526,64647,590025,74186,471768,62730,71332,607507,67169,459298,53676,596858,1706397,59947,76041,631493,56621,52888,59125,593829,623189,62203,53523,606916,625410,70950,66405,444099,627545,452441,65731,71680,594586,587396,65735,601440,625840,474781,605346,590535,442614,473979,456594,627906,64257,452331,603048,625078,625528,607205,67455,590049,603323,445441,623874,494572,625237,623298,68718,63606,589318,63725,452228,625436,626159,600123,605215,630954,464081,1706235,440915,631042,60891,435721,471927,459070,631077,609559,1705783,611080,587772,71884,462860,54208,607457,71587,625484,609295,54497,608863,67475,458006,623325,74491,628138,61966,617679,601972,448602,74604,605853,608695,621122,63685,450744,624438,623383,473849,607286,70316,74300,624685,55419,67909,467331,455030,625192,473973,54749,65335,446824,607085,628196,75146,56995,449479,609448,53372,624790,62677,436458,473998,72417,440253,70619,56343,494575,599587,594996,598635,589629,71720,448545,625112,71872,467075,607526,470716,627993,607816,606867,589183,71428,627945,1706502,615349,625248,600019,69850,603092,70405,75373,455101,625433,631544,75521,631444,631090,598903,600387,587707,72766,452572,57847,75609,76456,623958,457120,65169,74802,607602,616256,598665,70279,445468,625294,473960,70013,69778,58295,58003,436272,596534,598576,613388,1706410,445349,625059,598765,601576,59365,59330,594412,437944,474239,598380,594837,610633,600905,70850,463423,591384,1706345,76418,612853,460846,62053,69488,473782,74191,453608,607241,606981,57869,61420,60419,587049,68311,594154,455547,471358,631589,53510,59258,593517,67491,68595,70528,72124,71058,628302,463643,57314,625470,54467,60502,440983,59623,591052,456597,73979,55539,71063,54339,74504,446870,73891,73030,471965,75840,65327,628034,472635,606641,1705780,608459,71206,74609,464113,74418,462636,73842,71019,455672,59095,596594,440628,62716,593597,598733,75845,465635,594709,59391,471692,627566,63444,602045,462318,437790,57027,67365,608708,627484,598063,447988,66803,607128,619192,67272,442439,631293,75509,76102,58273,70778,455606,71225,472127,603511,630793,593624,597993,58863,66244,72668,630817,472785,494532,71762,71024,453535,72944,69229,1708019,58527,453864,623186,627924,61544,53692,603846,61862,446274,66067,601876,599453,64200,437801,452489,628457,458547,625144,71231,72762,70657,631964,71658,460963,455502,599964,60956,599947,623155,76426,600475,456612,606897,615333,603205,60788,1706251,55387,470783,625699,59424,435547,57326,596693,457363,71202,62825,600035,475123,65004,602516,494608,625654,596319,587479,1708078,75058,601363,446364,625198,473748,56325,610615,594341,71854,53363,615374,608472,68037,456376,67035,60215,65331,448413,67228,53138,589938,452164,75176,589156,59720,472976,612934,462250,618136,627784,451937,66503,53282,440022,631727,439471,67083,603485,599686,625390,593271,53274,64789,603506,64517,471429,596564,73464,72407,617159,435830,624014,471210,607608,57516,627385,627481,64446,68165,607162,56491,73476,53874,53635,454860,53260,625880,606739,616319,76377,458796,435645,601372,72164,602931,63204,610360,72225,606549,55545,63529,69439,631584,73782,70748,603913,67724,449808,66866,493990,594052,607067,627976,599370,460626,606668,615803,625272,72747,596698,590950,472747,64489,58409,72135,454254,606611,435580,71348,494110,72619,450177,625943,595100,74295,465001,61744,55003,627806,631242,470489,608055,625680,494070,596398,72911,598720,611229,58011,1706314,61971,587041,463812,450782,55655,445407,67582,618466,76196,590356,464032,448727,603168,450758,69461,625781,617423,607298,55405,631456,620236,60524,435838,66115,462864,54899,66871,1707986,473854,450645,66651,603466,625602,469812,54477,460088,53076,587989,451914,625809,75473,464090,628141,65475,601465,450041,75827,57008,59861,53606,612385,72935,623891,451333,608089,608728,599906,460913,625204,625439,597573,602372,463578,594948,63178,56885,75023,610759,625096,615367,468859,600211,455740,625605,62831,596908,589309,602968,75294,625613,75264,72683,604088,64931,460190,458639,625784,1706497,598706,460470,57157,468378,625795,612448,69932,439184,67380,458701,70858,63953,626380,461840,601749,75246,607440,599139,588430,66517,59584,602027,470698,607605,494182,625401,596465,471794,605443,594358,75028,64927,627532,623914,69927,455483,610648,460756,57861,587388,453738,468870,597162,64087,70044,72807,470372,597072,605777,1705826,627990,598114,451993,623652,72506,588080,72560,466031,611963,76220,464581,447224,630865,608421,70564,459039,606730,63741,71477,625865,71830,71946,460104,625115,631138,442569,64781,604608,494383,76078,465222,67917,627644,67197,61329,607679,631403,468881,594444,454530,625186,591365,54086,71527,607156,57035,494603,445907,603079,467462,627463,60266,53146,594557,589327,61209,72054,71405,67091,623739,70300,69155,455584,631245,598477,599027,607454,437186,631661,65531,465413,624008,66795,56373,597011,587715,64123,63590,470614,58721,54947,617048,67827,60541,445591,623819,607468,437841,602217,52984,617744,70388,473522,75745,608012,1707981,610196,594552,74711,75810,75270,630862,599008,67217,594281,442735,66267,605626,627730,588323,457257,70040,625376,64127,75709,596152,440447,602948,596913,64383,455763,594767,445027,602824,603462,74086,459258,590971,609096,597380,455890,606924,608952,606772,615655,60179,458456,68335,452506,611666,453772,56057,455346,594431,451413,598432,590503,54615,467229,61526,631594,474792,494576,494425,75259,597818,453355,623418,630806,69652,462089,74539,462350,53011,603882,472968,60777,459626,631511,594893,448496,470271,595854,75945,597106,589947,625416,461318,612331,60528,470313,607310,609572,611882,71935,587691,70926,70758,456583,627540,64744,54008,61118,466210,607173,623481],"inlineDepth":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"category":[1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"subcategory":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"func":[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953,954,955,956,957,958,959,960,961,962,963,964,965,966,967,968,969,970,971,972,973,974,975,976,977,978,979,980,981,982,983,984,985,986,987,988,989,990,991,992,993,994,995,996,997,998,999,1000,1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1011,1012,1013,1014,1015,1016,1017,1018,1019,1020,1021,1022,1023,1024,1025,1026,1027,1028,1029,1030,1031,1032,1033,1034,1035,1036,1037,1038,1039,1040,1041,1042,1043,1044,1045,1046,1047,1048,1049,1050,1051,1052,1053,1054,1055,1056,1057,1058,1059,1060,1061,1062,1063,1064,1065,1066,1067,1068,1069,1070,1071,1072,1073,1074,1075,1076,1077,1078,1079,1080,1081,1082,1083,1084,1085,1086,1087,1088,1089,1090,1091,1092,1093,1094,1095,1096,1097,1098,1099,1100,1101,1102,1103,1104,1105,1106,1107,1108,1109,1110,1111,1112,1113,1114,1115,1116,1117,1118,1119,1120,1121,1122,1123,1124,1125,1126,1127,1128,1129,1130,1131,1132,1133,1134,1135,1136,1137,1138,1139,1140,1141,1142,1143,1144,1145,1146,1147,1148,1149,1150,1151,1152,1153,1154,1155,1156,1157,1158,1159,1160,1161,1162,1163,1164,1165,1166,1167,1168,1169,1170,1171,1172,1173,1174,1175,1176,1177,1178,1179,1180,1181,1182,1183,1184,1185,1186,1187,1188,1189,1190,1191,1192,1193,1194,1195,1196,1197,1198,1199,1200,1201,1202,1203,1204,1205,1206,1207,1208,1209,1210,1211,1212,1213,1214,1215,1216,1217,1218,1219,1220,1221,1222,1223,1224,1225,1226,1227,1228,1229,1230,1231,1232,1233,1234,1235,1236,1237,1238,1239,1240,1241,1242,1243,1244,1245,1246,1247,1248,1249,1250,1251,1252,1253,1254,1255,1256,1257,1258,1259,1260,1261,1262,1263,1264,1265,1266,1267,1268,1269,1270,1271,1272,1273,1274,1275,1276,1277,1278,1279,1280,1281,1282,1283,1284,1285,1286,1287,1288,1289,1290,1291,1292,1293,1294,1295,1296,1297,1298,1299,1300,1301,1302,1303,1304,1305,1306,1307,1308,1309,1310,1311,1312,1313,1314,1315,1316,1317,1318,1319,1320,1321,1322,1323,1324,1325,1326,1327,1328,1329,1330,1331,1332,1333,1334,1335,1336,1337,1338,1339,1340,1341,1342,1343,1344,1345,1346,1347,1348,1349,1350,1351,1352,1353,1354,1355,1356,1357,1358,1359,1360,1361,1362,1363,1364,1365,1366,1367,1368,1369,1370,1371,1372,1373,1374,1375,1376,1377,1378,1379,1380,1381,1382,1383,1384,1385,1386,1387,1388,1389,1390,1391,1392,1393,1394,1395,1396,1397,1398,1399,1400,1401,1402,1403,1404,1405,1406,1407,1408,1409,1410,1411,1412,1413,1414,1415,1416,1417,1418,1419,1420,1421,1422,1423,1424,1425,1426,1427,1428,1429,1430,1431,1432,1433,1434,1435,1436,1437,1438,1439,1440,1441,1442,1443,1444,1445,1446,1447,1448,1449,1450,1451,1452,1453,1454,1455,1456,1457,1458,1459,1460,1461,1462,1463,1464,1465,1466,1467,1468,1469,1470,1471,1472,1473,1474,1475,1476,1477,1478,1479,1480,1481,1482,1483,1484,1485,1486,1487,1488,1489,1490,1491,1492,1493,1494,1495,1496,1497,1498,1499,1500,1501,1502,1503,1504,1505,1506,1507,1508,1509,1510,1511,1512,1513,1514,1515,1516,1517,1518,1519,1520,1521,1522,1523,1524,1525,1526,1527,1528,1529,1530,1531,1532,1533,1534,1535,1536,1537,1538,1539,1540,1541,1542,1543,1544,1545,1546,1547,1548,1549,1550,1551,1552,1553,1554,1555,1556,1557,1558,1559,1560,1561,1562,1563,1564,1565,1566,1567,1568,1569,1570,1571,1572,1573,1574,1575,1576,1577,1578,1579,1580,1581,1582,1583,1584,1585,1586,1587,1588,1589,1590,1591,1592,1593,1594,1595,1596,1597,1598,1599,1600,1601,1602,1603,1604,1605,1606,1607,1608,1609,1610,1611,1612,1613,1614,1615,1616,1617,1618,1619,1620,1621,1622,1623,1624,1625,1626,1627,1628,1629,1630,1631,1632,1633,1634,1635,1636,1637,1638,1639,1640,1641,1642,1643,1644,1645,1646,1647,1648,1649,1650,1651,1652,1653,1654,1655,1656,1657,1658,1659,1660,1661,1662,1663,1664,1665,1666,1667,1668,1669,1670,1671,1672,1673,1674,1675,1676,1677,1678,1679,1680,1681,1682,1683,1684,1685,1686,1687,1688,1689,1690,1691,1692,1693,1694,1695,1696,1697,1698,1699,1700,1701,1702,1703,1704,1705,1706,1707,1708,1709,1710,1711,1712,1713,1714,1715,1716,1717,1718,1719,1720,1721,1722,1723,1724,1725,1726,1727,1728,1729,1730,1731,1732,1733,1734,1735,1736,1737,1738,1739,1740,1741,1742,1743,1744,1745,1746,1747,1748,1749,1750,1751,1752,1753,1754,1755,1756,1757,1758,1759,1760,1761,1762,1763,1764,1765,1766,1767,1768,1769,1770,1771,1772,1773,1774,1775,1776,1777,1778,1779,1780,1781,1782,1783,1784,1785,1786,1787,1788,1789,1790,1791,1792,1793,1794,1795,1796,1797,1798,1799,1800,1801,1802,1803,1804,1805,1806,1807,1808,1809,1810,1811,1812,1813,1814,1815,1816,1817,1818,1819,1820,1821,1822,1823,1824,1825,1826,1827,1828,1829,1830,1831,1832,1833,1834,1835,1836,1837,1838,1839,1840,1841,1842,1843,1844,1845,1846,1847,1848,1849,1850,1851,1852,1853,1854,1855,1856,1857,1858,1859,1860,1861,1862,1863,1864,1865,1866,1867,1868,1869,1870,1871,1872,1873,1874,1875,1876,1877,1878,1879,1880,1881,1882,1883,1884,1885,1886,1887,1888,1889,1890,1891,1892,1893,1894,1895,1896,1897,1898,1899,1900,1901,1902,1903,1904,1905,1906,1907,1908,1909,1910,1911,1912,1913,1914,1915,1916,1917,1918,1919,1920,1921,1922,1923,1924,1925,1926,1927,1928,1929,1930,1931,1932,1933,1934,1935,1936,1937,1938,1939,1940,1941,1942,1943,1944,1945,1946,1947,1948,1949,1950,1951,1952,1953,1954,1955,1956,1957,1958,1959,1960,1961,1962,1963,1964,1965,1966,1967,1968,1969,1970,1971,1972,1973,1974,1975,1976,1977,1978,1979,1980,1981,1982,1983,1984,1985,1986,1987,1988,1989,1990,1991,1992,1993,1994,1995,1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021,2022,2023,2024,2025,2026,2027,2028,2029,2030,2031,2032,2033,2034,2035,2036,2037,2038,2039,2040,2041,2042,2043,2044,2045,2046,2047,2048,2049,2050,2051,2052,2053,2054,2055,2056,2057,2058,2059,2060,2061,2062,2063,2064,2065,2066,2067,2068,2069,2070,2071,2072,2073,2074,2075,2076,2077,2078,2079,2080,2081,2082,2083,2084,2085,2086,2087,2088,2089,2090,2091,2092,2093,2094,2095,2096,2097,2098,2099,2100,2101,2102,2103,2104,2105,2106,2107,2108],"nativeSymbol":[null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null],"innerWindowID":[null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null],"implementation":[null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null],"line":[null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null],"column":[null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null],"optimizations":[null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null]},"funcTable":{"length":2109,"name":[0,2,3,4,5,6,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953,954,955,956,957,958,959,960,961,962,963,964,965,966,967,968,969,970,971,972,973,974,975,976,977,978,979,980,981,982,983,984,985,986,987,988,989,990,991,992,993,994,995,996,997,998,999,1000,1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1011,1012,1013,1014,1015,1016,1017,1018,1019,1020,1021,1022,1023,1024,1025,1026,1027,1028,1029,1030,1031,1032,1033,1034,1035,1036,1037,1038,1039,1040,1041,1042,1043,1044,1045,1046,1047,1048,1049,1050,1051,1052,1053,1054,1055,1056,1057,1058,1059,1060,1061,1062,1063,1064,1065,1066,1067,1068,1069,1070,1071,1072,1073,1074,1075,1076,1077,1078,1079,1080,1081,1082,1083,1084,1085,1086,1087,1088,1089,1090,1091,1092,1093,1094,1095,1096,1097,1098,1099,1100,1101,1102,1103,1104,1105,1106,1107,1108,1109,1110,1111,1112,1113,1114,1115,1116,1117,1118,1119,1120,1121,1122,1123,1124,1125,1126,1127,1128,1129,1130,1131,1132,1133,1134,1135,1136,1137,1138,1139,1140,1141,1142,1143,1144,1145,1146,1147,1148,1149,1150,1151,1152,1153,1154,1155,1156,1157,1158,1159,1160,1161,1162,1163,1164,1165,1166,1167,1168,1169,1170,1171,1172,1173,1174,1175,1176,1177,1178,1179,1180,1181,1182,1183,1184,1185,1186,1187,1188,1189,1190,1191,1192,1193,1194,1195,1196,1197,1198,1199,1200,1201,1202,1203,1204,1205,1206,1207,1208,1209,1210,1211,1212,1213,1214,1215,1216,1217,1218,1219,1220,1221,1222,1223,1224,1225,1226,1227,1228,1229,1230,1231,1232,1233,1234,1235,1236,1237,1238,1239,1240,1241,1242,1243,1244,1245,1246,1247,1248,1249,1250,1251,1252,1253,1254,1255,1256,1257,1258,1259,1260,1261,1262,1263,1264,1265,1266,1267,1268,1269,1270,1271,1272,1273,1274,1275,1276,1277,1278,1279,1280,1281,1282,1283,1284,1285,1286,1287,1288,1289,1290,1291,1292,1293,1294,1295,1296,1297,1298,1299,1300,1301,1302,1303,1304,1305,1306,1307,1308,1309,1310,1311,1312,1313,1314,1315,1316,1317,1318,1319,1320,1321,1322,1323,1324,1325,1326,1327,1328,1329,1330,1331,1332,1333,1334,1335,1336,1337,1338,1339,1340,1341,1342,1343,1344,1345,1346,1347,1348,1349,1350,1351,1352,1353,1354,1355,1356,1357,1358,1359,1360,1361,1362,1363,1364,1365,1366,1367,1368,1369,1370,1371,1372,1373,1374,1375,1376,1377,1378,1379,1380,1381,1382,1383,1384,1385,1386,1387,1388,1389,1390,1391,1392,1393,1394,1395,1396,1397,1398,1399,1400,1401,1402,1403,1404,1405,1406,1407,1408,1409,1410,1411,1412,1413,1414,1415,1416,1417,1418,1419,1420,1421,1422,1423,1424,1425,1426,1427,1428,1429,1430,1431,1432,1433,1434,1435,1436,1437,1438,1439,1440,1441,1442,1443,1444,1445,1446,1447,1448,1449,1450,1451,1452,1453,1454,1455,1456,1457,1458,1459,1460,1461,1462,1463,1464,1465,1466,1467,1468,1469,1470,1471,1472,1473,1474,1475,1476,1477,1478,1479,1480,1481,1482,1483,1484,1485,1486,1487,1488,1489,1490,1491,1492,1493,1494,1495,1496,1497,1498,1499,1500,1501,1502,1503,1504,1505,1506,1507,1508,1509,1510,1511,1512,1513,1514,1515,1516,1517,1518,1519,1520,1521,1522,1523,1524,1525,1526,1527,1528,1529,1530,1531,1532,1533,1534,1535,1536,1537,1538,1539,1540,1541,1542,1543,1544,1545,1546,1547,1548,1549,1550,1551,1552,1553,1554,1555,1556,1557,1558,1559,1560,1561,1562,1563,1564,1565,1566,1567,1568,1569,1570,1571,1572,1573,1574,1575,1576,1577,1578,1579,1580,1581,1582,1583,1584,1585,1586,1587,1588,1589,1590,1591,1592,1593,1594,1595,1596,1597,1598,1599,1600,1601,1602,1603,1604,1605,1606,1607,1608,1609,1610,1611,1612,1613,1614,1615,1616,1617,1618,1619,1620,1621,1622,1623,1624,1625,1626,1627,1628,1629,1630,1631,1632,1633,1634,1635,1636,1637,1638,1639,1640,1641,1642,1643,1644,1645,1646,1647,1648,1649,1650,1651,1652,1653,1654,1655,1656,1657,1658,1659,1660,1661,1662,1663,1664,1665,1666,1667,1668,1669,1670,1671,1672,1673,1674,1675,1676,1677,1678,1679,1680,1681,1682,1683,1684,1685,1686,1687,1688,1689,1690,1691,1692,1693,1694,1695,1696,1697,1698,1699,1700,1701,1702,1703,1704,1705,1706,1707,1708,1709,1710,1711,1712,1713,1714,1715,1716,1717,1718,1719,1720,1721,1722,1723,1724,1725,1726,1727,1728,1729,1730,1731,1732,1733,1734,1735,1736,1737,1738,1739,1740,1741,1742,1743,1744,1745,1746,1747,1748,1749,1750,1751,1752,1753,1754,1755,1756,1757,1758,1759,1760,1761,1762,1763,1764,1765,1766,1767,1768,1769,1770,1771,1772,1773,1774,1775,1776,1777,1778,1779,1780,1781,1782,1783,1784,1785,1786,1787,1788,1789,1790,1791,1792,1793,1794,1795,1796,1797,1798,1799,1800,1801,1802,1803,1804,1805,1806,1807,1808,1809,1810,1811,1812,1813,1814,1815,1816,1817,1818,1819,1820,1821,1822,1823,1824,1825,1826,1827,1828,1829,1830,1831,1832,1833,1834,1835,1836,1837,1838,1839,1840,1841,1842,1843,1844,1845,1846,1847,1848,1849,1850,1851,1852,1853,1854,1855,1856,1857,1858,1859,1860,1861,1862,1863,1864,1865,1866,1867,1868,1869,1870,1871,1872,1873,1874,1875,1876,1877,1878,1879,1880,1881,1882,1883,1884,1885,1886,1887,1888,1889,1890,1891,1892,1893,1894,1895,1896,1897,1898,1899,1900,1901,1902,1903,1904,1905,1906,1907,1908,1909,1910,1911,1912,1913,1914,1915,1916,1917,1918,1919,1920,1921,1922,1923,1924,1925,1926,1927,1928,1929,1930,1931,1932,1933,1934,1935,1936,1937,1938,1939,1940,1941,1942,1943,1944,1945,1946,1947,1948,1949,1950,1951,1952,1953,1954,1955,1956,1957,1958,1959,1960,1961,1962,1963,1964,1965,1966,1967,1968,1969,1970,1971,1972,1973,1974,1975,1976,1977,1978,1979,1980,1981,1982,1983,1984,1985,1986,1987,1988,1989,1990,1991,1992,1993,1994,1995,1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021,2022,2023,2024,2025,2026,2027,2028,2029,2030,2031,2032,2033,2034,2035,2036,2037,2038,2039,2040,2041,2042,2043,2044,2045,2046,2047,2048,2049,2050,2051,2052,2053,2054,2055,2056,2057,2058,2059,2060,2061,2062,2063,2064,2065,2066,2067,2068,2069,2070,2071,2072,2073,2074,2075,2076,2077,2078,2079,2080,2081,2082,2083,2084,2085,2086,2087,2088,2089,2090,2091,2092,2093,2094,2095,2096,2097,2098,2099,2100,2101,2102,2103,2104,2105,2106,2107,2108,2109,2110],"isJS":[false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false],"relevantForJS":[false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false],"resource":[-1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"fileName":[null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null],"lineNumber":[null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null],"columnNumber":[null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null]},"markers":{"length":0,"category":[],"data":[],"endTime":[],"name":[],"phase":[],"startTime":[]},"name":"sign_44","isMainThread":true,"nativeSymbols":{"length":0,"address":[],"functionSize":[],"libIndex":[],"name":[]},"pausedRanges":[],"pid":"1785864.1","processName":"sign_44","processShutdownTime":2160796743.709309,"processStartupTime":2160792986.873682,"processType":"default","registerTime":2160792986.873682,"resourceTable":{"length":2,"lib":[1,0],"name":[1,7],"host":[null,null],"type":[1,1]},"samples":{"length":3745,"stack":[0,1,2,4,6,7,9,12,14,16,17,18,20,21,22,23,25,26,27,29,30,31,32,33,35,23,36,38,39,40,41,42,44,45,47,48,49,50,52,53,54,55,56,58,59,60,61,62,64,65,66,67,68,70,72,73,74,75,54,76,78,79,80,81,82,83,84,85,86,87,89,90,91,93,94,95,96,97,99,100,102,103,105,106,107,108,109,110,111,112,114,115,116,117,119,120,121,123,124,126,127,128,129,91,131,132,133,134,135,136,137,139,140,142,143,144,145,147,148,23,149,150,151,152,154,155,23,156,157,23,158,159,161,162,163,164,166,167,168,170,171,68,172,173,175,177,49,179,180,181,182,183,184,185,186,187,188,191,192,193,194,196,197,199,200,26,201,201,202,203,22,205,91,206,207,50,208,209,211,54,212,188,213,214,215,216,217,219,220,221,222,223,224,225,226,227,54,228,229,100,230,231,39,232,233,234,235,236,237,238,239,240,243,244,245,246,247,248,249,250,50,251,252,68,254,255,159,257,258,259,260,261,144,262,263,264,265,267,221,268,269,270,271,272,273,225,274,275,276,277,278,279,281,56,282,283,284,286,221,287,288,201,289,290,291,112,292,294,295,296,297,298,299,300,302,304,305,306,307,308,310,311,221,49,313,314,315,175,316,54,317,144,314,318,320,321,322,324,325,326,294,328,330,331,332,333,334,335,336,337,339,340,22,341,342,343,344,345,346,129,348,54,349,350,351,352,354,355,356,357,359,360,362,364,365,366,368,369,370,372,373,374,375,376,377,378,379,380,252,381,383,129,221,384,272,385,387,388,182,389,151,391,392,393,394,395,396,397,398,52,399,23,401,402,404,406,407,259,342,408,409,411,413,414,415,416,417,231,418,420,421,221,422,91,423,425,426,427,354,428,76,429,430,431,432,434,23,435,436,437,159,438,439,276,440,441,442,443,444,392,259,445,221,91,446,447,448,449,450,451,452,454,455,456,68,458,91,459,175,460,461,463,464,465,467,469,470,471,473,474,23,475,343,177,477,478,479,480,392,481,482,484,426,197,486,487,488,279,489,490,491,492,494,181,495,496,497,498,499,500,164,501,188,100,503,504,505,506,129,305,76,392,188,507,509,510,512,514,516,517,519,520,521,305,23,522,523,524,525,482,526,527,528,530,531,532,533,534,535,49,536,393,537,538,140,539,540,456,541,542,544,545,546,548,549,550,551,552,237,553,143,554,555,425,556,557,558,49,559,560,561,562,49,524,563,564,565,566,252,307,567,568,569,570,571,572,573,574,575,487,576,49,577,578,579,54,580,392,581,582,583,584,585,586,587,588,590,591,592,372,594,571,595,596,597,598,569,599,600,22,321,601,602,49,392,603,604,144,605,606,344,608,609,610,181,611,612,613,614,615,616,617,415,618,619,620,622,623,624,625,626,627,628,630,631,632,119,633,227,336,634,541,635,604,636,637,638,640,307,641,350,642,643,644,9,645,646,647,648,23,650,651,380,652,541,487,653,140,654,129,655,656,657,658,659,541,175,660,661,662,663,664,665,666,667,668,670,671,352,672,673,674,675,676,677,678,679,680,681,205,682,683,685,686,305,687,688,689,691,692,693,694,695,696,697,699,561,700,701,702,703,704,705,706,707,708,709,710,23,711,712,713,553,100,579,714,715,716,718,719,221,720,392,721,181,722,724,725,726,727,728,730,731,732,733,734,735,736,737,738,739,740,49,741,742,744,745,746,747,464,748,749,750,751,753,754,416,755,252,756,128,103,561,757,758,759,760,761,541,22,762,763,764,221,765,767,768,769,159,770,771,772,773,774,775,776,704,777,778,779,608,322,780,781,782,783,784,785,223,786,787,525,305,788,789,305,418,790,791,792,793,794,796,797,798,799,392,800,801,802,803,804,805,806,807,809,810,318,811,177,812,813,23,814,815,68,816,817,68,818,40,819,114,820,372,821,822,823,824,825,826,527,827,828,829,830,109,831,832,49,833,834,835,836,837,838,839,840,841,842,843,845,846,847,848,320,128,849,850,188,738,231,851,852,853,23,392,854,470,855,856,857,148,504,858,59,859,860,861,100,863,864,91,865,791,866,867,258,487,869,221,437,271,871,819,645,872,49,873,875,876,877,878,879,507,881,414,33,344,882,883,884,885,886,887,888,889,890,892,893,894,895,402,896,221,898,899,900,901,173,902,903,904,905,907,908,220,290,909,551,910,911,912,650,52,249,913,914,915,916,917,392,741,918,919,140,921,922,521,923,554,54,924,610,925,604,927,602,789,928,929,930,931,932,221,933,152,934,240,935,613,936,938,939,772,760,620,940,941,943,944,945,207,946,702,947,948,949,491,950,951,828,952,214,953,956,49,957,958,602,959,960,904,961,406,962,610,963,964,965,54,927,966,967,968,636,969,970,971,972,305,973,974,975,976,132,977,978,420,481,981,982,983,828,984,985,986,144,987,988,863,826,989,990,304,991,388,992,993,994,208,995,996,997,22,79,999,549,794,987,1000,1001,41,1003,1004,1005,425,185,1006,1007,392,251,23,494,812,374,1008,109,1009,1011,1012,551,1013,1014,771,1015,1016,1017,1018,1019,1020,1021,1023,541,1024,1026,1027,1028,1029,49,1030,259,1031,1032,1033,1035,1036,1037,1038,54,1039,22,407,1040,1041,1042,1043,208,1044,1045,1046,22,470,1047,1048,1049,274,1050,364,2,373,1051,1052,1053,1054,1056,1057,345,1058,1059,1060,1062,47,1063,573,1064,1065,1066,531,1067,182,68,1068,1069,1070,1071,1072,536,896,1073,1074,541,1075,1076,1077,711,221,1078,933,76,1079,1080,1081,875,1082,489,687,1083,1084,1085,54,557,1086,1087,185,208,503,1088,1028,1089,68,220,1090,1091,1092,221,610,478,1093,1094,232,1095,1096,826,1097,1099,1100,1102,1103,1104,1105,402,1106,49,68,1107,1108,244,1110,1111,99,1112,634,1113,689,1114,1115,1116,666,158,259,640,342,1117,1118,23,392,1120,415,1121,1122,271,1123,1124,50,1125,208,1127,1128,221,1129,265,1130,1131,292,1132,1133,1134,1135,1136,484,49,1137,1138,1139,392,1140,1141,311,1142,1143,791,1144,1145,1146,252,1147,1148,1149,1151,1152,279,23,1153,1154,1155,1156,866,1157,1159,996,1160,402,1161,1162,49,1163,1006,1164,1165,1166,1167,1012,1168,1170,982,1171,1172,1173,1175,1176,1177,1178,1179,1180,1181,1182,1116,344,23,1183,1184,1185,1186,944,1187,1189,1190,1191,1192,555,1193,188,1194,1195,1196,601,1197,1198,1199,1200,1201,1202,1203,81,1204,679,1205,1206,1208,760,1210,456,1212,1214,1215,1216,1217,1218,1219,1220,1221,1222,1223,1224,164,1225,1226,1227,1229,1230,1231,129,1232,1233,1234,1235,1236,1237,656,1239,1045,866,1240,1241,1242,991,1243,1244,1245,1246,1220,1247,1249,1250,1123,1251,884,1252,1254,611,532,279,1255,49,1256,1257,41,1258,1259,1260,23,1262,1263,1264,1265,1267,435,1268,1270,1271,541,1272,1273,1274,1275,813,1276,1277,1278,1279,49,1280,1281,561,1283,1284,326,730,660,1285,1286,47,1287,1288,1289,507,1290,1291,188,50,1293,525,1294,1295,173,21,227,1296,1297,1298,1300,1006,1301,1302,1303,575,35,1304,1305,1306,1307,620,1308,1309,23,261,1310,620,1311,1312,1313,1314,114,1315,1316,1317,1318,1319,1320,1322,136,49,1323,300,1324,1325,221,231,1326,68,1327,185,1328,182,688,1329,1330,1331,1333,1334,550,1335,49,1336,831,991,525,1337,1338,1339,50,1023,1340,1341,938,1342,1343,1344,1345,1346,1347,359,91,1348,1349,68,1350,1351,372,1352,1353,1354,731,456,1355,576,1356,1357,1358,26,1062,1359,1360,1361,1233,1362,1363,1364,161,392,185,738,1365,590,541,1366,413,415,1123,1367,610,1368,1369,1370,850,521,1372,1373,1374,463,1375,1376,1294,23,261,1377,1378,1379,1380,1381,261,588,1383,1384,692,1385,1386,823,1387,1389,1390,202,1391,1392,1393,413,1394,1395,1396,1397,1077,802,1398,180,1045,1399,235,1400,1401,54,68,1402,1403,1404,1405,1406,1141,201,1407,784,501,1409,847,967,1410,1411,1412,1413,21,47,159,1414,1415,1021,1416,305,1417,1418,54,1419,1420,1421,1422,986,1423,507,521,1425,402,661,1426,159,1427,1428,68,1429,1430,1431,660,1432,1434,504,1435,1436,1437,1438,1440,1441,221,1171,1442,1443,660,1444,612,1000,1436,380,1149,1445,961,373,1220,1446,151,1447,1448,1449,1450,1451,1452,1315,1454,1234,858,1455,1456,1457,482,1458,334,392,267,1459,1460,1461,22,1462,1463,115,1464,1465,1467,1225,22,1468,1469,932,1471,1472,1473,144,47,1474,803,1475,1476,1477,1478,1479,572,1481,1482,378,1483,1484,243,1485,1487,54,344,990,1488,269,1489,1490,68,1491,533,604,1492,484,1493,201,1495,1496,1497,1498,1499,345,813,188,1252,1500,1501,1502,105,1503,1504,1505,22,119,1506,1507,1509,1510,1511,1512,1513,1331,1514,626,49,1516,1517,1518,1519,158,1520,984,181,41,159,1522,22,151,1523,22,392,1524,1525,802,1526,249,1527,1528,1529,1277,1530,1531,1532,1534,1535,746,1536,455,392,969,1136,1537,1538,1540,54,1542,1543,1544,1545,1546,68,1547,1548,1549,1550,525,1551,1092,1012,1552,1553,527,1554,1555,1556,1558,1559,268,1560,1561,94,201,1563,1564,864,1565,1566,944,1567,76,1568,1570,1571,39,1572,750,1012,1573,1574,1438,23,1576,932,54,1577,1578,791,1579,1580,1581,1582,1584,1585,814,1586,1587,1588,1591,76,297,1592,1225,49,1593,1594,1595,1596,1598,755,1599,1600,1601,1602,454,692,1603,22,208,1604,330,1605,1244,1606,1607,634,784,219,1233,1608,1609,1611,40,1612,1613,602,1614,1615,1616,1617,1618,261,1619,1620,91,1621,1622,1623,1624,1625,1626,415,1627,1628,1629,1630,1631,1632,507,1633,91,571,1634,1635,1636,1637,1639,1172,1640,1471,1641,1642,144,351,634,953,1643,1225,62,818,991,1644,1646,1647,54,201,68,497,1648,1649,213,94,1650,182,54,1651,1652,1518,1653,1654,1655,1656,223,296,1657,1658,556,1659,1660,561,1661,1662,1663,1664,1665,1075,1666,1667,307,1668,1669,1670,507,223,1672,1673,1464,1674,1675,1676,1677,494,1678,1679,1681,1682,1683,1684,1685,1686,1687,1688,1689,1690,1691,819,1692,1693,1694,1695,1696,1698,222,1700,826,764,1701,1702,1703,990,574,1704,1705,182,602,764,411,1706,692,1707,660,435,1708,133,1379,1709,812,1710,221,1711,1712,1713,1714,1715,1716,1717,1718,1719,1721,1134,372,94,1722,54,1723,1712,1724,1725,1726,49,431,1262,1727,299,1728,1113,265,392,407,1730,944,1731,289,1732,1734,1735,1736,76,977,1737,1738,208,1739,1352,1740,1427,23,1741,1742,1743,351,1606,68,320,1315,893,1744,1745,1746,1747,1748,23,261,1750,780,556,1751,23,1752,1753,227,1754,1755,1392,159,49,181,109,188,1756,1757,561,1758,140,1759,1761,1762,1763,1764,1765,1766,208,1768,478,1769,1771,602,1772,1773,22,430,1774,1775,1776,1777,1778,561,1779,245,602,221,1780,1781,525,1690,491,1782,1454,1783,1784,828,1746,1785,620,1786,1244,1787,49,83,1788,1789,1790,1791,1792,1793,987,1794,1795,185,1797,479,1202,1798,1799,1422,1800,85,1801,610,1802,1803,1277,1804,1805,1806,1807,435,692,1810,491,1811,491,1812,1308,1813,1357,1527,1814,1815,1816,274,1262,1817,1818,1819,1820,1821,437,859,261,759,1822,235,1823,1824,345,1825,1026,574,188,1580,828,541,1826,1827,1828,1829,1830,276,546,1620,1831,1832,1833,343,1834,1835,1836,1837,1838,1839,221,91,1840,1841,650,1582,1842,76,1844,1845,1846,1847,1848,1849,1850,1026,40,1851,1852,1853,643,1854,143,68,49,93,1134,1855,1856,1625,1857,1858,274,1859,1860,1861,1287,1862,1863,68,501,1864,1167,144,1865,1866,1659,1867,1868,586,1869,1870,820,1148,1872,375,1873,1874,1875,784,1876,944,1877,1878,1879,873,22,1880,996,1881,1440,91,819,1882,1464,1883,23,208,1884,158,1886,1887,1888,1889,49,392,1891,1,1892,1893,1894,54,1895,1896,1897,1898,1900,1873,1132,1902,1115,380,1611,1217,1903,1904,1905,29,1906,1907,188,610,1333,1854,1582,1908,1909,1910,1911,1912,602,116,1913,1914,1915,1916,967,426,1917,151,54,248,1918,1644,1919,1821,1479,22,68,1241,50,1921,300,1614,1922,623,392,1923,1924,1925,1926,85,1927,925,1929,1930,814,1931,828,193,1932,996,1006,646,49,1571,1722,1933,1231,1934,1937,221,1938,881,1939,1769,1940,22,1941,1942,1598,1943,1944,1945,272,1946,1948,1949,1950,1951,528,1952,1953,927,1954,828,1955,1580,1956,1957,1348,1850,1958,1943,1959,814,1960,1961,261,339,1962,1963,1964,1676,1823,1965,380,1966,507,763,1968,221,1970,1723,532,257,1971,1972,1973,85,68,1974,378,1975,760,1977,1978,1979,1980,22,1981,1983,1984,1985,1986,1987,1988,611,650,1989,507,927,365,1821,1118,465,68,1948,1990,1991,269,1682,1866,1992,1993,604,1994,1900,1995,1996,1997,1998,247,1623,610,1999,996,2000,1084,2001,364,925,704,2002,2003,1183,679,1141,1263,1551,2005,2006,833,2007,2008,1353,2009,49,340,683,2010,594,1632,2012,392,2013,2014,2015,2016,2017,2018,158,2019,1397,119,393,2020,2021,2022,1419,22,2023,2024,380,604,2025,144,2026,2027,2028,2029,1722,261,1497,2030,36,2031,22,2032,2033,2034,2036,826,2037,1014,1423,29,692,2038,1080,1833,2039,1835,2040,2042,2043,2044,2045,1887,1746,76,2046,833,2047,254,2048,1427,2049,2050,2051,2052,231,2053,23,316,2054,49,2055,1093,2056,1333,1844,135,2057,315,819,2058,2059,2060,610,2062,2063,1691,2064,357,2065,2066,2067,819,2068,2069,68,2070,2071,2072,1743,2073,2074,91,1099,2075,50,2076,2077,2078,2079,392,2080,1114,2082,2083,2084,2085,814,2086,1147,392,1814,610,305,925,1180,2087,2088,94,434,523,757,2089,2090,234,2092,2093,794,628,2094,2095,1452,2096,164,2097,2098,2099,2100,601,828,2101,2102,232,1379,2103,2104,819,1400,2106,1315,1990,1829,2107,22,1450,2108,2109,576,2110,2111,2112,2113,1829,305,81,240,2114,2034,1961,2115,39,123,2116,164,2117,2118,307,2119,2120,731,2121,1183,953,1235,2122,2123,2124,52,2125,2126,2127,2128,2129,881,2130,392,2131,395,1577,180,287,2132,1032,2133,2134,355,2136,2137,2138,2139,604,2140,665,1197,2141,2143,221,1134,2144,2145,525,2146,208,2147,2148,201,2149,2036,2150,2128,299,896,1157,2151,682,727,1580,2152,2153,1580,2155,2156,2157,2158,803,2159,2160,828,2161,1873,2107,2162,2163,2164,2165,2166,2167,375,322,1023,343,1531,1074,1972,2168,261,2169,380,604,2170,1694,2171,2172,201,1519,2173,1343,2174,2175,2176,2177,1875,164,819,1542,2178,430,2179,254,1360,2180,2181,184,1220,2182,2183,315,1866,2034,541,2184,588,615,2185,2186,305,1208,1023,634,2187,2188,22,22,85,977,2189,2190,2191,1869,828,2192,2193,2194,2195,2196,650,881,448,575,725,2197,1746,2198,2199,221,2200,2201,919,2202,147,2203,2204,1481,2205,1460,2206,2207,601,1742,2208,2029,2209,2210,305,724,2211,1844,1835,496,2212,2071,2213,1594,2137,1315,2214,2215,91,2216,2217,2218,2219,2220,2221,568,720,497,610,2222,2223,585,2224,2225,1710,2226,2227,1237,2228,2229,2230,2231,2232,135,2145,2233,378,2235,2236,1450,620,1026,152,2237,2238,1244,1459,2239,2240,2241,2242,2243,884,151,2244,577,152,2245,2246,2247,427,2221,2249,2250,2251,1265,221,2252,22,1331,2253,2254,478,2255,602,54,2256,2257,2258,507,2260,1850,1505,2261,22,2262,660,2263,734,2264,2265,2266,1882,2267,152,430,2269,2270,231,2271,2272,2273,2149,68,2274,1431,2276,299,1124,2277,1075,2278,2279,2280,604,2281,2282,824,417,2284,2285,2286,2287,520,2288,2289,1602,159,54,2290,243,2291,2292,87,2293,2294,2069,697,2296,334,2297,970,2298,2299,372,2121,2264,1243,143,602,910,2300,431,1206,1454,214,2301,2302,2303,2304,1327,763,91,2305,2306,654,2307,1333,567,1930,2308,2309,456,221,837,1693,2310,2312,527,720,2313,392,1114,2314,2315,213,2316,2317,846,2318,2319,435,925,863,2069,2320,2321,2322,798,2323,2324,201,221,541,2326,2327,2233,208,2328,2329,2330,23,1948,305,2316,1065,332,1139,2331,2333,54,159,2334,1313,859,718,2335,1020,401,755,455,2336,2258,2337,1855,794,91,2338,243,1835,49,2339,144,1520,2341,624,76,2342,2159,1166,2343,307,2344,2345,458,991,2346,484,2347,1362,2348,392,274,354,2349,1134,2350,115,2351,2352,2199,49,2353,2354,1189,2355,718,847,932,2356,585,2235,1757,2357,2358,2159,2359,2360,2361,2362,1012,494,2363,221,1549,2364,2365,1981,188,1260,2366,983,2367,155,2368,2369,243,2370,2371,523,2372,2373,2374,2375,243,2376,2377,416,2378,602,2379,2381,54,41,1017,221,151,1235,2382,2383,1507,52,1406,2349,2384,1505,2385,1267,99,2386,2387,2388,1746,1252,2389,120,2390,2391,850,2379,2392,2393,2394,2395,2396,2397,494,1598,2398,2399,2401,2402,525,2404,351,2405,456,2406,814,315,2407,2408,2409,2410,2411,2412,1293,2413,2414,2415,2416,23,1463,2417,760,983,2418,187,2419,52,2420,1825,2421,2422,68,2423,2424,2425,2426,2428,2429,2430,2431,2169,435,2432,91,2433,221,50,2434,392,2435,2436,2437,2438,2439,2440,2441,255,900,2442,2443,423,1762,2445,2446,144,2447,279,261,2448,688,2449,2451,21,2264,1686,2453,2390,430,2454,2455,2237,544,847,1373,2457,924,2458,2459,884,68,1463,494,1666,2460,1257,2461,94,2462,91,344,306,646,2463,354,109,2464,2465,2466,305,2467,143,22,945,2468,50,2469,2470,727,2471,2473,2474,380,1432,2475,159,349,2476,2477,2478,718,1829,2479,94,2480,287,392,398,2481,416,2482,2483,91,2485,2486,692,2489,768,2490,331,2491,812,1630,2492,1518,2493,2495,2496,164,368,1460,1744,1975,221,2497,2498,2499,2072,1232,2501,1245,910,2502,2503,2504,851,68,851,756,2505,2506,1267,2508,1443,2008,2509,322,2510,2511,604,2512,2513,553,1630,1603,2514,2515,334,2516,2517,1315,514,793,2250,498,2518,2519,1303,1821,1139,2520,2521,83,2522,2523,1263,1892,2524,1835,1114,401,1137,2346,561,345,541,2525,2526,2374,915,2527,2528,585,2529,2530,68,497,1179,499,2531,2532,2533,171,2534,2535,2536,2538,803,456,2317,68,835,2539,704,378,557,2541,2520,2542,2543,2544,2545,2546,620,948,647,2547,1463,2548,1723,2549,602,2550,201,2551,2552,2553,2554,2555,601,2556,295,2176,49,692,181,1829,2557,2558,1419,1380,2559,2560,2561,1402,1141,1016,2562,1779,1490,2563,2564,243,290,2565,182,794,2566,39,180,838,2567,2568,2569,2570,68,2571,2573,549,111,2574,1883,2575,2130,232,1412,2518,2576,295,2577,484,2483,2578,2579,2580,837,1911,2581,2582,2583,2584,561,388,2586,2587,2588,2589,2590,2591,875,223,1477,1123,1850,1490,68,2592,2593,2239,2594,76,2595,2596,2597,50,2598,2215,375,2084],"time":[2160792986.933803,2160792988.519015,2160792992.400195,2160792995.762403,2160792998.815276,2160793001.377188,2160793003.553313,2160793005.566374,2160793007.331471,2160793008.988195,2160793010.482035,2160793011.902194,2160793013.265872,2160793014.537918,2160793015.767643,2160793016.966748,2160793018.114341,2160793019.238254,2160793020.346377,2160793021.425549,2160793022.49159,2160793023.547812,2160793024.598263,2160793025.634135,2160793026.663836,2160793027.689057,2160793028.713018,2160793029.729148,2160793030.742219,2160793031.75321,2160793032.76503,2160793033.771941,2160793034.777401,2160793035.782042,2160793036.788363,2160793037.791223,2160793038.793284,2160793039.795044,2160793040.799435,2160793041.799795,2160793042.800365,2160793043.800826,2160793044.804216,2160793045.804547,2160793046.804817,2160793047.804248,2160793048.806958,2160793049.806639,2160793050.80608,2160793051.80567,2160793052.807831,2160793053.807281,2160793054.806622,2160793055.805922,2160793056.808142,2160793057.807573,2160793058.806803,2160793059.806044,2160793060.808254,2160793061.807615,2160793062.807105,2160793063.806375,2160793064.736444,2160793065.5216,2160793066.314327,2160793067.134133,2160793067.980781,2160793068.745986,2160793069.346009,2160793069.969091,2160793070.644045,2160793071.37006,2160793072.146236,2160793072.970733,2160793073.82491,2160793074.707168,2160793075.603206,2160793076.514925,2160793077.448064,2160793078.397774,2160793079.350673,2160793080.311093,2160793081.285643,2160793082.259932,2160793083.238192,2160793084.224593,2160793085.209713,2160793086.196523,2160793087.196983,2160793088.194484,2160793089.191344,2160793090.193835,2160793091.197075,2160793092.195515,2160793093.192406,2160793094.189766,2160793095.187287,2160793096.186317,2160793097.189888,2160793098.188638,2160793099.186609,2160793100.18628,2160793101.18467,2160793102.18307,2160793103.181681,2160793104.187781,2160793105.186842,2160793106.185162,2160793107.183613,2160793108.183813,2160793109.182823,2160793110.181584,2160793111.180494,2160793112.180825,2160793113.180045,2160793114.179236,2160793115.178546,2160793116.184476,2160793117.188817,2160793118.187377,2160793119.185748,2160793120.198899,2160793121.201729,2160793122.203509,2160793123.20463,2160793124.20209,2160793125.198041,2160793126.194121,2160793127.190651,2160793128.194232,2160793129.191792,2160793130.188923,2160793131.186673,2160793132.188763,2160793133.186994,2160793134.185044,2160793135.188605,2160793136.188365,2160793137.186326,2160793138.184656,2160793139.182936,2160793140.182977,2160793141.181727,2160793142.180588,2160793143.179568,2160793144.179939,2160793145.179239,2160793146.17848,2160793147.189541,2160793148.196271,2160793149.200002,2160793150.201722,2160793151.203473,2160793152.209303,2160793153.205074,2160793154.200134,2160793155.195764,2160793156.193185,2160793157.191005,2160793158.188296,2160793159.185986,2160793160.185536,2160793161.183977,2160793162.182477,2160793163.186468,2160793164.186548,2160793165.184919,2160793166.195069,2160793167.19966,2160793168.20423,2160793169.205361,2160793170.206501,2160793171.207502,2160793172.216172,2160793173.217543,2160793174.217553,2160793175.217454,2160793176.217244,2160793177.216434,2160793178.210695,2160793179.216645,2160793180.218626,2160793181.218606,2160793182.217027,2160793183.216147,2160793184.211337,2160793185.205898,2160793186.200768,2160793187.196318,2160793188.199039,2160793189.196279,2160793190.192809,2160793191.20152,2160793192.206161,2160793193.208371,2160793194.215292,2160793195.215383,2160793196.216473,2160793197.210724,2160793198.205164,2160793199.200044,2160793200.196795,2160793201.193405,2160793202.190455,2160793203.187906,2160793204.198717,2160793205.202767,2160793206.205718,2160793207.206638,2160793208.204008,2160793209.199639,2160793210.195939,2160793211.192479,2160793212.1907,2160793213.18837,2160793214.186271,2160793215.184481,2160793216.184151,2160793217.194722,2160793218.199623,2160793219.203223,2160793220.206114,2160793221.207404,2160793222.203634,2160793223.209975,2160793224.213165,2160793225.214266,2160793226.213706,2160793227.208257,2160793228.204207,2160793229.199677,2160793230.195718,2160793231.192288,2160793232.195639,2160793233.193249,2160793234.190479,2160793235.18802,2160793236.19319,2160793237.191481,2160793238.189411,2160793239.187251,2160793240.186722,2160793241.185442,2160793242.183693,2160793243.182324,2160793244.182784,2160793245.181815,2160793246.180915,2160793247.180426,2160793248.181346,2160793249.180736,2160793250.180057,2160793251.184777,2160793252.185748,2160793253.184488,2160793254.183159,2160793255.182289,2160793256.1827,2160793257.18176,2160793258.192661,2160793259.197961,2160793260.203302,2160793261.211442,2160793262.213593,2160793263.214823,2160793264.215844,2160793265.210594,2160793266.204964,2160793267.200305,2160793268.197355,2160793269.193965,2160793270.202806,2160793271.206656,2160793272.210197,2160793273.210567,2160793274.211078,2160793275.206318,2160793276.214499,2160793277.216049,2160793278.21654,2160793279.2169,2160793280.217041,2160793281.211521,2160793282.205671,2160793283.200842,2160793284.197682,2160793285.194292,2160793286.203073,2160793287.206863,2160793288.210364,2160793289.217275,2160793290.218505,2160793291.218886,2160793292.219017,2160793293.213257,2160793294.207197,2160793295.213678,2160793296.216328,2160793297.217069,2160793298.217439,2160793299.22302,2160793300.22314,2160793301.216901,2160793302.210641,2160793303.204841,2160793304.201382,2160793305.197462,2160793306.194112,2160793307.191273,2160793308.201803,2160793309.205674,2160793310.208114,2160793311.215435,2160793312.223665,2160793313.222686,2160793314.227926,2160793315.227327,2160793316.227377,2160793317.225098,2160793318.223018,2160793319.216148,2160793320.210989,2160793321.205909,2160793322.201169,2160793323.19707,2160793324.19482,2160793325.1921,2160793326.189671,2160793327.199311,2160793328.204842,2160793329.207652,2160793330.215163,2160793331.215723,2160793332.211864,2160793333.218405,2160793334.219625,2160793335.220046,2160793336.226977,2160793337.232127,2160793338.229738,2160793339.222098,2160793340.215998,2160793341.209829,2160793342.204459,2160793343.199799,2160793344.19707,2160793345.19403,2160793346.203111,2160793347.206831,2160793348.210692,2160793349.217872,2160793350.217953,2160793351.212793,2160793352.220363,2160793353.221294,2160793354.221174,2160793355.226285,2160793356.232585,2160793357.231536,2160793358.228376,2160793359.226017,2160793360.219957,2160793361.213217,2160793362.219068,2160793363.219948,2160793364.221309,2160793365.220069,2160793366.213959,2160793367.20799,2160793368.20405,2160793369.20006,2160793370.196391,2160793371.205011,2160793372.209602,2160793373.211812,2160793374.218743,2160793375.218863,2160793376.219914,2160793377.225994,2160793378.226075,2160793379.225435,2160793380.226036,2160793381.223996,2160793382.217267,2160793383.210797,2160793384.218198,2160793385.219489,2160793386.219779,2160793387.218569,2160793388.21423,2160793389.22103,2160793390.220681,2160793391.214791,2160793392.210141,2160793393.205402,2160793394.201452,2160793395.197122,2160793396.206863,2160793397.210014,2160793398.211974,2160793399.212354,2160793400.214265,2160793401.209325,2160793402.204286,2160793403.200096,2160793404.197446,2160793405.194437,2160793406.203517,2160793407.207248,2160793408.214098,2160793409.214679,2160793410.209709,2160793411.20467,2160793412.21325,2160793413.215281,2160793414.216271,2160793415.215731,2160793416.211892,2160793417.206642,2160793418.213853,2160793419.215653,2160793420.217924,2160793421.218584,2160793422.217735,2160793423.217375,2160793424.213005,2160793425.207926,2160793426.203056,2160793427.198836,2160793428.196767,2160793429.194027,2160793430.191538,2160793431.189379,2160793432.188779,2160793433.1874,2160793434.19792,2160793435.202731,2160793436.207601,2160793437.215452,2160793438.222762,2160793439.222483,2160793440.217843,2160793441.212103,2160793442.206334,2160793443.201614,2160793444.210825,2160793445.213465,2160793446.214956,2160793447.215176,2160793448.211737,2160793449.206717,2160793450.202457,2160793451.198628,2160793452.196738,2160793453.205729,2160793454.209399,2160793455.21192,2160793456.21417,2160793457.20946,2160793458.204551,2160793459.212001,2160793460.215702,2160793461.217052,2160793462.217993,2160793463.217473,2160793464.213543,2160793465.208314,2160793466.203594,2160793467.199684,2160793468.197615,2160793469.206655,2160793470.210276,2160793471.212726,2160793472.221577,2160793473.222628,2160793474.222708,2160793475.221378,2160793476.216919,2160793477.211109,2160793478.21765,2160793479.219151,2160793480.221081,2160793481.220242,2160793482.214782,2160793483.209292,2160793484.205523,2160793485.213253,2160793486.215734,2160793487.217304,2160793488.218455,2160793489.218465,2160793490.213046,2160793491.207616,2160793492.204166,2160793493.200347,2160793494.208747,2160793495.211898,2160793496.215238,2160793497.222019,2160793498.221799,2160793499.216069,2160793500.21175,2160793501.2068,2160793502.202441,2160793503.198681,2160793504.214442,2160793505.217642,2160793506.218943,2160793507.225103,2160793508.225764,2160793509.219334,2160793510.213154,2160793511.207474,2160793512.203805,2160793513.200375,2160793514.197116,2160793515.194296,2160793516.205027,2160793517.208857,2160793518.211388,2160793519.218688,2160793520.223399,2160793521.228789,2160793522.22739,2160793523.22069,2160793524.21543,2160793525.209771,2160793526.204851,2160793527.200582,2160793528.198223,2160793529.207163,2160793530.210764,2160793531.213214,2160793532.221945,2160793533.221815,2160793534.215865,2160793535.210286,2160793536.206366,2160793537.202206,2160793538.210317,2160793539.213198,2160793540.219318,2160793541.220609,2160793542.221209,2160793543.221599,2160793544.22323,2160793545.22207,2160793546.215981,2160793547.210091,2160793548.211421,2160793549.207332,2160793550.202872,2160793551.199392,2160793552.197153,2160793553.194563,2160793554.203944,2160793555.208004,2160793556.212115,2160793557.219415,2160793558.219756,2160793559.214436,2160793560.210577,2160793561.205867,2160793562.201637,2160793563.209698,2160793564.213888,2160793565.215879,2160793566.217229,2160793567.21864,2160793568.22083,2160793569.221451,2160793570.220531,2160793571.220152,2160793572.215722,2160793573.210602,2160793574.205703,2160793575.201464,2160793576.202094,2160793577.199305,2160793578.196465,2160793579.205696,2160793580.210806,2160793581.213467,2160793582.214137,2160793583.209977,2160793584.206708,2160793585.214518,2160793586.216989,2160793587.218489,2160793588.22177,2160793589.22756,2160793590.226641,2160793591.220321,2160793592.221051,2160793593.224062,2160793594.223312,2160793595.222793,2160793596.224643,2160793597.226634,2160793598.227104,2160793599.226795,2160793600.228125,2160793601.227426,2160793602.226786,2160793603.226236,2160793604.232287,2160793605.230387,2160793606.223098,2160793607.216038,2160793608.222878,2160793609.223679,2160793610.223669,2160793611.22878,2160793612.22987,2160793613.229001,2160793614.228411,2160793615.227502,2160793616.228012,2160793617.225982,2160793618.224613,2160793619.218143,2160793620.224914,2160793621.225384,2160793622.225045,2160793623.229936,2160793624.229516,2160793625.222477,2160793626.227307,2160793627.227208,2160793628.227748,2160793629.227128,2160793630.231859,2160793631.229909,2160793632.22398,2160793633.22898,2160793634.228941,2160793635.228241,2160793636.234082,2160793637.238492,2160793638.242163,2160793639.238703,2160793640.231313,2160793641.223584,2160793642.216464,2160793643.210354,2160793644.206595,2160793645.214315,2160793646.216816,2160793647.218766,2160793648.221257,2160793649.227207,2160793650.232868,2160793651.237868,2160793652.243569,2160793653.239989,2160793654.231119,2160793655.23464,2160793656.23477,2160793657.233211,2160793658.230331,2160793659.228341,2160793660.222832,2160793661.216652,2160793662.210892,2160793663.206003,2160793664.211503,2160793665.208014,2160793666.203974,2160793667.212025,2160793668.216176,2160793669.217856,2160793670.219047,2160793671.218787,2160793672.220098,2160793673.214838,2160793674.221179,2160793675.222419,2160793676.2241,2160793677.22311,2160793678.2175,2160793679.211841,2160793680.222741,2160793681.224262,2160793682.224562,2160793683.223393,2160793684.219013,2160793685.213213,2160793686.208264,2160793687.214064,2160793688.217315,2160793689.217555,2160793690.212605,2160793691.207636,2160793692.204526,2160793693.212777,2160793694.215687,2160793695.217558,2160793696.219248,2160793697.219499,2160793698.214279,2160793699.220759,2160793700.22341,2160793701.22395,2160793702.229411,2160793703.228241,2160793704.223292,2160793705.228732,2160793706.228993,2160793707.228563,2160793708.228073,2160793709.221534,2160793710.215064,2160793711.209434,2160793712.217785,2160793713.219836,2160793714.220856,2160793715.220397,2160793716.221558,2160793717.216138,2160793718.210898,2160793719.206049,2160793720.203029,2160793721.199799,2160793722.197,2160793723.19455,2160793724.205341,2160793725.209411,2160793726.212212,2160793727.213262,2160793728.218933,2160793729.214393,2160793730.209253,2160793731.216424,2160793732.219785,2160793733.220905,2160793734.226936,2160793735.226246,2160793736.221366,2160793737.227087,2160793738.227607,2160793739.227408,2160793740.227158,2160793741.226079,2160793742.219709,2160793743.225349,2160793744.23015,2160793745.23017,2160793746.228231,2160793747.226891,2160793748.221721,2160793749.215942,2160793750.210492,2160793751.205772,2160793752.202953,2160793753.211553,2160793754.214844,2160793755.217064,2160793756.218865,2160793757.214025,2160793758.208946,2160793759.216256,2160793760.219677,2160793761.221147,2160793762.220778,2160793763.215509,2160793764.211529,2160793765.207409,2160793766.20351,2160793767.20014,2160793768.210121,2160793769.213561,2160793770.215782,2160793771.217592,2160793772.225733,2160793773.225403,2160793774.219344,2160793775.225084,2160793776.227075,2160793777.227195,2160793778.225685,2160793779.219466,2160793780.214626,2160793781.221387,2160793782.222967,2160793783.223747,2160793784.224278,2160793785.218508,2160793786.212689,2160793787.219349,2160793788.22218,2160793789.22303,2160793790.22235,2160793791.222101,2160793792.217861,2160793793.212522,2160793794.219622,2160793795.221453,2160793796.223693,2160793797.223124,2160793798.217554,2160793799.212064,2160793800.220185,2160793801.222005,2160793802.222826,2160793803.228726,2160793804.229187,2160793805.222767,2160793806.228148,2160793807.228488,2160793808.229368,2160793809.229389,2160793810.22913,2160793811.22936,2160793812.230101,2160793813.230411,2160793814.229552,2160793815.230022,2160793816.235653,2160793817.235773,2160793818.233724,2160793819.237844,2160793820.236965,2160793821.229375,2160793822.233795,2160793823.233296,2160793824.233816,2160793825.231787,2160793826.230047,2160793827.235018,2160793828.236468,2160793829.235518,2160793830.234049,2160793831.238139,2160793832.24412,2160793833.24233,2160793834.239901,2160793835.238301,2160793836.237742,2160793837.236092,2160793838.239852,2160793839.238383,2160793840.238133,2160793841.237134,2160793842.235594,2160793843.234134,2160793844.239905,2160793845.239455,2160793846.237246,2160793847.240996,2160793848.240797,2160793849.238787,2160793850.237268,2160793851.235658,2160793852.235788,2160793853.239909,2160793854.239049,2160793855.23739,2160793856.23733,2160793857.236191,2160793858.234831,2160793859.233682,2160793860.239403,2160793861.238213,2160793862.236474,2160793863.235164,2160793864.235294,2160793865.234065,2160793866.238215,2160793867.237276,2160793868.236986,2160793869.235907,2160793870.234477,2160793871.233227,2160793872.238908,2160793873.243128,2160793874.246379,2160793875.244349,2160793876.2434,2160793877.24079,2160793878.238461,2160793879.241731,2160793880.241251,2160793881.239182,2160793882.237142,2160793883.235383,2160793884.235413,2160793885.234203,2160793886.233074,2160793887.232104,2160793888.237855,2160793889.235585,2160793890.228056,2160793891.232656,2160793892.233847,2160793893.233007,2160793894.232157,2160793895.230028,2160793896.224868,2160793897.218568,2160793898.224839,2160793899.226069,2160793900.22795,2160793901.23351,2160793902.232191,2160793903.225541,2160793904.232402,2160793905.232472,2160793906.231773,2160793907.236334,2160793908.237034,2160793909.235735,2160793910.239355,2160793911.238156,2160793912.237796,2160793913.236276,2160793914.234827,2160793915.233587,2160793916.233738,2160793917.233208,2160793918.232389,2160793919.231589,2160793920.23741,2160793921.23667,2160793922.23522,2160793923.234201,2160793924.234501,2160793925.233602,2160793926.237882,2160793927.242363,2160793928.242163,2160793929.240373,2160793930.238324,2160793931.236484,2160793932.241415,2160793933.245315,2160793934.248296,2160793935.245816,2160793936.244207,2160793937.241627,2160793938.239227,2160793939.242178,2160793940.241628,2160793941.239659,2160793942.237659,2160793943.236149,2160793944.23583,2160793945.23464,2160793946.233561,2160793947.232611,2160793948.233022,2160793949.232402,2160793950.231702,2160793951.231113,2160793952.231753,2160793953.231314,2160793954.229465,2160793955.223015,2160793956.223556,2160793957.226926,2160793958.228017,2160793959.228407,2160793960.232988,2160793961.238148,2160793962.242759,2160793963.240129,2160793964.24543,2160793965.24346,2160793966.24084,2160793967.243451,2160793968.242661,2160793969.240382,2160793970.238242,2160793971.236352,2160793972.236003,2160793973.234863,2160793974.233654,2160793975.231284,2160793976.225754,2160793977.231095,2160793978.231425,2160793979.231156,2160793980.232016,2160793981.231547,2160793982.231007,2160793983.230827,2160793984.231818,2160793985.231348,2160793986.239669,2160793987.239329,2160793988.23936,2160793989.23802,2160793990.236621,2160793991.235221,2160793992.240832,2160793993.244912,2160793994.243092,2160793995.240793,2160793996.239913,2160793997.238084,2160793998.236374,2160793999.233624,2160794000.230755,2160794001.224035,2160794002.229576,2160794003.230127,2160794004.231277,2160794005.229698,2160794006.223458,2160794007.217208,2160794008.225089,2160794009.226389,2160794010.22686,2160794011.2259,2160794012.221351,2160794013.215811,2160794014.210821,2160794015.206522,2160794016.204092,2160794017.201262,2160794018.210473,2160794019.214364,2160794020.218364,2160794021.219145,2160794022.219985,2160794023.215395,2160794024.223676,2160794025.225346,2160794026.225987,2160794027.231687,2160794028.232008,2160794029.225818,2160794030.231049,2160794031.231309,2160794032.23211,2160794033.23698,2160794034.23519,2160794035.228151,2160794036.234381,2160794037.234202,2160794038.233292,2160794039.232603,2160794040.231793,2160794041.225453,2160794042.218644,2160794043.224764,2160794044.227475,2160794045.227965,2160794046.233446,2160794047.232627,2160794048.230367,2160794049.235798,2160794050.235698,2160794051.234949,2160794052.240749,2160794053.2396,2160794054.23784,2160794055.23664,2160794056.236811,2160794057.235631,2160794058.234472,2160794059.238792,2160794060.244723,2160794061.243093,2160794062.241034,2160794063.238904,2160794064.238494,2160794065.242295,2160794066.239535,2160794067.231706,2160794068.237266,2160794069.236596,2160794070.235247,2160794071.239377,2160794072.244828,2160794073.248358,2160794074.246259,2160794075.243399,2160794076.24206,2160794077.24513,2160794078.24172,2160794079.233361,2160794080.226631,2160794081.231792,2160794082.232042,2160794083.231612,2160794084.237753,2160794085.235763,2160794086.228374,2160794087.233024,2160794088.234205,2160794089.233485,2160794090.237926,2160794091.237176,2160794092.237136,2160794093.234507,2160794094.227278,2160794095.220328,2160794096.227249,2160794097.228169,2160794098.22823,2160794099.23347,2160794100.233421,2160794101.226911,2160794102.220131,2160794103.225922,2160794104.228182,2160794105.228483,2160794106.227333,2160794107.221363,2160794108.216784,2160794109.223644,2160794110.225315,2160794111.226205,2160794112.233356,2160794113.232266,2160794114.225847,2160794115.230987,2160794116.232408,2160794117.232028,2160794118.236759,2160794119.234979,2160794120.229629,2160794121.22285,2160794122.22849,2160794123.229251,2160794124.230511,2160794125.235762,2160794126.234332,2160794127.227472,2160794128.233813,2160794129.233833,2160794130.233064,2160794131.231044,2160794132.230924,2160794133.224555,2160794134.229915,2160794135.230346,2160794136.231346,2160794137.230067,2160794138.223697,2160794139.217527,2160794140.225128,2160794141.226579,2160794142.227049,2160794143.22737,2160794144.2277,2160794145.227121,2160794146.221221,2160794147.227132,2160794148.229222,2160794149.229433,2160794150.228193,2160794151.227363,2160794152.222684,2160794153.228904,2160794154.229835,2160794155.229965,2160794156.230096,2160794157.223916,2160794158.217806,2160794159.224107,2160794160.226717,2160794161.227418,2160794162.227758,2160794163.228099,2160794164.229579,2160794165.22972,2160794166.22852,2160794167.22248,2160794168.217831,2160794169.224871,2160794170.226522,2160794171.227322,2160794172.234513,2160794173.239883,2160794174.239084,2160794175.236444,2160794176.230324,2160794177.223415,2160794178.229015,2160794179.229756,2160794180.231006,2160794181.235887,2160794182.235697,2160794183.234907,2160794184.235338,2160794185.234528,2160794186.233879,2160794187.233139,2160794188.23249,2160794189.22599,2160794190.219591,2160794191.225701,2160794192.228342,2160794193.228832,2160794194.234353,2160794195.239534,2160794196.240284,2160794197.239264,2160794198.237835,2160794199.236535,2160794200.241916,2160794201.246146,2160794202.244497,2160794203.242237,2160794204.241767,2160794205.239988,2160794206.238338,2160794207.242159,2160794208.240869,2160794209.233179,2160794210.23739,2160794211.23678,2160794212.236911,2160794213.241281,2160794214.245372,2160794215.243882,2160794216.243503,2160794217.241553,2160794218.239833,2160794219.243454,2160794220.242024,2160794221.234215,2160794222.238375,2160794223.237716,2160794224.237876,2160794225.236836,2160794226.250227,2160794227.260788,2160794228.264268,2160794229.265139,2160794230.265729,2160794231.2596,2160794232.25028,2160794233.24051,2160794234.23191,2160794235.236431,2160794236.237581,2160794237.236972,2160794238.236533,2160794239.235963,2160794240.236684,2160794241.235244,2160794242.233745,2160794243.227435,2160794244.222815,2160794245.229406,2160794246.230836,2160794247.231807,2160794248.232387,2160794249.231798,2160794250.225908,2160794251.231998,2160794252.234379,2160794253.234439,2160794254.23306,2160794255.23219,2160794256.227691,2160794257.233621,2160794258.234442,2160794259.234582,2160794260.241383,2160794261.246183,2160794262.244963,2160794263.243494,2160794264.243274,2160794265.241725,2160794266.240225,2160794267.244746,2160794268.243666,2160794269.235976,2160794270.240197,2160794271.239667,2160794272.239788,2160794273.244158,2160794274.248519,2160794275.247039,2160794276.24664,2160794277.24467,2160794278.24273,2160794279.246361,2160794280.251481,2160794281.249462,2160794282.247142,2160794283.244753,2160794284.244193,2160794285.242554,2160794286.246344,2160794287.243765,2160794288.237265,2160794289.241726,2160794290.241236,2160794291.240187,2160794292.245747,2160794293.243378,2160794294.235578,2160794295.239908,2160794296.240659,2160794297.239759,2160794298.23756,2160794299.23072,2160794300.22555,2160794301.231841,2160794302.233091,2160794303.233522,2160794304.240342,2160794305.238923,2160794306.237273,2160794307.230493,2160794308.225454,2160794309.220004,2160794310.215244,2160794311.222785,2160794312.226496,2160794313.228076,2160794314.234477,2160794315.235407,2160794316.236707,2160794317.235378,2160794318.229028,2160794319.222859,2160794320.230449,2160794321.23181,2160794322.23232,2160794323.237951,2160794324.244681,2160794325.243922,2160794326.242342,2160794327.239592,2160794328.233843,2160794329.227173,2160794330.232893,2160794331.233774,2160794332.235164,2160794333.234085,2160794334.233276,2160794335.227316,2160794336.234417,2160794337.235187,2160794338.235128,2160794339.240308,2160794340.240109,2160794341.233529,2160794342.23842,2160794343.23836,2160794344.23892,2160794345.237111,2160794346.235781,2160794347.229402,2160794348.224422,2160794349.231132,2160794350.232603,2160794351.233273,2160794352.254294,2160794353.254305,2160794354.251725,2160794355.254496,2160794356.253496,2160794357.250566,2160794358.246517,2160794359.238157,2160794360.231517,2160794361.236848,2160794362.237268,2160794363.237069,2160794364.243309,2160794365.24272,2160794366.24151,2160794367.24018,2160794368.240591,2160794369.239761,2160794370.238832,2160794371.236832,2160794372.231422,2160794373.225153,2160794374.231333,2160794375.232554,2160794376.234254,2160794377.239765,2160794378.245135,2160794379.244556,2160794380.244826,2160794381.243367,2160794382.242097,2160794383.241108,2160794384.241259,2160794385.240359,2160794386.23946,2160794387.23867,2160794388.2392,2160794389.238631,2160794390.238301,2160794391.237782,2160794392.238502,2160794393.243023,2160794394.242513,2160794395.241423,2160794396.240424,2160794397.233454,2160794398.226794,2160794399.232545,2160794400.234625,2160794401.234946,2160794402.240356,2160794403.240427,2160794404.241047,2160794405.240308,2160794406.239478,2160794407.238729,2160794408.239359,2160794409.238799,2160794410.23824,2160794411.23776,2160794412.238861,2160794413.238491,2160794414.237962,2160794415.242892,2160794416.249013,2160794417.253073,2160794418.251414,2160794419.248904,2160794420.247874,2160794421.246235,2160794422.244395,2160794423.242826,2160794424.242996,2160794425.241866,2160794426.240767,2160794427.245117,2160794428.244328,2160794429.236978,2160794430.229689,2160794431.23528,2160794432.23697,2160794433.237021,2160794434.242171,2160794435.242072,2160794436.242542,2160794437.240452,2160794438.233533,2160794439.226883,2160794440.242224,2160794441.243664,2160794442.242595,2160794443.246945,2160794444.246926,2160794445.239266,2160794446.243466,2160794447.243157,2160794448.243317,2160794449.242238,2160794450.246538,2160794451.244429,2160794452.238489,2160794453.231729,2160794454.225419,2160794455.22,2160794456.22853,2160794457.230631,2160794458.231691,2160794459.232572,2160794460.234792,2160794461.235183,2160794462.234163,2160794463.228643,2160794464.224564,2160794465.231404,2160794466.233115,2160794467.234005,2160794468.241196,2160794469.241276,2160794470.240467,2160794471.239667,2160794472.240578,2160794473.239988,2160794474.239308,2160794475.238699,2160794476.239449,2160794477.23897,2160794478.243751,2160794479.243261,2160794480.243612,2160794481.242522,2160794482.241463,2160794483.240523,2160794484.241284,2160794485.240614,2160794486.239824,2160794487.244445,2160794488.243885,2160794489.236696,2160794490.241306,2160794491.241077,2160794492.241557,2160794493.240857,2160794494.245428,2160794495.244788,2160794496.248019,2160794497.246799,2160794498.24527,2160794499.24381,2160794500.249161,2160794501.247911,2160794502.246021,2160794503.244622,2160794504.244392,2160794505.243163,2160794506.247323,2160794507.251614,2160794508.251314,2160794509.249435,2160794510.247345,2160794511.245445,2160794512.245066,2160794513.249206,2160794514.246677,2160794515.238977,2160794516.244727,2160794517.244028,2160794518.242858,2160794519.246979,2160794520.247239,2160794521.2457,2160794522.24295,2160794523.23559,2160794524.230051,2160794525.235911,2160794526.236852,2160794527.237103,2160794528.243754,2160794529.243544,2160794530.242424,2160794531.241365,2160794532.241685,2160794533.240966,2160794534.240216,2160794535.238376,2160794536.238327,2160794537.232007,2160794538.237408,2160794539.237878,2160794540.244969,2160794541.243469,2160794542.24172,2160794543.23981,2160794544.24623,2160794545.245601,2160794546.244101,2160794547.241482,2160794548.235522,2160794549.228912,2160794550.234743,2160794551.235753,2160794552.237194,2160794553.237304,2160794554.237255,2160794555.237195,2160794556.238456,2160794557.238296,2160794558.238056,2160794559.237837,2160794560.238917,2160794561.238718,2160794562.238538,2160794563.237029,2160794564.232319,2160794565.226299,2160794566.23265,2160794567.23411,2160794568.236041,2160794569.241421,2160794570.241602,2160794571.241162,2160794572.247173,2160794573.246383,2160794574.244894,2160794575.243515,2160794576.243855,2160794577.242886,2160794578.241986,2160794579.246426,2160794580.246917,2160794581.245727,2160794582.244508,2160794583.243288,2160794584.243399,2160794585.247499,2160794586.246629,2160794587.24525,2160794588.24522,2160794589.244041,2160794590.242931,2160794591.247202,2160794592.250622,2160794593.249143,2160794594.247443,2160794595.246123,2160794596.245904,2160794597.244644,2160794598.248705,2160794599.252915,2160794600.252576,2160794601.250336,2160794602.248196,2160794603.246317,2160794604.245947,2160794605.244698,2160794606.243488,2160794607.242778,2160794608.243159,2160794609.242399,2160794610.24161,2160794611.24108,2160794612.241631,2160794613.240011,2160794614.233471,2160794615.227122,2160794616.222842,2160794617.230133,2160794618.232303,2160794619.233613,2160794620.235814,2160794621.236365,2160794622.236645,2160794623.235766,2160794624.231196,2160794625.225597,2160794626.232237,2160794627.234098,2160794628.236138,2160794629.237019,2160794630.237339,2160794631.23758,2160794632.24428,2160794633.243011,2160794634.236091,2160794635.229371,2160794636.236432,2160794637.237452,2160794638.237593,2160794639.236483,2160794640.231783,2160794641.226064,2160794642.232914,2160794643.234335,2160794644.236625,2160794645.242436,2160794646.241516,2160794647.240637,2160794648.247397,2160794649.246808,2160794650.245448,2160794651.249438,2160794652.248599,2160794653.240869,2160794654.24509,2160794655.24455,2160794656.244951,2160794657.244031,2160794658.243111,2160794659.242302,2160794660.243442,2160794661.248093,2160794662.246193,2160794663.238973,2160794664.245204,2160794665.244844,2160794666.243795,2160794667.243085,2160794668.243496,2160794669.242726,2160794670.247197,2160794671.251798,2160794672.251748,2160794673.249799,2160794674.247829,2160794675.24616,2160794676.24615,2160794677.245331,2160794678.244241,2160794679.243271,2160794680.248932,2160794681.248032,2160794682.246423,2160794683.243783,2160794684.237763,2160794685.231114,2160794686.236854,2160794687.237785,2160794688.239205,2160794689.244596,2160794690.249836,2160794691.254347,2160794692.254677,2160794693.252458,2160794694.250208,2160794695.253478,2160794696.258019,2160794697.255769,2160794698.25295,2160794699.25077,2160794700.249851,2160794701.248171,2160794702.251921,2160794703.255812,2160794704.255192,2160794705.253123,2160794706.250833,2160794707.248794,2160794708.253534,2160794709.252074,2160794710.249965,2160794711.253015,2160794712.252636,2160794713.250606,2160794714.254037,2160794715.252397,2160794716.251508,2160794717.249648,2160794718.248229,2160794719.246679,2160794720.24661,2160794721.24559,2160794722.244531,2160794723.243661,2160794724.242922,2160794725.241682,2160794726.235142,2160794727.240513,2160794728.242223,2160794729.242064,2160794730.247014,2160794731.245535,2160794732.239835,2160794733.244906,2160794734.244926,2160794735.244346,2160794736.250227,2160794737.254707,2160794738.251968,2160794739.243908,2160794740.249199,2160794741.248549,2160794742.247059,2160794743.24452,2160794744.24392,2160794745.237191,2160794746.242201,2160794747.242402,2160794748.243212,2160794749.248093,2160794750.246363,2160794751.239283,2160794752.233934,2160794753.228084,2160794754.222934,2160794755.230125,2160794756.233705,2160794757.234976,2160794758.236056,2160794759.242047,2160794760.243967,2160794761.243678,2160794762.241948,2160794763.235818,2160794764.231119,2160794765.237479,2160794766.23888,2160794767.239501,2160794768.246452,2160794769.251632,2160794770.250743,2160794771.249183,2160794772.248993,2160794773.247644,2160794774.245234,2160794775.238124,2160794776.232545,2160794777.238645,2160794778.239786,2160794779.240156,2160794780.241617,2160794781.246857,2160794782.246648,2160794783.245778,2160794784.246158,2160794785.245299,2160794786.244439,2160794787.24397,2160794788.24456,2160794789.243961,2160794790.242211,2160794791.235671,2160794792.230562,2160794793.237092,2160794794.238403,2160794795.238993,2160794796.245954,2160794797.245924,2160794798.245014,2160794799.244115,2160794800.244625,2160794801.244016,2160794802.243316,2160794803.243047,2160794804.243777,2160794805.243347,2160794806.248088,2160794807.247778,2160794808.247859,2160794809.24709,2160794810.24602,2160794811.245031,2160794812.250702,2160794813.249832,2160794814.248202,2160794815.247103,2160794816.247083,2160794817.245994,2160794818.243804,2160794819.236944,2160794820.231575,2160794821.226145,2160794822.232995,2160794823.235026,2160794824.237316,2160794825.238357,2160794826.238807,2160794827.239168,2160794828.245618,2160794829.245619,2160794830.244809,2160794831.24931,2160794832.25516,2160794833.253671,2160794834.251771,2160794835.249771,2160794836.249252,2160794837.247872,2160794838.246573,2160794839.245573,2160794840.245864,2160794841.245394,2160794842.244884,2160794843.243915,2160794844.250035,2160794845.254596,2160794846.258156,2160794847.256757,2160794848.255627,2160794849.253178,2160794850.256268,2160794851.259639,2160794852.259049,2160794853.256499,2160794854.25384,2160794855.25149,2160794856.256151,2160794857.254401,2160794858.252162,2160794859.255423,2160794860.260333,2160794861.258004,2160794862.254914,2160794863.252574,2160794864.251855,2160794865.250255,2160794866.249506,2160794867.247426,2160794868.247917,2160794869.247237,2160794870.246227,2160794871.245328,2160794872.251468,2160794873.255809,2160794874.259489,2160794875.25764,2160794876.25649,2160794877.253971,2160794878.256631,2160794879.254631,2160794880.254802,2160794881.257982,2160794882.254633,2160794883.251523,2160794884.245003,2160794885.249214,2160794886.248534,2160794887.247375,2160794888.246695,2160794889.244966,2160794890.238066,2160794891.243076,2160794892.244767,2160794893.244317,2160794894.249028,2160794895.253848,2160794896.254319,2160794897.252649,2160794898.25079,2160794899.24906,2160794900.25435,2160794901.253031,2160794902.251061,2160794903.249272,2160794904.249192,2160794905.248053,2160794906.246803,2160794907.244614,2160794908.247125,2160794909.246695,2160794910.246305,2160794911.245626,2160794912.246526,2160794913.245727,2160794914.244917,2160794915.244198,2160794916.250138,2160794917.248319,2160794918.241159,2160794919.245459,2160794920.24662,2160794921.24599,2160794922.245081,2160794923.244301,2160794924.245092,2160794925.244582,2160794926.249292,2160794927.247603,2160794928.241733,2160794929.246604,2160794930.246484,2160794931.245825,2160794932.246665,2160794933.245925,2160794934.245106,2160794935.249366,2160794936.249967,2160794937.248947,2160794938.247628,2160794939.246488,2160794940.246768,2160794941.246039,2160794942.245239,2160794943.24455,2160794944.24521,2160794945.249991,2160794946.254391,2160794947.253272,2160794948.253132,2160794949.251422,2160794950.249713,2160794951.253483,2160794952.253424,2160794953.251714,2160794954.250425,2160794955.248936,2160794956.248806,2160794957.253037,2160794958.257277,2160794959.261018,2160794960.260188,2160794961.257389,2160794962.254719,2160794963.257699,2160794964.25692,2160794965.25463,2160794966.252491,2160794967.250651,2160794968.250281,2160794969.249002,2160794970.246792,2160794971.239753,2160794972.234273,2160794973.240413,2160794974.241554,2160794975.241944,2160794976.243705,2160794977.243695,2160794978.243476,2160794979.248616,2160794980.249657,2160794981.248707,2160794982.247957,2160794983.247018,2160794984.247388,2160794985.246699,2160794986.251349,2160794987.24957,2160794988.24371,2160794989.248461,2160794990.248351,2160794991.247641,2160794992.247052,2160794993.240352,2160794994.233702,2160794995.239563,2160794996.242113,2160794997.242474,2160794998.247884,2160794999.253335,2160795000.254015,2160795001.252886,2160795002.251347,2160795003.250117,2160795004.255378,2160795005.254248,2160795006.252509,2160795007.250849,2160795008.25068,2160795009.24955,2160795010.24845,2160795011.247841,2160795012.248291,2160795013.247572,2160795014.246862,2160795015.246233,2160795016.246913,2160795017.251744,2160795018.250054,2160795019.243054,2160795020.249065,2160795021.248875,2160795022.247976,2160795023.252396,2160795024.258157,2160795025.256597,2160795026.254377,2160795027.252618,2160795028.252098,2160795029.250699,2160795030.249669,2160795031.24856,2160795032.24882,2160795033.24829,2160795034.247431,2160795035.246821,2160795036.252632,2160795037.257192,2160795038.255753,2160795039.254063,2160795040.253444,2160795041.251824,2160795042.255824,2160795043.254205,2160795044.253955,2160795045.257526,2160795046.255936,2160795047.254177,2160795048.253707,2160795049.252338,2160795050.250778,2160795051.249409,2160795052.25518,2160795053.25286,2160795054.24527,2160795055.249311,2160795056.250181,2160795057.249132,2160795058.253392,2160795059.251283,2160795060.250613,2160795061.255093,2160795062.253994,2160795063.252284,2160795064.257615,2160795065.254815,2160795066.246715,2160795067.238916,2160795068.245626,2160795069.245757,2160795070.245317,2160795071.250158,2160795072.256278,2160795073.253759,2160795074.257479,2160795075.25574,2160795076.25481,2160795077.25786,2160795078.256021,2160795079.253871,2160795080.253202,2160795081.251532,2160795082.249962,2160795083.248943,2160795084.249153,2160795085.248214,2160795086.247254,2160795087.246405,2160795088.246915,2160795089.246345,2160795090.250956,2160795091.249246,2160795092.243377,2160795093.248197,2160795094.248108,2160795095.247368,2160795096.253189,2160795097.257279,2160795098.25573,2160795099.253961,2160795100.253241,2160795101.251702,2160795102.255392,2160795103.254342,2160795104.253713,2160795105.252033,2160795106.250484,2160795107.249064,2160795108.249125,2160795109.253425,2160795110.251335,2160795111.243876,2160795112.249586,2160795113.249207,2160795114.248107,2160795115.252398,2160795116.258028,2160795117.256529,2160795118.254459,2160795119.252339,2160795120.25166,2160795121.25552,2160795122.252961,2160795123.245161,2160795124.250571,2160795125.249922,2160795126.248632,2160795127.252723,2160795128.251663,2160795129.244083,2160795130.236664,2160795131.241834,2160795132.243505,2160795133.243635,2160795134.243716,2160795135.243566,2160795136.244597,2160795137.249707,2160795138.249417,2160795139.248468,2160795140.247678,2160795141.241089,2160795142.234259,2160795143.239919,2160795144.24206,2160795145.242381,2160795146.242811,2160795147.242862,2160795148.244063,2160795149.249273,2160795150.248204,2160795151.241224,2160795152.235784,2160795153.241725,2160795154.242735,2160795155.243046,2160795156.244406,2160795157.244306,2160795158.244127,2160795159.243907,2160795160.244948,2160795161.244708,2160795162.243319,2160795163.237049,2160795164.232189,2160795165.2387,2160795166.24036,2160795167.241121,2160795168.251181,2160795169.250122,2160795170.242942,2160795171.235932,2160795172.242623,2160795173.243373,2160795174.243294,2160795175.248384,2160795176.249455,2160795177.248525,2160795178.247496,2160795179.246576,2160795180.247016,2160795181.251647,2160795182.251097,2160795183.249878,2160795184.250238,2160795185.249209,2160795186.247969,2160795187.247289,2160795188.24764,2160795189.24689,2160795190.246121,2160795191.245411,2160795192.246102,2160795193.245622,2160795194.250053,2160795195.250164,2160795196.251994,2160795197.254805,2160795198.252435,2160795199.244965,2160795200.250796,2160795201.250206,2160795202.248987,2160795203.246697,2160795204.241128,2160795205.234588,2160795206.240358,2160795207.241399,2160795208.243149,2160795209.24851,2160795210.25374,2160795211.251911,2160795212.246031,2160795213.250432,2160795214.250152,2160795215.249172,2160795216.254943,2160795217.258784,2160795218.257004,2160795219.260044,2160795220.259245,2160795221.256725,2160795222.254356,2160795223.252266,2160795224.251756,2160795225.250677,2160795226.249357,2160795227.248208,2160795228.248528,2160795229.247658,2160795230.246829,2160795231.251319,2160795232.25186,2160795233.25064,2160795234.249421,2160795235.248271,2160795236.248812,2160795237.247982,2160795238.247172,2160795239.246503,2160795240.253183,2160795241.252984,2160795242.251375,2160795243.249965,2160795244.250996,2160795245.249666,2160795246.248547,2160795247.252847,2160795248.266158,2160795249.263308,2160795250.259419,2160795251.251319,2160795252.254909,2160795253.25339,2160795254.25192,2160795255.250331,2160795256.250501,2160795257.254602,2160795258.252312,2160795259.244682,2160795260.250483,2160795261.249893,2160795262.248654,2160795263.247504,2160795264.250975,2160795265.250085,2160795266.248865,2160795267.247766,2160795268.248306,2160795269.252337,2160795270.251387,2160795271.249978,2160795272.250228,2160795273.249038,2160795274.247769,2160795275.246689,2160795276.25227,2160795277.25171,2160795278.250091,2160795279.248891,2160795280.248971,2160795281.247882,2160795282.252082,2160795283.251133,2160795284.250923,2160795285.249834,2160795286.248464,2160795287.247234,2160795288.252735,2160795289.257016,2160795290.254186,2160795291.257697,2160795292.257038,2160795293.254698,2160795294.252558,2160795295.255789,2160795296.260599,2160795297.2585,2160795298.2546,2160795299.251401,2160795300.244631,2160795301.249031,2160795302.248642,2160795303.247692,2160795304.253313,2160795305.252253,2160795306.250534,2160795307.247854,2160795308.241694,2160795309.234995,2160795310.240585,2160795311.241476,2160795312.243056,2160795313.248497,2160795314.248267,2160795315.247457,2160795316.247918,2160795317.246048,2160795318.239218,2160795319.232669,2160795320.239779,2160795321.2409,2160795322.24115,2160795323.240231,2160795324.235531,2160795325.229851,2160795326.236352,2160795327.237962,2160795328.243053,2160795329.249013,2160795330.247874,2160795331.241094,2160795332.247345,2160795333.247255,2160795334.246396,2160795335.245606,2160795336.246116,2160795337.245507,2160795338.244818,2160795339.244258,2160795340.244999,2160795341.244599,2160795342.24302,2160795343.23658,2160795344.23158,2160795345.238001,2160795346.239651,2160795347.240322,2160795348.242042,2160795349.242193,2160795350.242183,2160795351.247394,2160795352.248614,2160795353.247755,2160795354.247085,2160795355.246225,2160795356.246686,2160795357.245996,2160795358.250607,2160795359.250017,2160795360.250048,2160795361.249178,2160795362.248189,2160795363.247109,2160795364.247739,2160795365.24701,2160795366.24616,2160795367.250751,2160795368.251381,2160795369.250132,2160795370.248772,2160795371.247622,2160795372.247843,2160795373.252013,2160795374.251234,2160795375.249914,2160795376.249925,2160795377.249135,2160795378.248175,2160795379.247216,2160795380.252876,2160795381.257237,2160795382.255657,2160795383.253868,2160795384.253168,2160795385.251489,2160795386.25528,2160795387.25377,2160795388.253171,2160795389.251471,2160795390.249872,2160795391.248492,2160795392.248562,2160795393.247643,2160795394.246653,2160795395.246404,2160795396.246884,2160795397.246304,2160795398.245655,2160795399.245385,2160795400.246116,2160795401.245636,2160795402.250367,2160795403.248817,2160795404.243297,2160795405.248088,2160795406.247968,2160795407.247269,2160795408.2607,2160795409.25393,2160795410.24561,2160795411.250061,2160795412.250721,2160795413.249621,2160795414.253742,2160795415.252742,2160795416.252443,2160795417.256233,2160795418.254824,2160795419.252924,2160795420.252465,2160795421.249835,2160795422.242705,2160795423.235625,2160795424.242286,2160795425.243017,2160795426.242997,2160795427.248327,2160795428.256778,2160795429.255898,2160795430.252889,2160795431.245099,2160795432.238879,2160795433.24416,2160795434.244701,2160795435.244502,2160795436.250802,2160795437.250293,2160795438.248993,2160795439.247784,2160795440.246924,2160795441.240084,2160795442.233685,2160795443.239015,2160795444.241646,2160795445.242076,2160795446.247537,2160795447.252927,2160795448.254048,2160795449.252768,2160795450.251208,2160795451.249749,2160795452.255239,2160795453.25401,2160795454.25217,2160795455.25075,2160795456.253851,2160795457.252651,2160795458.256382,2160795459.260282,2160795460.265253,2160795461.262543,2160795462.259554,2160795463.256624,2160795464.255494,2160795465.258475,2160795466.256625,2160795467.254446,2160795468.252906,2160795469.245156,2160795470.237637,2160795471.242667,2160795472.244308,2160795473.244298,2160795474.244399,2160795475.244209,2160795476.245399,2160795477.25018,2160795478.24983,2160795479.248861,2160795480.249191,2160795481.247212,2160795482.245642,2160795483.238992,2160795484.245373,2160795485.245674,2160795486.245254,2160795487.250005,2160795488.249756,2160795489.242676,2160795490.247196,2160795491.247057,2160795492.247537,2160795493.252328,2160795494.251618,2160795495.250359,2160795496.250719,2160795497.249629,2160795498.24855,2160795499.2465,2160795500.246171,2160795501.239651,2160795502.233151,2160795503.238972,2160795504.241432,2160795505.241943,2160795506.247463,2160795507.246664,2160795508.241464,2160795509.246875,2160795510.247105,2160795511.246745,2160795512.246536,2160795513.240086,2160795514.233656,2160795515.239627,2160795516.242008,2160795517.242568,2160795518.248119,2160795519.248349,2160795520.252119,2160795521.25141,2160795522.24923,2160795523.242201,2160795524.236751,2160795525.242861,2160795526.243902,2160795527.244182,2160795528.245583,2160795529.245563,2160795530.245324,2160795531.250414,2160795532.251405,2160795533.250495,2160795534.249426,2160795535.248457,2160795536.248937,2160795537.248588,2160795538.247968,2160795539.247298,2160795540.253379,2160795541.252639,2160795542.25142,2160795543.25008,2160795544.250231,2160795545.249351,2160795546.248451,2160795547.248002,2160795548.248852,2160795549.248233,2160795550.252843,2160795551.252234,2160795552.252324,2160795553.251405,2160795554.250275,2160795555.249215,2160795556.254846,2160795557.253916,2160795558.252427,2160795559.251247,2160795560.251168,2160795561.250158,2160795562.249118,2160795563.253229,2160795564.259689,2160795565.25836,2160795566.25656,2160795567.254621,2160795568.254151,2160795569.257902,2160795570.256442,2160795571.254502,2160795572.254293,2160795573.252773,2160795574.251374,2160795575.254994,2160795576.255095,2160795577.253535,2160795578.251975,2160795579.250606,2160795580.250636,2160795581.254997,2160795582.252968,2160795583.245508,2160795584.239579,2160795585.245109,2160795586.24577,2160795587.24579,2160795588.252281,2160795589.251851,2160795590.250641,2160795591.254912,2160795592.255112,2160795593.253563,2160795594.252313,2160795595.250944,2160795596.250974,2160795597.255315,2160795598.253235,2160795599.245785,2160795600.251396,2160795601.250936,2160795602.249837,2160795603.248787,2160795604.254408,2160795605.258788,2160795606.257188,2160795607.254149,2160795608.247479,2160795609.240109,2160795610.24516,2160795611.2456,2160795612.246571,2160795613.251601,2160795614.251232,2160795615.250332,2160795616.250623,2160795617.249733,2160795618.248753,2160795619.246904,2160795620.241444,2160795621.235184,2160795622.241115,2160795623.242475,2160795624.244166,2160795625.244456,2160795626.249847,2160795627.248857,2160795628.243448,2160795629.248608,2160795630.248799,2160795631.24839,2160795632.25445,2160795633.253751,2160795634.252321,2160795635.251312,2160795636.251372,2160795637.250453,2160795638.254813,2160795639.253933,2160795640.253974,2160795641.252654,2160795642.251715,2160795643.250295,2160795644.250836,2160795645.250306,2160795646.249526,2160795647.248747,2160795648.255037,2160795649.254228,2160795650.252748,2160795651.251689,2160795652.252029,2160795653.250929,2160795654.25517,2160795655.25429,2160795656.254621,2160795657.253461,2160795658.252132,2160795659.250932,2160795660.256683,2160795661.260813,2160795662.259064,2160795663.257134,2160795664.256634,2160795665.254725,2160795666.253025,2160795667.256836,2160795668.255756,2160795669.248026,2160795670.240417,2160795671.233827,2160795672.229417,2160795673.236648,2160795674.238888,2160795675.240299,2160795676.242989,2160795677.24358,2160795678.243881,2160795679.249431,2160795680.259162,2160795681.258323,2160795682.261603,2160795683.258613,2160795684.251544,2160795685.243784,2160795686.248445,2160795687.248525,2160795688.249245,2160795689.254256,2160795690.258996,2160795691.257847,2160795692.257367,2160795693.255578,2160795694.253918,2160795695.252499,2160795696.252429,2160795697.251449,2160795698.2505,2160795699.24961,2160795700.250151,2160795701.248511,2160795702.241871,2160795703.235472,2160795704.242672,2160795705.244063,2160795706.244383,2160795707.244574,2160795708.251264,2160795709.256475,2160795710.255575,2160795711.254045,2160795712.256846,2160795713.255566,2160795714.254227,2160795715.252807,2160795716.252718,2160795717.256488,2160795718.255439,2160795719.253799,2160795720.258889,2160795721.2576,2160795722.25551,2160795723.253911,2160795724.253511,2160795725.252182,2160795726.250952,2160795727.249893,2160795728.250194,2160795729.249434,2160795730.248954,2160795731.248255,2160795732.248895,2160795733.253626,2160795734.253076,2160795735.251877,2160795736.252047,2160795737.250977,2160795738.250068,2160795739.254068,2160795740.254449,2160795741.253139,2160795742.25206,2160795743.25088,2160795744.251031,2160795745.255451,2160795746.254601,2160795747.253192,2160795748.253102,2160795749.252163,2160795750.251053,2160795751.250004,2160795752.250284,2160795753.249534,2160795754.248935,2160795755.248555,2160795756.249276,2160795757.248726,2160795758.253407,2160795759.258167,2160795760.263568,2160795761.261848,2160795762.259148,2160795763.256679,2160795764.261039,2160795765.2645,2160795766.26711,2160795767.264331,2160795768.262441,2160795769.259641,2160795770.257292,2160795771.260392,2160795772.259753,2160795773.257543,2160795774.255444,2160795775.253645,2160795776.253325,2160795777.251096,2160795778.243936,2160795779.237056,2160795780.243827,2160795781.244787,2160795782.244888,2160795783.250238,2160795784.251469,2160795785.250709,2160795786.248759,2160795787.24211,2160795788.23669,2160795789.23128,2160795790.238011,2160795791.239931,2160795792.242292,2160795793.248322,2160795794.253723,2160795795.253473,2160795796.258964,2160795797.257634,2160795798.255655,2160795799.252815,2160795800.246745,2160795801.239826,2160795802.245156,2160795803.246027,2160795804.247267,2160795805.252508,2160795806.251258,2160795807.244478,2160795808.239029,2160795809.244839,2160795810.24584,2160795811.24609,2160795812.252761,2160795813.257821,2160795814.255692,2160795815.259632,2160795816.259453,2160795817.257443,2160795818.255493,2160795819.253924,2160795820.253654,2160795821.252825,2160795822.251686,2160795823.250696,2160795824.256327,2160795825.255487,2160795826.253888,2160795827.252448,2160795828.252409,2160795829.251429,2160795830.250459,2160795831.24995,2160795832.25049,2160795833.249841,2160795834.254151,2160795835.253542,2160795836.253872,2160795837.257973,2160795838.256823,2160795839.255183,2160795840.255184,2160795841.253834,2160795842.252755,2160795843.256545,2160795844.257046,2160795845.255486,2160795846.254216,2160795847.253067,2160795848.253167,2160795849.252168,2160795850.256458,2160795851.255599,2160795852.256589,2160795853.255679,2160795854.25381,2160795855.25367,2160795856.258721,2160795857.263461,2160795858.266332,2160795859.264422,2160795860.263273,2160795861.260643,2160795862.258503,2160795863.256414,2160795864.256074,2160795865.259565,2160795866.258435,2160795867.256345,2160795868.256716,2160795869.255107,2160795870.253597,2160795871.252568,2160795872.253088,2160795873.252069,2160795874.251099,2160795875.25524,2160795876.25616,2160795877.254741,2160795878.258631,2160795879.257752,2160795880.257742,2160795881.261292,2160795882.259653,2160795883.257633,2160795884.257724,2160795885.256134,2160795886.254484,2160795887.258375,2160795888.258675,2160795889.256896,2160795890.255716,2160795891.254007,2160795892.254167,2160795893.253047,2160795894.257658,2160795895.257338,2160795896.256929,2160795897.256239,2160795898.25434,2160795899.25304,2160795900.253681,2160795901.252891,2160795902.251871,2160795903.251022,2160795904.251772,2160795905.251143,2160795906.255713,2160795907.255134,2160795908.255464,2160795909.254504,2160795910.253305,2160795911.252215,2160795912.252716,2160795913.251886,2160795914.251067,2160795915.250357,2160795916.251227,2160795917.250738,2160795918.250109,2160795919.254869,2160795920.26084,2160795921.259521,2160795922.257761,2160795923.255941,2160795924.255722,2160795925.259672,2160795926.263673,2160795927.261953,2160795928.261454,2160795929.259244,2160795930.257184,2160795931.260635,2160795932.260605,2160795933.258616,2160795934.256846,2160795935.260407,2160795936.259267,2160795937.251337,2160795938.255198,2160795939.254498,2160795940.254759,2160795941.259039,2160795942.25806,2160795943.2565,2160795944.25684,2160795945.255461,2160795946.254181,2160795947.258332,2160795948.258772,2160795949.257193,2160795950.256083,2160795951.254683,2160795952.254944,2160795953.253934,2160795954.253245,2160795955.252415,2160795956.253076,2160795957.252376,2160795958.251666,2160795959.251017,2160795960.252237,2160795961.251718,2160795962.251128,2160795963.250609,2160795964.251549,2160795965.2511,2160795966.25076,2160795967.250311,2160795968.251372,2160795969.250952,2160795970.250502,2160795971.250093,2160795972.256273,2160795973.260734,2160795974.259514,2160795975.257655,2160795976.257835,2160795977.256246,2160795978.254776,2160795979.258806,2160795980.259337,2160795981.257687,2160795982.256308,2160795983.255028,2160795984.254959,2160795985.259229,2160795986.2635,2160795987.26723,2160795988.266491,2160795989.263671,2160795990.260991,2160795991.263672,2160795992.262952,2160795993.260723,2160795994.258613,2160795995.262063,2160795996.262004,2160795997.259934,2160795998.258305,2160795999.257295,2160796000.257016,2160796001.254696,2160796002.252796,2160796003.245917,2160796004.252097,2160796005.252238,2160796006.251668,2160796007.256349,2160796008.256029,2160796009.254159,2160796010.2586,2160796011.25771,2160796012.257531,2160796013.261502,2160796014.265462,2160796015.263843,2160796016.262813,2160796017.260654,2160796018.258584,2160796019.256845,2160796020.256545,2160796021.255345,2160796022.254206,2160796023.253556,2160796024.254017,2160796025.253277,2160796026.251488,2160796027.250148,2160796028.245008,2160796029.250469,2160796030.251059,2160796031.25097,2160796032.25748,2160796033.256991,2160796034.255741,2160796035.254541,2160796036.255052,2160796037.254202,2160796038.253333,2160796039.257803,2160796040.258404,2160796041.257044,2160796042.255715,2160796043.254895,2160796044.255045,2160796045.254156,2160796046.253306,2160796047.252847,2160796048.254107,2160796049.253497,2160796050.252828,2160796051.257558,2160796052.258519,2160796053.257249,2160796054.25622,2160796055.25506,2160796056.255491,2160796057.254621,2160796058.259021,2160796059.263532,2160796060.263712,2160796061.261933,2160796062.259884,2160796063.258084,2160796064.263175,2160796065.261775,2160796066.259796,2160796067.258006,2160796068.257697,2160796069.256447,2160796070.260498,2160796071.264768,2160796072.264478,2160796073.261199,2160796074.253119,2160796075.245399,2160796076.23994,2160796077.24619,2160796078.247581,2160796079.248261,2160796080.250272,2160796081.250592,2160796082.250533,2160796083.255733,2160796084.257194,2160796085.256354,2160796086.260634,2160796087.259755,2160796088.259475,2160796089.258416,2160796090.257056,2160796091.255837,2160796092.261347,2160796093.259277,2160796094.251618,2160796095.255818,2160796096.256589,2160796097.255799,2160796098.25486,2160796099.25929,2160796100.25872,2160796101.251421,2160796102.255771,2160796103.255462,2160796104.255942,2160796105.260443,2160796106.259683,2160796107.258393,2160796108.258734,2160796109.257565,2160796110.256425,2160796111.260706,2160796112.261357,2160796113.259967,2160796114.258487,2160796115.257188,2160796116.257308,2160796117.256399,2160796118.255489,2160796119.254719,2160796120.25528,2160796121.26,2160796122.259391,2160796123.258181,2160796124.261362,2160796125.260232,2160796126.258803,2160796127.257773,2160796128.257893,2160796129.256884,2160796130.261334,2160796131.260455,2160796132.260225,2160796133.259186,2160796134.257816,2160796135.256636,2160796136.256847,2160796137.255987,2160796138.255138,2160796139.254408,2160796140.259979,2160796141.259239,2160796142.257879,2160796143.26193,2160796144.26212,2160796145.260501,2160796146.259351,2160796147.257922,2160796148.257982,2160796149.262233,2160796150.266553,2160796151.265044,2160796152.264544,2160796153.262504,2160796154.260545,2160796155.264095,2160796156.268866,2160796157.266826,2160796158.264247,2160796159.261898,2160796160.261108,2160796161.259509,2160796162.263539,2160796163.262299,2160796164.26178,2160796165.26018,2160796166.258701,2160796167.257381,2160796168.257822,2160796169.256912,2160796170.255982,2160796171.254123,2160796172.248693,2160796173.242383,2160796174.248264,2160796175.249454,2160796176.251455,2160796177.256985,2160796178.262276,2160796179.267167,2160796180.266027,2160796181.269477,2160796182.267448,2160796183.264958,2160796184.262929,2160796185.255079,2160796186.247469,2160796187.25236,2160796188.25393,2160796189.253871,2160796190.258961,2160796191.264042,2160796192.264392,2160796193.262772,2160796194.261093,2160796195.259793,2160796196.259754,2160796197.258704,2160796198.257715,2160796199.257215,2160796200.257665,2160796201.257026,2160796202.256306,2160796203.255727,2160796204.256437,2160796205.255998,2160796206.260749,2160796207.265249,2160796208.26546,2160796209.26365,2160796210.261901,2160796211.260461,2160796212.260641,2160796213.259572,2160796214.258512,2160796215.257913,2160796216.258333,2160796217.257664,2160796218.256914,2160796219.256254,2160796220.256965,2160796221.256495,2160796222.261216,2160796223.260766,2160796224.260987,2160796225.260157,2160796226.259088,2160796227.258048,2160796228.263918,2160796229.263339,2160796230.261829,2160796231.26068,2160796232.26071,2160796233.259551,2160796234.263811,2160796235.268172,2160796236.268032,2160796237.266212,2160796238.264163,2160796239.262293,2160796240.267524,2160796241.270984,2160796242.268915,2160796243.266445,2160796244.272126,2160796245.270136,2160796246.267656,2160796247.270657,2160796248.270317,2160796249.267798,2160796250.265388,2160796251.263308,2160796252.263009,2160796253.261829,2160796254.26049,2160796255.25926,2160796256.258731,2160796257.251781,2160796258.245002,2160796259.250592,2160796260.253153,2160796261.253513,2160796262.253624,2160796263.258974,2160796264.265865,2160796265.264865,2160796266.268076,2160796267.266446,2160796268.265657,2160796269.264137,2160796270.262467,2160796271.260948,2160796272.265808,2160796273.264629,2160796274.262829,2160796275.26149,2160796276.26129,2160796277.26023,2160796278.259411,2160796279.258451,2160796280.258802,2160796281.263412,2160796282.267993,2160796283.271653,2160796284.271004,2160796285.268734,2160796286.266264,2160796287.264035,2160796288.268705,2160796289.272376,2160796290.270166,2160796291.267837,2160796292.266717,2160796293.264817,2160796294.263148,2160796295.261508,2160796296.261319,2160796297.265199,2160796298.26411,2160796299.26255,2160796300.267641,2160796301.266191,2160796302.264101,2160796303.262232,2160796304.262152,2160796305.260873,2160796306.259633,2160796307.258564,2160796308.258875,2160796309.258195,2160796310.262696,2160796311.262026,2160796312.261996,2160796313.261117,2160796314.259917,2160796315.258898,2160796316.258218,2160796317.256708,2160796318.250019,2160796319.255029,2160796320.25661,2160796321.25639,2160796322.261311,2160796323.266191,2160796324.266502,2160796325.264742,2160796326.263033,2160796327.261453,2160796328.261333,2160796329.259274,2160796330.252294,2160796331.245554,2160796332.252405,2160796333.253465,2160796334.253696,2160796335.259026,2160796336.260337,2160796337.259527,2160796338.258658,2160796339.257868,2160796340.258428,2160796341.256889,2160796342.250409,2160796343.243939,2160796344.23956,2160796345.24657,2160796346.248681,2160796347.249951,2160796348.257442,2160796349.263142,2160796350.267923,2160796351.266973,2160796352.266394,2160796353.264504,2160796354.268015,2160796355.266446,2160796356.265676,2160796357.264207,2160796358.262647,2160796359.261108,2160796360.266008,2160796361.264819,2160796362.263059,2160796363.261779,2160796364.26163,2160796365.26049,2160796366.259381,2160796367.263711,2160796368.281792,2160796369.279052,2160796370.280933,2160796371.277513,2160796372.275103,2160796373.276644,2160796374.273594,2160796375.270405,2160796376.268785,2160796377.266395,2160796378.264256,2160796379.267686,2160796380.272617,2160796381.269457,2160796382.272298,2160796383.269938,2160796384.268499,2160796385.266179,2160796386.264079,2160796387.26227,2160796388.26196,2160796389.259791,2160796390.257931,2160796391.251241,2160796392.257302,2160796393.257522,2160796394.256963,2160796395.255473,2160796396.250213,2160796397.244114,2160796398.250124,2160796399.251445,2160796400.253255,2160796401.258896,2160796402.264017,2160796403.263437,2160796404.263498,2160796405.262128,2160796406.260769,2160796407.259739,2160796408.25903,2160796409.25751,2160796410.25581,2160796411.260821,2160796412.261701,2160796413.260802,2160796414.265002,2160796415.263073,2160796416.256853,2160796417.261294,2160796418.260974,2160796419.260124,2160796420.265855,2160796421.263855,2160796422.256266,2160796423.260376,2160796424.261337,2160796425.260507,2160796426.259597,2160796427.257838,2160796428.257678,2160796429.251218,2160796430.256259,2160796431.256619,2160796432.25765,2160796433.26236,2160796434.262031,2160796435.261071,2160796436.266722,2160796437.265632,2160796438.263863,2160796439.261303,2160796440.255373,2160796441.248594,2160796442.254024,2160796443.254865,2160796444.256745,2160796445.261976,2160796446.261826,2160796447.261006,2160796448.261867,2160796449.261278,2160796450.260388,2160796451.259559,2160796452.26563,2160796453.26477,2160796454.26325,2160796455.262151,2160796456.262561,2160796457.261522,2160796458.265762,2160796459.270183,2160796460.270223,2160796461.268304,2160796462.266224,2160796463.264344,2160796464.269475,2160796465.273265,2160796466.271546,2160796467.269036,2160796468.268247,2160796469.266217,2160796470.264357,2160796471.268018,2160796472.273168,2160796473.271779,2160796474.274449,2160796475.27198,2160796476.27047,2160796477.26837,2160796478.266201,2160796479.264291,2160796480.269132,2160796481.266652,2160796482.258672,2160796483.262423,2160796484.262983,2160796485.261934,2160796486.266094,2160796487.264115,2160796488.257875,2160796489.250935,2160796490.256076,2160796491.256606,2160796492.257737,2160796493.262937,2160796494.261728,2160796495.254858,2160796496.260879,2160796497.260829,2160796498.26,2160796499.264551,2160796500.264111,2160796501.256811,2160796502.261112,2160796503.260822,2160796504.261193,2160796505.265833,2160796506.264094,2160796507.262064,2160796508.256234,2160796509.261015,2160796510.261005,2160796511.260486,2160796512.266396,2160796513.270867,2160796514.269337,2160796515.267278,2160796516.266638,2160796517.264978,2160796518.268739,2160796519.267399,2160796520.26682,2160796521.26519,2160796522.263801,2160796523.262451,2160796524.262521,2160796525.261592,2160796526.260712,2160796527.259883,2160796528.260433,2160796529.259844,2160796530.259244,2160796531.258704,2160796532.259455,2160796533.259065,2160796534.258586,2160796535.258176,2160796536.259087,2160796537.258757,2160796538.258537,2160796539.258118,2160796540.259318,2160796541.258999,2160796542.258559,2160796543.2582,2160796544.25908,2160796545.258771,2160796546.258691,2160796547.258312,2160796548.259223,2160796549.258923,2160796550.263784,2160796551.268704,2160796552.267965,2160796553.271725,2160796554.270165,2160796555.267956,2160796556.272566,2160796557.270717,2160796558.268367,2160796559.266538,2160796560.278748,2160796561.277219,2160796562.279559,2160796563.28207,2160796564.28031,2160796565.27688,2160796566.273351,2160796567.270341,2160796568.274272,2160796569.277382,2160796570.274722,2160796571.271823,2160796572.269603,2160796573.261253,2160796574.253304,2160796575.257904,2160796576.259235,2160796577.258985,2160796578.263876,2160796579.262566,2160796580.256836,2160796581.261617,2160796582.261607,2160796583.261048,2160796584.266978,2160796585.271469,2160796586.269939,2160796587.26831,2160796588.27364,2160796589.271911,2160796590.269561,2160796591.266471,2160796592.265312,2160796593.266452,2160796594.265643,2160796595.264343,2160796596.264364,2160796597.268514,2160796598.267355,2160796599.265675,2160796600.265736,2160796601.264346,2160796602.262967,2160796603.267187,2160796604.267338,2160796605.265808,2160796606.264539,2160796607.263209,2160796608.263219,2160796609.26225,2160796610.26127,2160796611.260401,2160796612.260911,2160796613.265642,2160796614.264982,2160796615.263743,2160796616.264213,2160796617.263103,2160796618.262034,2160796619.261034,2160796620.261645,2160796621.260935,2160796622.265516,2160796623.263936,2160796624.257966,2160796625.262527,2160796626.262337,2160796627.261578,2160796628.267418,2160796629.271559,2160796630.269979,2160796631.2682,2160796632.26756,2160796633.26589,2160796634.271611,2160796635.275521,2160796636.275172,2160796637.272482,2160796638.269873,2160796639.267613,2160796640.266883,2160796641.270614,2160796642.269204,2160796643.267285,2160796644.267605,2160796645.266006,2160796646.264516,2160796647.263507,2160796648.264108,2160796649.262938,2160796650.267319,2160796651.265449,2160796652.259769,2160796653.2527,2160796654.25785,2160796655.258391,2160796656.259861,2160796657.258691,2160796658.252442,2160796659.246292,2160796660.253793,2160796661.255153,2160796662.255674,2160796663.261264,2160796664.267955,2160796665.267125,2160796666.265565,2160796667.264106,2160796668.264356,2160796669.268437,2160796670.267407,2160796671.265898,2160796672.265758,2160796673.264478,2160796674.263259,2160796675.262179,2160796676.26249,2160796677.26175,2160796678.260961,2160796679.265551,2160796680.266212,2160796681.265022,2160796682.263712,2160796683.262573,2160796684.262863,2160796685.262534,2160796686.261734,2160796687.260994,2160796688.261595,2160796689.261065,2160796690.260486,2160796691.264926,2160796692.265727,2160796693.264637,2160796694.263458,2160796695.262439,2160796696.262749,2160796697.262,2160796698.26162,2160796699.26098,2160796700.264651,2160796701.269522,2160796702.268582,2160796703.267032,2160796704.267153,2160796705.265793,2160796706.264374,2160796707.268464,2160796708.273965,2160796709.277175,2160796710.275086,2160796711.272286,2160796712.270966,2160796713.274117,2160796714.272487,2160796715.270118,2160796716.269228,2160796717.267688,2160796718.266139,2160796719.264619,2160796720.26981,2160796721.2686,2160796722.266801,2160796723.265451,2160796724.265241,2160796725.264052,2160796726.263242,2160796727.262263,2160796728.262603,2160796729.262173,2160796730.261404,2160796731.260724,2160796732.261335,2160796733.260835,2160796734.260406,2160796735.259866,2160796736.261036,2160796737.260617,2160796738.260117,2160796739.264938,2160796740.265748,2160796741.264669,2160796742.26253,2160796743.25579],"weight":[1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"weightType":"samples","threadCPUDelta":[0,1585,3881,3362,3052,2561,2176,2013,1765,1656,1493,1420,1363,1272,1229,1199,1147,1123,1108,1079,1066,1056,1050,1035,1029,1025,1023,1016,1013,1010,1011,1006,1005,1004,1006,1002,1002,1001,1004,1000,1000,1000,1003,1000,1000,999,1002,999,999,999,1002,999,999,999,1002,999,999,999,1002,999,999,999,930,785,792,819,846,765,600,623,674,726,776,824,854,882,896,911,933,949,952,960,974,974,978,986,985,986,1000,997,996,1002,1003,998,996,997,997,999,1003,998,997,999,998,998,998,1006,999,998,998,1000,999,998,998,1000,999,999,999,1005,1004,998,998,1013,1002,1001,1001,997,995,996,996,1003,997,997,997,1002,998,998,1003,999,997,998,998,1000,998,998,998,1000,999,999,1011,1006,1003,1001,1001,1005,995,995,995,997,997,997,997,999,998,998,1003,1000,998,1010,1004,1004,1001,1001,1001,1008,1001,1000,999,999,999,994,1005,1001,999,998,999,995,994,994,995,1002,997,996,1008,1004,1002,1006,1000,1001,994,994,994,996,996,997,997,1010,1004,1002,1000,997,995,996,996,998,997,997,998,999,1010,1004,1003,1002,1001,996,1006,1003,1001,999,994,995,995,996,996,1003,997,997,997,1005,998,997,997,999,998,998,998,1000,999,999,999,1000,999,999,1004,1000,998,998,999,1000,999,1010,1005,1005,1008,1002,1001,1001,994,994,995,997,996,1008,1003,1003,1000,1000,995,1008,1001,1000,1000,1000,994,994,995,996,996,1008,1003,1003,1006,1001,1000,1000,994,993,1006,1002,1000,1000,1005,1000,993,993,994,996,996,996,997,1010,1003,1002,1007,1008,999,1005,999,1000,997,997,993,994,994,995,995,997,997,997,1009,1005,1002,1007,1000,996,1006,1001,1000,1006,1005,997,992,993,993,994,995,997,996,1009,1003,1003,1007,1000,994,1007,1000,999,1005,1006,998,996,997,993,993,1005,1000,1001,998,993,994,996,996,996,1008,1004,1002,1006,1000,1001,1006,1000,999,1000,997,993,993,1007,1001,1000,998,995,1006,999,994,995,995,996,995,1009,1003,1001,1000,1001,995,994,995,997,996,1009,1003,1006,1000,995,994,1008,1002,1000,999,996,994,1007,1001,1002,1000,999,999,995,994,995,995,997,997,997,997,999,998,1010,1004,1004,1007,1007,999,995,994,994,995,1009,1002,1001,1000,996,994,995,996,998,1008,1003,1002,1002,995,995,1007,1003,1001,1000,999,996,994,995,996,997,1009,1003,1002,1008,1001,1000,998,995,994,1006,1001,1001,999,994,994,996,1007,1002,1001,1001,1000,994,994,996,996,1008,1003,1003,1006,999,994,995,995,995,996,1015,1003,1001,1006,1000,993,993,994,996,996,996,997,1010,1003,1002,1007,1004,1005,998,993,994,994,995,995,997,1008,1003,1002,1008,999,994,994,996,995,1008,1002,1006,1001,1000,1000,1001,998,993,994,1001,995,995,996,997,997,1009,1004,1004,1007,1000,994,996,995,995,1008,1004,1001,1001,1001,1002,1000,999,999,995,994,995,995,1000,997,997,1009,1005,1002,1000,995,996,1007,1002,1001,1003,1005,999,993,1000,1003,999,999,1001,1001,1000,999,1001,999,999,999,1006,998,992,992,1006,1000,999,1005,1001,999,999,999,1000,997,998,993,1006,1000,999,1004,999,992,1004,999,1000,999,1004,998,994,1005,999,999,1005,1004,1003,996,992,992,992,993,996,1007,1002,1001,1002,1005,1005,1005,1005,996,991,1003,1000,998,997,998,994,993,994,995,1005,996,995,1008,1004,1001,1001,999,1001,994,1006,1001,1001,999,994,994,1010,1001,1000,998,995,994,995,1005,1003,1000,995,995,996,1008,1002,1001,1001,1000,994,1006,1002,1000,1005,998,995,1005,1000,999,999,993,993,994,1008,1002,1001,999,1001,994,994,995,996,996,997,997,1010,1004,1002,1001,1005,995,994,1007,1003,1001,1006,999,995,1005,1000,999,999,998,993,1005,1004,1000,998,998,994,994,994,995,997,1008,1003,1002,1001,995,994,1007,1003,1001,999,994,996,995,996,996,1009,1003,1002,1001,1008,999,993,1005,1001,1000,998,993,995,1006,1001,1000,1000,994,994,1006,1002,1000,999,999,995,994,1007,1001,1002,999,994,994,1008,1001,1000,1005,1000,993,1005,1000,1000,1000,999,1000,1000,1000,999,1000,1005,1000,997,1004,999,992,1004,999,1000,997,998,1004,1001,999,998,1004,1005,998,997,998,999,998,1003,998,999,999,998,998,1005,999,997,1003,999,997,998,998,1000,1004,999,998,999,998,998,998,1005,998,998,998,1000,998,1004,999,999,998,998,998,1005,1004,1003,997,999,997,997,1003,999,997,997,998,1000,998,998,999,1005,997,992,1004,1001,999,999,997,994,993,1006,1001,1001,1005,998,993,1006,1000,999,1004,1000,998,1003,998,999,998,998,998,1000,999,999,999,1005,999,998,998,1000,999,1004,1004,999,998,997,998,1004,1003,1002,997,998,997,997,1002,999,998,998,998,999,998,998,999,1000,999,999,999,1000,999,998,993,1000,1003,1001,1000,1004,1005,1004,997,1005,998,997,1002,999,997,997,998,999,998,998,997,994,1005,1000,999,1000,999,999,999,1000,999,1008,999,1000,998,998,998,1005,1004,998,997,999,998,998,997,997,993,1005,1000,1001,998,993,993,1007,1001,1000,999,995,994,995,995,997,997,1009,1003,1004,1000,1000,995,1008,1001,1000,1005,1000,993,1005,1000,1000,1004,998,992,1006,999,999,999,999,993,993,1006,1002,1000,1005,999,997,1005,999,999,1005,998,998,998,1000,998,998,1004,1005,998,997,997,999,1003,997,992,1005,999,998,1004,1005,1003,997,997,998,1003,996,991,993,1005,1000,999,1006,998,992,1004,1001,999,1004,999,999,997,992,993,1006,1000,1000,1005,999,993,993,1005,1002,1000,998,994,995,1006,1001,1000,1007,998,993,1005,1001,999,1004,998,994,993,1005,1000,1001,1005,998,993,1006,1000,999,997,999,993,1005,1000,1001,998,993,993,1007,1001,1000,1000,1000,999,994,1005,1002,1000,998,999,995,1006,1000,1000,1000,993,993,1006,1002,1000,1000,1000,1001,1000,998,993,995,1007,1001,1000,1007,1005,999,997,993,993,1005,1000,1001,1004,999,999,1000,999,999,999,999,993,993,1006,1002,1000,1005,1005,1000,998,998,998,1005,1004,998,997,999,998,998,1003,998,992,1004,999,1000,1004,1004,998,999,998,998,1003,998,992,1004,999,1000,998,1013,1010,1003,1000,1000,993,990,990,991,1004,1001,999,999,999,1000,998,998,993,995,1006,1001,1000,1000,999,994,1006,1002,1000,998,999,995,1005,1000,1000,1006,1004,998,998,999,998,998,1004,998,992,1004,999,1000,1004,1004,998,999,998,998,1003,1005,997,997,997,999,998,1003,997,993,1004,999,998,1005,997,992,1004,1000,999,997,993,994,1006,1001,1000,1006,998,998,993,994,994,995,1007,1003,1001,1006,1000,1001,998,993,993,1007,1001,1000,1005,1006,999,998,997,994,993,1005,1000,1001,998,999,994,1007,1000,999,1005,999,993,1004,999,1000,998,998,993,995,1006,1001,1000,1005,1000,997,1002,999,997,995,991,993,1005,1000,999,1006,999,998,998,1000,999,999,998,994,993,1006,1001,1001,1005,1005,999,1000,998,998,999,1000,999,999,999,1000,999,999,999,1000,1004,999,998,999,993,993,1005,1002,1000,1005,1000,1000,999,999,999,1000,999,999,999,1001,999,999,1004,1006,1004,998,997,998,998,998,998,1000,998,998,1004,999,992,992,1005,1001,1000,1005,999,1000,997,993,993,1006,1001,998,1004,999,992,1004,999,1000,998,1004,997,994,993,993,994,1008,1002,1001,1000,1002,1000,998,994,995,1006,1001,1000,1007,1000,999,999,1000,999,999,999,1000,999,1004,999,1000,998,998,999,1000,999,999,1004,999,992,1004,999,1000,999,1004,999,1003,998,998,998,1005,998,998,998,999,998,1004,1004,999,998,997,998,999,1004,997,992,1005,999,998,1004,1000,998,997,992,994,1005,1000,1000,1006,999,998,998,1000,999,999,998,999,993,1005,1000,1007,998,998,998,1006,999,998,997,994,993,1005,1001,1001,1000,999,999,1001,999,999,999,1001,999,999,998,995,993,1006,1001,1001,1005,1000,999,1006,999,998,998,1000,999,999,1004,1000,998,998,998,1000,1004,999,998,999,998,998,1004,1003,998,998,998,999,998,1004,1004,999,997,997,998,999,998,998,999,1000,999,999,999,1000,998,993,993,995,1007,1002,1001,1002,1000,1000,999,995,994,1006,1001,1002,1000,1000,1000,1006,998,993,993,1007,1001,1000,998,995,994,1006,1001,1002,1005,999,999,1006,999,998,1003,999,992,1004,999,1000,999,999,999,1001,1004,998,992,1006,999,998,999,1000,999,1004,1004,999,998,998,998,999,999,998,999,1005,999,998,997,993,993,1005,1000,1001,1005,1005,1004,1000,997,997,1003,1004,997,997,997,999,998,1003,1003,999,997,997,997,1004,998,997,1003,999,997,1003,998,999,998,998,998,999,998,998,999,999,998,993,1005,1001,999,1004,998,994,1005,1000,999,1005,1004,997,991,1005,999,998,997,999,993,1005,1000,1000,1004,998,992,994,994,994,1007,1003,1001,1001,1005,1001,999,998,993,995,1006,1001,1000,1006,1005,999,998,999,998,997,992,994,1006,1001,1000,1001,1005,999,999,1000,999,999,999,1000,999,998,993,994,1006,1001,1000,1006,999,999,999,1000,999,999,999,1000,999,1004,999,1000,999,998,999,1005,999,998,998,999,998,997,993,994,994,1006,1002,1002,1001,1000,1000,1006,1000,999,1004,1005,998,998,998,999,998,998,999,1000,999,999,999,1006,1004,1003,998,998,997,1003,1003,999,997,997,997,1004,998,997,1003,1004,997,996,997,999,998,999,997,1000,999,998,999,1006,1004,1003,998,998,997,1002,998,1000,1003,996,996,993,1004,999,998,999,998,993,1005,1001,999,1004,1004,1000,998,998,998,1005,998,998,998,999,998,998,997,1002,999,999,999,1000,999,999,999,1005,998,992,1004,1001,999,999,999,1000,999,1004,998,994,1004,999,999,1000,999,999,1004,1000,998,998,998,1000,999,999,999,1000,1004,1004,998,999,998,998,1003,999,998,998,998,999,1004,1004,1003,999,997,997,1002,999,997,997,998,999,998,997,992,994,1006,1001,1000,1001,999,999,1005,1001,999,999,999,1000,999,1004,998,994,1004,999,999,999,993,993,1005,1002,1000,1005,1005,1000,998,998,998,1005,998,998,998,999,998,998,999,1000,999,999,999,1000,1004,998,993,1006,999,999,1004,1005,998,997,998,999,998,998,998,1000,999,999,999,1005,1004,998,998,999,998,1004,998,999,1003,998,998,999,998,998,998,1005,997,992,1004,1000,998,1004,997,999,1004,998,998,1005,997,991,992,1006,1000,999,1004,1006,997,1003,998,999,1003,998,997,999,998,998,998,1000,999,999,999,1000,999,1004,998,994,1004,999,999,1005,1004,998,998,999,998,1003,998,999,998,998,998,1000,1004,997,992,1005,999,998,1004,1005,998,997,997,999,1003,997,992,1005,999,998,1004,998,992,992,1005,1001,1000,1000,999,1001,1005,999,999,999,993,993,1005,1002,1000,1000,1000,1001,1005,998,993,994,1005,1001,1000,1001,999,999,999,1001,999,998,993,995,1006,1001,1000,1010,998,992,992,1006,1000,999,1005,1001,999,998,999,1000,1004,999,998,1000,998,998,999,1000,999,999,999,1000,999,1004,1000,1001,1002,997,992,1005,999,998,997,994,993,1005,1001,1001,1005,1005,998,994,1004,999,999,1005,1003,998,1003,999,997,997,997,999,998,998,998,1000,999,999,1004,1000,998,998,998,1000,999,999,999,1006,999,998,998,1001,998,998,1004,1005,997,996,991,1003,998,998,998,1000,1004,997,992,1005,999,998,998,1003,999,998,998,1000,1004,999,998,1000,998,998,998,1005,999,998,998,1000,998,1004,999,999,998,998,998,1005,1004,997,1003,999,997,997,1003,1004,997,996,996,993,1004,999,999,1005,998,998,997,993,993,1005,1000,1001,1005,999,999,1000,998,993,993,1007,1001,1000,999,995,994,1006,1001,1005,1005,998,993,1006,999,999,999,1000,999,999,999,1000,999,998,993,995,1006,1001,1000,1001,1000,999,1005,1001,999,999,999,1000,999,1004,999,1000,999,999,998,1000,999,999,1004,1000,998,998,998,1000,1004,999,998,1000,999,999,999,1005,1004,998,998,999,998,1003,998,999,998,998,998,1000,999,999,999,1000,999,999,999,1000,999,1004,998,994,1004,999,999,998,993,991,1004,1000,998,1004,999,999,1003,998,998,999,997,992,992,1006,1000,999,1005,1000,999,996,992,993,1005,1000,999,1006,999,998,998,999,993,993,1005,1002,1000,1005,1005,1001,998,998,998,1005,998,998,998,1003,998,1003,1003,1004,997,997,997,998,1002,998,997,998,992,992,1005,1001,999,1000,999,1001,1004,999,999,1000,998,998,993,1006,1000,999,1004,999,992,1004,999,1000,1004,999,998,1000,998,998,997,999,993,993,1005,1002,1000,1005,999,994,1005,1000,999,999,993,993,1005,1002,1000,1005,1000,1003,999,997,992,994,1006,1001,1000,1001,999,999,1005,1000,999,998,999,1000,999,999,999,1006,999,998,998,1000,999,999,999,1000,999,1004,999,1000,999,998,998,1005,999,998,998,999,998,998,1004,1006,998,998,998,999,1003,998,998,999,998,998,1003,1000,998,998,998,1000,1004,997,992,994,1005,1000,1000,1006,999,998,1004,1000,998,998,998,1000,1004,997,992,1005,999,998,998,1005,1004,998,996,993,992,1005,1000,1000,1005,999,999,1000,999,999,998,994,993,1005,1001,1001,1000,1005,999,994,1005,1000,999,1006,999,998,998,1000,999,1004,999,1000,998,999,998,1000,999,999,999,1006,999,998,998,1000,998,1004,999,1000,998,998,998,1005,1004,998,998,999,998,998,1003,998,992,992,993,995,1007,1002,1001,1002,1000,1000,1005,1009,999,1003,997,992,992,1004,1000,1000,1005,1004,998,999,998,998,998,999,999,999,999,1000,998,993,993,1007,1001,1000,1000,1006,1005,999,998,1002,998,998,998,999,1003,998,998,1005,998,997,998,999,998,998,998,1000,999,999,999,1000,1004,999,998,1000,998,999,1004,1000,998,998,998,1000,1004,999,998,999,999,998,998,1000,999,999,999,1000,999,1004,1004,1005,998,997,997,1004,1003,1002,997,998,997,997,1003,999,997,997,998,999,997,992,993,1006,1000,1000,1005,1001,999,998,993,994,994,1006,1001,1002,1006,1005,999,1005,998,998,997,993,993,1005,1000,1001,1005,998,993,994,1005,1001,1000,1006,1005,997,1003,999,997,998,998,999,999,998,999,1005,999,998,998,999,999,999,999,1000,999,1004,999,1000,1004,998,998,1000,998,998,1003,1000,998,998,998,1000,999,1004,999,1000,999,998,999,1005,1004,1002,998,998,997,997,997,999,1003,998,997,1000,998,998,998,1000,998,999,1004,1000,998,1003,999,999,1003,998,997,1000,998,998,1003,1000,998,998,998,1000,998,1004,999,999,999,998,998,1000,999,998,999,1000,999,1004,999,1000,999,998,998,1000,999,999,999,1000,999,999,1004,1005,998,998,998,999,1003,1004,998,999,997,997,1003,999,998,998,1003,998,992,1003,999,1000,1004,999,998,1000,998,998,1004,1000,998,998,998,1000,998,999,999,1000,999,999,999,1001,999,999,999,1000,999,999,999,1001,999,999,999,1006,1004,998,998,1000,998,998,1004,1000,998,998,998,999,1004,1004,1003,999,997,997,1002,999,997,997,1003,999,997,998,998,999,997,998,993,1006,1000,999,1004,999,998,1004,999,999,1003,1003,998,998,997,997,998,999,998,998,999,1000,999,998,998,994,1005,1000,999,1006,999,998,998,1000,999,999,1004,1000,998,998,999,1000,999,999,999,1001,999,999,1004,1000,998,998,998,1000,999,1004,1004,1000,998,997,998,1005,998,998,998,999,998,1004,1004,999,996,991,992,994,1006,1001,1000,1002,1000,999,1005,1001,999,1004,999,999,998,998,998,1005,997,992,1004,1000,999,999,1004,999,992,1004,999,1000,1004,999,998,1000,998,998,1004,1000,998,998,998,1000,999,999,999,1000,1004,999,998,1003,998,998,998,1000,998,1004,999,999,998,998,998,1000,999,999,999,1005,999,998,1004,1000,998,998,998,1000,1004,1004,998,999,997,998,1003,1004,997,997,997,999,998,1004,998,999,998,998,998,1000,999,999,998,994,993,1005,1001,1002,1005,1005,1004,998,1003,997,997,997,992,992,1004,1001,999,1005,1005,1000,998,998,998,999,998,999,999,1000,999,999,999,1000,999,1004,1004,1000,998,998,998,1000,998,998,999,1000,999,999,999,1000,999,1004,999,1000,999,998,998,1005,999,998,998,1000,998,1004,1004,999,998,997,998,1005,1003,997,997,1005,998,997,1003,999,997,997,997,999,998,998,998,999,993,993,1005,1002,1000,1000,1005,1006,999,1003,998,999,998,998,998,1004,998,998,998,999,998,999,999,1000,1004,1004,1003,999,997,997,997,1004,1003,997,997,998,998,998,998,999,1003,998,998,1005,998,997,998,999,998,998,998,1000,999,1004,999,999,999,998,998,999,998,993,1005,1001,999,1004,1004,1000,998,998,998,999,997,993,993,1006,1001,1000,1005,1001,999,999,999,1000,998,993,993,995,1007,1002,1001,1007,1005,1004,999,999,998,1003,998,999,998,998,998,1004,998,998,998,999,998,998,1004,1004,997,1001,996,997,1001,996,996,998,997,997,1003,1004,996,1002,997,998,997,997,998,999,997,998,993,1006,1000,999,998,994,993,1006,1001,1001,1005,1005,999,1000,998,998,998,999,998,998,1005,1000,999,1004,998,993,1004,999,999,1005,998,992,1004,1000,999,999,998,999,993,1005,1000,1001,1004,999,999,1005,998,998,997,994,993,1005,1000,1001,1005,999,999,1000,999,999,999,1006,999,998,998,1000,998,1004,1004,1000,998,997,998,1005,1003,998,997,999,997,998,1003,1005,998,1002,997,998,997,997,998,1004,997,992,1003,1000,998,1004,998,993,993,1005,1000,1001,1005,998,993,1006,999,999,1004,999,992,1004,999,1000,1004,998,997,994,1004,999,999,1005,1004,998,997,999,998,1003,998,999,998,998,998,1000,999,999,999,1000,999,999,999,1000,999,999,999,1000,999,999,999,1001,999,999,999,1000,999,999,999,1000,999,1004,1004,999,1003,998,997,1004,998,997,998,998,998,1002,1002,998,996,996,996,1003,1003,997,997,997,991,992,1004,1001,999,1004,998,994,1004,999,999,1005,1004,998,998,1005,998,997,996,998,1001,999,998,1000,1004,998,998,1000,998,998,1004,1000,998,998,998,1000,999,999,999,1000,1004,999,998,1000,998,998,999,1000,999,1004,998,994,1004,999,999,1005,1004,998,998,999,998,997,1003,999,997,997,997,999,1003,998,998,1000,998,998,998,1000,998,1004,998,994,992,1005,1000,1001,998,993,993,1007,1001,1000,1005,1006,999,998,998,1000,1004,998,998,999,998,998,998,1000,999,999,1004,1000,998,998,998,1000,999,999,999,1000,999,999,1004,1000,998,998,998,1000,999,999,999,1003,1004,999,998,1000,998,998,1004,1005,1003,997,997,998,1003,998,997,999,998,998,998,1005,998,998,998,999,998,999,999,1000,999,999,999,1000,999,999,999,1001,999,999,1004,1000,998,997,993]},"stackTable":{"length":2599,"prefix":[null,null,null,null,3,null,5,3,null,8,null,10,11,null,13,null,15,10,3,null,19,8,null,null,null,24,null,10,24,28,3,null,3,null,19,34,null,null,37,24,null,null,3,null,43,15,null,46,28,null,null,19,51,null,null,8,null,null,57,28,15,null,28,null,63,28,10,8,null,null,69,null,71,43,69,19,null,null,77,77,3,null,15,28,15,28,28,null,null,88,37,null,19,92,null,null,28,28,null,98,null,null,101,15,null,104,8,null,24,28,15,null,69,10,113,null,77,69,null,118,63,28,15,122,71,null,125,3,28,null,null,130,28,null,19,null,8,3,null,138,28,null,141,null,null,8,10,146,71,104,8,28,null,null,153,69,10,63,null,null,null,160,46,15,8,null,165,3,138,null,169,null,88,null,19,174,null,176,null,178,28,null,null,15,null,null,10,null,null,null,189,190,77,null,104,null,195,28,null,198,10,null,69,69,15,204,8,10,null,190,null,210,null,null,null,19,8,28,10,218,69,null,77,null,8,71,15,37,10,160,null,37,null,15,28,null,10,28,null,178,8,null,241,242,null,15,125,43,10,null,8,null,71,15,253,null,10,256,null,null,8,28,198,15,88,69,19,266,24,null,77,8,28,null,28,10,69,77,190,8,null,280,15,69,37,10,285,28,null,28,null,15,69,10,293,null,null,8,null,null,null,15,301,null,303,null,10,28,null,null,309,37,null,312,null,69,8,3,null,null,319,28,null,15,323,77,8,null,327,null,329,null,null,8,null,null,8,46,19,338,null,3,null,8,8,8,null,null,347,8,19,null,37,3,353,null,69,28,null,358,77,null,361,19,363,69,8,3,367,28,160,null,371,71,null,37,15,104,null,10,null,69,null,382,15,null,19,386,null,3,null,390,28,null,46,null,15,160,88,71,3,400,null,null,403,null,405,null,19,28,null,410,10,412,null,null,null,8,28,null,419,null,19,28,19,424,37,null,null,77,28,28,null,15,433,null,3,71,24,69,71,15,37,5,10,190,28,382,null,390,19,382,8,3,453,null,8,null,457,71,77,77,3,462,71,77,28,466,null,468,null,null,null,472,390,19,3,476,null,37,403,382,null,15,483,10,485,null,77,419,327,null,15,null,493,10,63,28,3,null,71,28,15,502,69,71,10,null,null,508,28,null,511,19,513,null,515,63,3,518,28,null,37,69,15,null,10,null,28,3,529,8,8,null,312,77,338,37,3,null,24,null,69,15,543,null,28,10,547,null,69,8,77,329,69,69,null,null,3,24,24,null,63,43,null,3,138,null,null,69,15,176,77,10,165,null,77,24,null,null,19,null,3,361,null,null,28,165,141,15,589,28,165,null,593,19,77,405,10,null,63,null,46,15,null,10,null,3,607,88,null,37,37,null,472,319,28,19,71,3,71,null,621,28,null,null,null,null,69,null,629,19,null,3,8,361,8,8,77,15,639,null,null,71,3,null,71,null,138,null,649,24,15,10,null,null,160,511,null,8,null,null,3,77,71,null,null,null,88,null,669,410,19,104,69,3,null,null,null,null,210,466,69,71,10,684,null,189,69,null,null,690,24,468,511,15,403,8,10,698,null,8,24,104,null,15,382,8,10,null,138,null,8,37,19,24,28,10,717,71,71,468,511,null,723,null,19,71,77,10,729,null,69,8,null,8,69,15,null,77,10,160,190,null,743,403,28,null,28,19,37,77,3,752,null,null,null,8,10,null,null,null,null,null,8,19,null,766,null,3,138,28,88,null,8,15,null,10,8,null,69,null,405,15,28,null,3,390,77,210,28,28,28,null,8,null,795,303,13,15,77,19,null,37,19,28,77,10,null,808,515,37,8,71,138,28,15,515,424,null,null,3,511,null,null,138,37,15,210,null,19,null,10,28,3,24,null,null,28,null,165,null,125,511,15,844,46,null,10,3,28,71,77,15,19,null,3,63,null,28,160,382,15,862,8,10,37,462,null,868,null,870,19,28,10,874,493,null,3,null,3,880,8,8,null,15,419,511,10,69,390,3,891,null,null,28,69,null,897,77,37,19,null,547,169,327,3,906,null,69,101,15,null,77,10,28,8,19,10,28,3,920,13,511,390,null,15,926,10,28,303,190,null,37,null,19,null,3,937,24,28,null,15,942,null,77,28,190,71,511,63,37,null,77,15,954,955,160,10,37,3,138,511,28,493,null,390,8,10,null,529,null,280,629,77,69,15,28,19,10,979,980,null,null,28,null,28,null,511,null,113,null,69,null,null,104,null,19,10,998,405,468,null,1002,210,410,null,3,15,160,19,1010,null,3,null,327,71,null,8,15,28,28,19,1022,8,3,1025,280,null,210,null,15,403,77,10,1034,280,468,309,621,69,8,19,160,3,69,43,null,77,15,null,3,28,160,125,null,1055,null,15,138,28,19,1061,null,165,329,190,8,160,28,15,null,null,null,3,28,28,null,null,19,8,63,329,37,69,null,null,593,280,10,3,69,690,160,null,null,19,77,10,1098,null,241,1101,190,43,515,69,15,null,19,1109,419,3,71,28,160,null,null,10,10,1119,null,1055,8,69,382,15,1126,138,10,28,190,71,69,null,null,null,null,3,210,468,null,69,15,165,10,null,3,null,198,null,1150,69,15,468,104,10,77,3,1158,118,71,28,15,69,10,28,null,468,null,1169,77,69,743,null,1174,71,null,19,382,null,3,37,28,null,null,null,19,null,1188,361,3,null,138,160,1188,329,69,19,8,null,10,null,null,43,null,808,241,1207,15,1209,null,1211,10,1213,329,null,null,69,71,37,511,null,329,15,null,10,null,null,1228,190,329,null,8,515,37,15,125,19,1238,3,28,null,null,8,null,15,280,15,1248,77,10,null,10,1253,77,28,null,77,19,null,10,1261,69,8,null,null,1266,null,null,1269,43,19,382,280,3,43,8,28,1228,null,null,15,1282,77,868,309,210,8,null,8,15,19,1292,null,3,649,24,160,null,1299,28,15,511,null,8,3,138,null,125,null,63,19,28,28,null,null,null,43,69,28,null,1321,15,null,19,3,null,69,15,null,28,19,1332,8,3,24,515,15,24,77,515,24,null,28,null,null,382,8,19,24,10,null,null,8,8,515,15,null,null,null,3,null,8,382,null,28,null,null,8,15,19,1371,8,71,1055,8,null,15,null,8,10,3,1382,98,88,69,468,null,1388,37,19,515,37,28,165,57,77,1266,15,37,10,920,303,511,1169,77,15,19,1408,3,37,28,511,15,28,1292,104,3,71,743,8,null,null,15,1424,10,77,3,28,138,13,null,null,1433,71,19,28,28,10,1439,71,null,280,null,3,160,24,null,37,null,19,165,10,1453,808,468,null,15,37,null,3,28,28,71,77,null,1466,19,382,3,1470,361,null,71,15,511,null,19,403,3,1480,125,8,160,280,15,1486,329,null,101,28,104,43,10,1494,511,null,190,69,71,19,24,3,71,69,104,null,null,1508,210,null,19,28,293,3,1515,1101,169,198,null,null,1521,19,10,621,3,24,891,77,10,null,28,3,1533,28,null,511,37,null,1539,null,1541,19,319,28,729,28,190,37,104,77,null,77,19,28,28,10,1557,361,190,null,null,1562,160,15,1169,10,690,3,1569,160,125,176,15,19,1575,3,1541,160,null,1150,null,null,1583,69,19,468,null,10,1589,1590,69,28,null,511,null,15,1597,37,10,28,8,24,104,null,null,19,8,390,null,1610,null,null,77,19,28,28,10,null,190,69,8,28,165,37,15,210,10,410,28,3,24,511,71,15,null,24,19,1638,8,303,280,15,null,1253,1645,138,28,382,19,19,69,3,69,280,1515,null,null,null,null,69,19,28,69,10,null,3,24,null,null,null,1671,69,19,24,621,729,null,190,null,1680,69,null,138,69,8,15,28,160,19,8,3,160,303,160,null,null,1697,null,1699,19,515,8,1207,190,28,15,386,3,71,327,303,null,null,null,69,19,1541,28,10,1720,69,69,329,329,19,null,null,null,1729,19,28,10,1733,null,null,303,329,null,19,10,null,null,null,15,null,69,10,null,1749,8,null,3,43,69,15,8,10,null,3,1760,null,329,169,382,88,null,1767,null,15,1770,37,10,3,160,468,303,null,37,19,141,37,69,69,69,24,3,515,28,125,468,125,104,19,125,null,1796,3,8,63,361,312,8,19,8,8,10,3,1808,1809,8,71,405,24,19,null,1729,null,190,69,8,15,8,10,8,69,15,329,null,10,104,null,null,8,1541,15,null,329,10,3,24,77,null,1843,15,327,104,10,63,37,null,24,null,403,511,3,71,46,303,null,null,37,19,10,178,8,8,515,69,15,19,1871,69,3,null,160,null,null,1466,1575,515,71,8,160,15,1885,69,69,10,3,1890,8,37,46,515,15,28,24,19,1899,3,1901,43,138,null,382,15,3,71,null,1749,null,210,43,77,15,19,24,190,15,1920,10,190,69,8,69,160,15,1928,69,10,3,15,null,19,1935,1936,390,169,null,28,327,8,null,10,null,3,1947,null,null,390,1101,280,101,10,28,190,1055,390,15,28,329,null,3,69,104,null,1967,15,1969,77,null,1901,28,null,null,1976,8,null,19,28,10,1982,165,null,null,69,138,null,null,280,37,15,1188,390,71,3,71,511,null,515,3,8,null,2004,390,19,null,3,468,null,2011,24,15,1188,511,10,160,3,71,null,null,28,15,1638,null,3,138,77,null,77,19,null,8,3,2035,69,null,19,28,10,2041,null,303,189,24,808,37,10,null,280,57,8,138,15,468,3,138,28,null,null,2061,8,19,327,3,null,69,null,77,382,null,15,69,null,189,63,77,37,160,15,2081,8,69,10,null,130,37,10,71,3,2091,null,null,24,15,null,10,null,null,28,327,null,null,10,2105,77,329,69,19,null,165,3,69,241,8,10,410,190,null,8,15,104,468,24,160,10,null,165,28,241,null,8,null,null,2135,303,868,210,98,104,null,2142,15,88,10,280,3,37,24,43,null,327,null,2154,15,28,10,null,3,37,1266,28,null,28,null,1126,63,160,null,88,1209,10,71,3,138,71,371,160,766,19,3,71,null,28,15,138,3,468,511,null,19,28,8,10,24,71,null,15,8,19,8,649,280,88,511,null,795,28,19,3,null,null,15,null,10,28,28,3,null,null,15,null,10,77,1890,723,280,8,null,28,null,15,null,2234,10,28,382,null,null,null,8,19,2105,190,8,8,null,2248,77,15,10,190,1169,null,8,15,280,19,2259,3,28,null,69,15,37,19,10,2268,69,309,1843,77,28,15,2275,10,null,3,327,null,null,null,2283,390,null,19,null,1253,28,28,312,null,926,10,2295,null,null,493,19,8,77,24,28,69,15,null,3,1843,303,null,2311,19,10,327,null,77,69,165,8,10,303,400,null,null,2325,24,null,10,28,8,null,2332,19,null,3,868,8,15,19,2340,3,327,160,null,723,69,10,null,511,37,77,69,19,28,190,69,69,15,28,160,34,3,77,null,2135,954,8,10,1228,309,71,43,null,160,15,null,10,28,null,2380,15,511,309,69,null,165,323,10,null,3,24,125,511,null,null,88,46,88,19,2400,69,10,2403,69,71,28,69,37,15,125,160,null,null,3,390,null,15,160,71,3,28,71,303,280,null,null,2427,77,77,19,3,515,511,null,37,390,19,28,null,3,null,468,null,2444,69,15,19,8,3,2450,null,2452,null,null,1935,2456,8,453,327,8,1248,8,160,327,null,71,19,null,3,71,null,2472,24,null,19,361,28,77,8,null,19,null,10,2484,808,3,2487,2488,null,77,15,null,10,2494,null,null,8,15,null,2500,3,null,null,15,null,19,2507,1034,null,190,null,28,null,88,15,327,28,468,37,15,null,589,10,63,15,2507,null,3,210,null,null,138,19,104,160,10,2537,361,15,2540,43,10,8,null,3,28,160,69,15,8,19,468,null,10,390,403,19,1494,329,160,null,63,15,2259,3,null,8,null,null,28,19,2572,3,43,null,88,690,10,null,null,329,null,69,null,2585,69,69,19,24,808,312,88,1486,8,10,null,190],"frame":[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,52,147,148,149,150,151,152,153,154,155,156,157,158,159,160,119,161,162,163,164,165,166,167,168,169,170,171,172,173,174,119,175,176,177,178,179,180,181,182,183,184,185,186,28,187,188,189,190,191,192,193,194,168,195,196,197,198,113,35,199,200,201,132,202,203,204,205,206,207,208,209,210,173,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,172,173,244,245,173,246,247,248,249,99,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,12,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,14,306,307,308,309,310,311,312,258,313,314,315,316,317,318,319,320,321,322,12,323,324,325,326,327,328,329,330,331,332,333,334,335,280,12,336,337,338,339,340,341,342,343,113,35,344,345,322,12,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,288,371,372,373,374,375,376,35,377,378,379,380,381,382,383,384,385,153,34,35,386,387,388,389,390,391,119,392,393,394,146,395,396,397,398,399,400,401,402,403,52,404,405,406,407,408,409,410,411,412,269,413,414,415,416,417,418,419,420,172,173,421,422,423,381,424,425,426,34,35,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,6,443,444,51,52,363,364,445,446,349,447,448,449,450,99,451,452,453,454,455,456,457,458,123,459,460,461,462,463,464,465,466,467,468,35,469,470,471,472,473,474,475,476,477,478,479,480,481,482,210,173,483,484,485,486,487,488,489,490,491,492,493,494,146,52,495,496,92,93,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,14,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,99,210,173,535,536,537,168,538,539,540,324,541,542,543,349,544,545,546,547,548,93,549,550,551,552,553,422,321,554,555,556,557,558,559,560,561,562,563,564,565,566,567,6,568,569,570,571,572,573,574,575,245,173,576,577,578,579,580,581,582,583,584,99,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,6,614,331,615,616,617,618,619,620,621,622,119,623,624,625,626,627,628,468,35,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,458,123,646,647,648,649,650,349,651,652,653,654,122,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,239,690,691,692,693,591,694,695,696,697,698,699,700,701,702,703,704,203,705,706,707,708,709,710,168,711,712,713,714,715,716,717,718,321,719,720,721,722,723,724,725,726,727,728,729,314,730,731,732,733,734,735,736,52,737,738,739,740,741,742,743,744,745,99,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,520,766,767,768,769,770,771,772,773,774,775,776,777,376,35,778,779,780,114,781,321,782,783,784,785,786,52,142,787,788,789,11,12,790,791,792,793,794,795,796,797,798,799,12,800,801,802,803,804,379,805,806,807,808,364,540,689,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,349,825,826,827,322,12,828,829,830,831,832,833,834,835,836,245,173,837,838,839,616,824,840,841,842,843,844,845,846,847,848,849,809,233,234,850,851,852,853,854,855,856,813,857,858,859,860,861,254,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,35,881,882,883,884,885,886,887,172,173,888,889,890,891,892,669,893,894,700,895,896,678,897,898,899,900,901,902,903,904,905,906,376,35,907,122,123,908,909,540,910,911,99,912,913,440,914,915,916,669,917,918,919,920,921,922,777,923,924,925,926,927,928,929,930,931,932,933,934,935,936,122,123,937,938,939,177,940,941,942,943,944,945,946,947,948,949,950,951,952,953,954,955,956,957,958,959,203,960,961,962,963,349,964,965,966,967,968,969,473,970,871,99,140,971,972,973,974,975,439,678,976,977,978,187,979,980,981,579,548,93,982,47,983,984,985,786,395,986,987,988,554,989,990,991,992,993,994,995,888,649,996,997,998,863,999,1000,1001,1002,888,1003,1004,1005,1006,1007,985,1008,1009,253,173,321,1010,1011,1012,1013,1014,1015,1016,1017,1018,1019,1020,1021,1022,1023,912,1024,1025,769,1026,1027,1028,1029,1030,1031,1032,1033,1034,1035,1010,1036,1037,1038,1039,1040,844,1041,1042,1043,1044,1045,1046,1047,1048,1049,1050,1051,1052,1053,677,440,1054,14,1055,1056,1057,1058,1059,1060,1061,1062,1063,1064,736,1065,1066,1067,1068,1069,1070,1071,1072,1073,1074,290,1075,1076,1077,548,93,1078,1079,1080,1081,1082,1083,1084,1085,1086,1087,1088,1089,1090,1091,810,1092,1093,1094,1095,1096,1097,253,173,192,1098,1099,1100,99,1101,1102,803,1103,1104,148,1105,1106,1107,1108,1109,335,1110,1111,1112,440,1113,794,1114,627,1115,1116,1117,1118,786,52,1119,1120,381,1121,1122,1123,1124,1125,1126,1127,1128,1129,1130,1131,1132,170,1133,1134,1135,1136,1137,1138,1139,1140,1141,1142,1143,1144,349,1145,1146,1147,1148,1149,1150,1151,1152,1153,458,123,1154,1155,1156,1157,1158,1159,1160,1161,1162,1163,1164,1165,1166,1167,1168,1169,1170,1171,1172,1173,1174,1175,1176,579,1177,1178,1179,1180,1181,1182,1183,1184,1185,1186,1187,1188,1189,1190,810,1191,1192,14,1193,1194,1195,1196,1197,1198,1199,1200,1201,1202,1203,1204,1205,14,1206,1207,1072,1208,1209,1210,1211,1212,888,1213,464,1214,309,1215,1216,1217,1218,1219,280,12,1220,1221,1222,1223,1224,1225,1226,443,1227,1228,1217,1229,1230,1231,439,1232,1233,1234,1235,1236,1237,119,1238,1239,379,1240,1241,1242,1243,1244,678,1245,1246,1247,1248,183,1249,1250,1251,1252,1253,1254,1255,376,35,523,1256,1257,1258,1259,1260,1261,1262,1263,1264,1265,1266,1267,1268,1269,113,35,1270,1271,1272,1273,1274,1275,155,1276,1055,1056,1277,1278,1279,1280,11,1281,1282,1283,99,1284,1285,354,896,678,1286,1287,1288,1289,1290,1291,1292,1293,1294,1295,511,1296,1297,1298,412,1299,579,1300,488,1301,123,379,203,813,1302,1303,691,1304,1305,1217,1306,1307,1281,1308,1309,1310,1311,1244,678,1312,1313,743,1314,1315,79,1316,203,1317,349,1318,1319,1320,1321,1322,635,1323,1324,1325,1326,1327,1328,761,762,344,400,1329,1330,1022,1331,1332,1333,1334,14,1112,678,1335,1336,47,1337,1338,123,1339,168,1340,1341,1342,1343,1344,99,1345,1346,1347,1348,809,233,234,1349,1350,1351,1352,1353,548,93,1354,1355,1356,1357,1358,1359,1360,1361,1362,1363,89,1364,99,1365,1366,1367,1368,1369,1370,1371,1372,369,1373,1374,1375,1376,1377,1378,813,1379,691,1380,1381,99,1382,1383,1384,1385,1386,403,1226,1387,1157,1388,1389,1390,233,234,1391,1392,1393,1394,1395,1396,1397,1398,1399,1400,1401,1402,1403,1404,1405,1406,1407,1408,1409,1410,1411,1412,1413,1414,1415,14,1416,405,1417,1418,123,1419,1420,1421,1418,1422,1423,845,1424,1425,1426,1427,1428,1001,1429,200,1430,1072,1431,1432,1433,763,1434,1435,1436,1437,1438,1439,936,1440,356,93,1441,1442,1443,1437,1444,1445,1446,1447,1448,379,1449,1450,309,1451,1452,1453,1454,1455,1456,1457,1458,1459,1460,1461,403,52,1462,1463,1464,1465,1466,1467,1468,1469,1470,1471,438,1472,1473,1474,1475,1476,1477,1478,1479,1480,1481,1482,1483,1484,1485,616,617,1486,1487,381,1488,1489,1490,1491,1492,363,93,1070,1493,1494,1495,1496,1497,1498,1499,1120,888,1500,1501,1502,1503,1504,1505,1506,1507,368,1508,1509,1049,1510,1511,1512,691,1513,1514,1515,1516,1517,1518,1519,1520,1521,1522,870,233,234,1523,1524,813,1525,1526,1527,1528,1529,1300,1530,1531,1532,1533,1534,1535,1536,1537,1538,1539,1540,1541,1542,1543,1544,540,1545,1546,1547,967,1548,1549,1550,1551,99,1552,1544,1107,1553,1554,1555,1556,1557,1558,1459,1347,1559,1560,976,1282,1561,1562,1563,1564,853,1565,1566,1567,1568,1569,1570,1055,1087,1571,1572,1573,1574,1575,1576,983,655,1577,1578,1579,1580,1581,1582,1583,1584,1585,403,395,1586,1587,1588,1589,1590,1591,1592,11,12,146,52,1593,1594,1595,1596,724,1597,1598,1599,381,1600,142,190,1601,1602,1603,1604,775,253,173,1605,1606,1607,1608,1609,1610,34,35,1611,1612,724,1613,1614,870,233,234,1615,888,1616,1617,940,1618,1619,1620,1621,51,52,1622,1623,1624,1625,1626,540,1627,1628,1109,349,1629,1630,1288,1631,1632,1633,1634,1635,1636,763,1637,1232,1638,1639,1640,1641,1642,1643,1644,1645,1646,1647,1648,1649,1200,1650,1651,1652,1653,1654,1655,1656,1210,1657,1658,1659,1660,1661,1662,1663,1664,1665,1282,1666,1667,1668,540,1669,1670,1671,1672,625,1673,321,1674,1675,1676,1677,1678,1679,1680,1681,1682,1683,1684,1089,52,1685,919,1686,1687,1688,1689,1690,1691,1692,1338,123,1693,1694,1695,1696,1697,47,1698,1699,1700,1701,1702,1703,1241,1704,1705,666,1706,1707,1130,1708,1709,1710,1711,1712,1713,1487,1714,1715,327,1716,1717,1718,1719,1720,73,1721,1381,1722,1723,39,1724,1725,1726,1727,799,12,1728,1729,919,1730,153,1731,1732,1733,1190,1734,1735,1736,1737,324,1738,1739,1740,1741,1742,1743,1744,1745,1746,364,1747,1748,1749,1750,1751,1515,1752,1753,1754,1755,1756,131,1757,1758,1759,1760,1761,1762,1763,1764,1765,1766,960,1767,1768,1769,1770,1771,1772,864,1773,349,670,1774,1775,1776,311,1777,826,1778,1779,1780,1781,379,1775,1782,1783,1784,691,1785,1606,1786,1787,1788,1789,540,1790,1791,413,1792,52,1793,1794,1795,1796,1232,1797,1798,1799,1800,1801,1802,230,153,1803,1804,1805,1806,1807,1808,1809,1810,467,1811,1812,1813,1814,1815,1816,1817,1818,1819,1820,1435,1006,1821,540,1822,1823,1824,1825,1826,1827,161,1828,1829,1830,454,1831,1832,1833,1834,1065,1835,1836,1837,1838,921,1839,52,14,1840,1841,1842,1843,1844,1845,1846,349,1847,1848,1849,1850,1851,1852,1853,513,93,1854,1855,1856,1857,1459,1858,1859,1860,1861,1862,1863,1443,1864,1865,1301,655,1866,1867,1868,1869,1870,1871,1872,823,617,1873,39,203,1874,1875,1055,1582,1876,1877,1104,1878,1879,1880,1881,1882,1883,1884,1885,1886,1887,667,1888,1594,1889,1281,1890,1087,1891,1892,1276,1089,1893,1894,1895,1896,1897,1898,1899,1900,813,1901,1902,744,1903,1904,345,1905,1906,1907,908,1908,1909,1547,114,1910,1911,1912,1913,1914,1915,1916,1917,1918,1919,1920,1921,1371,47,1922,1923,1746,93,1924,326,1925,1926,119,1927,1928,1929,1686,783,1930,1931,1409,1932,755,1933,1934,1935,1936,1937,114,1938,1939,1940,203,1941,1942,1943,1944,1945,1946,1947,1948,1949,1950,1951,1952,1953,1954,1022,1799,1955,623,1956,1957,1958,1959,1960,1961,1962,1963,1964,1965,1966,1967,1624,794,1968,1086,1087,1969,1301,123,1970,1971,1972,1973,1974,1975,89,1976,1977,1978,292,1336,1979,1980,1981,1982,1983,1984,1985,314,1986,1987,1988,1075,1989,1990,1991,817,1992,1993,1994,1995,1996,1997,1998,1999,2000,2001,2002,2003,99,2004,2005,324,2006,786,52,2007,2008,2009,2010,871,540,2011,254,1438,2012,1582,2013,2014,1082,2015,2016,18,2017,2018,2019,2020,6,2021,2022,2023,2024,2025,2026,2027,2028,2029,2030,799,12,1930,1091,871,381,2031,2032,2033,2034,2035,349,2036,2037,2038,2039,2040,1019,1147,2041,2042,2043,2044,245,173,678,2045,868,2046,1420,2047,2048,2049,2027,1854,1274,2050,2051,2052,254,2053,2054,2055,234,2056,2057,25,2058,2059,2060,2061,2062,2063,2064,2065,882,1190,2066,632,361,2067,2068,2069,2070,2071,2072,2073,2074,2075,2076,2077,2078,2079,168,2080,1232,1157,2081,2082,960,2083,1319,2084,2085,2086,2087,2088,2089,969,473,2090,635,2091,2092,47,2093,2094,2095,1577,2096,2097,2098,142,2099,2100,2101,2102,2103,2104,2105,12,1919,2106,2107,2108],"category":[1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"subcategory":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"stringArray":["0x7f7021f6308b","sign_44","0x91b19","0x913b6","0x905aa","0x72bdd","0x92883","libc.so.6","0x1a0998","0x72ea4","0x92aa8","0x11e1e","0x9051f","0x73e38","0xce94","0x9484f","0x1a1004","0x903ad","0x6c112","0x74037","0x70339","0x9046a","0x736b7","0x11cdc","0x939c7","0x93857","0x93e8f","0x1a0745","0x949c9","0x72129","0x98f6a","0x98d1a","0x732b2","0x91e2a","0x6d1f5","0x9243a","0x73879","0x78c34","0x96887","0x92ab0","0x10db4","0x995c9","0x94d79","0x9141f","0x6e567","0x92fe5","0xf150","0x6b19c","0x92ae3","0x1a1009","0x98446","0x93b47","0x948dc","0x73f0a","0x78c14","0x923b7","0x92b43","0x11c6b","0x9284c","0x90873","0x9a343","0x98a0e","0x70009","0x92f24","0x9841e","0x92fcd","0xde2a","0x98d20","0x70530","0x121e1","0x93cd7","0x92aa0","0x115e0","0x92ab8","0x105bd","0xf3b5","0x11843","0x6e4dd","0x9342d","0x92ac0","0xf9e3","0xf9bc","0x6bd51","0x923d3","0x6a87d","0x98cb3","0x72adc","0x98992","0x989cb","0x9139a","0x94f17","0xed6e","0x10be0","0x92b52","0x732cc","0x78b89","0x91abf","0x9364a","0x98c2f","0x98a1a","0x94ef7","0x1a09ad","0x9535a","0x93488","0x1a0977","0x7156c","0x94f1f","0xf17f","0x1208c","0x8f322","0x9928d","0x98c9c","0x71959","0x91e14","0x113ad","0x73495","0x78c3a","0x91956","0xfc6f","0x11444","0x957c5","0x1a100e","0xda15","0x98bfe","0x73756","0x78be4","0x101b4","0x9493c","0xec90","0x70b90","0x9882a","0x91a77","0x9722d","0x1a0a2c","0x98bd3","0x91ab2","0x70c2a","0x92909","0x11bfa","0x73c57","0x92fc5","0xd055","0x98982","0x9491c","0x1a09a2","0x9018d","0x9534d","0x12012","0x733e4","0x1066a","0xf1e7","0x122be","0x981ed","0x94c87","0x90417","0x1a09fc","0x11a8e","0x73e46","0xda73","0x94d8a","0x9343f","0x93eb2","0x9a049","0x736ff","0x11c61","0x9492c","0xd7f7","0x6b9a9","0xd09c","0x94e29","0x1a098a","0x933d9","0xece6","0x933e8","0x73685","0x12ab4","0x92a0b","0x90ac8","0x9a13b","0x989b0","0x9535f","0x92b1f","0x7073b","0x9214b","0x952f9","0x6ddc0","0x93689","0x94772","0x90848","0x98a14","0xfe1d","0x93b6a","0xf0a5","0x8f7b3","0x11229","0x98a96","0x957b5","0x70c6e","0x92a96","0x1116b","0x11a2b","0x124b9","0x72309","0x94ec1","0x92a98","0x1a0985","0x93109","0x951d9","0x91aa4","0x6b846","0x121b4","0x97fa1","0x73dcc","0x113f6","0x92b3e","0xfaf9","0x91337","0x11dbd","0x10041","0x72b5e","0x109db","0x708e2","0x9a0c8","0x92473","0x10c8b","0x956e7","0x6a51f","0x98c03","0x9128a","0x6d92a","0x98a99","0x947c7","0x9a358","0x11b53","0x947ef","0x78b12","0x12abb","0x94d95","0x6b151","0xef26","0xf285","0x7218b","0x91d01","0x1237b","0x93038","0x1003d","0x92339","0x732a6","0x94f99","0x94ed0","0x12356","0x98d02","0x6c383","0xeaae","0x11353","0x73a84","0x12ab8","0x99584","0x91c01","0xf64b","0x12a78","0x98a31","0x8f9d3","0x98d7b","0x6b7fe","0x118a3","0xfba4","0x985b3","0x11c70","0x94f07","0xdb91","0x70701","0x11847","0x10f58","0x73226","0xce82","0x98324","0x90f8c","0x98c80","0x94c18","0x73ed6","0x115a1","0x736f1","0x91951","0x9199b","0x11bbe","0x950bf","0x91a1d","0x91944","0x6ca3f","0x1a1033","0x94934","0xe285","0x91cca","0x6d546","0x98cb8","0x94c94","0x90a9d","0x993ab","0x108a9","0x9676f","0xd08d","0x929b0","0x11a33","0x12042","0x73882","0x92406","0x934e4","0x989fe","0x94d70","0x73769","0x78c04","0xfcf5","0x129b0","0x94814","0x94f0f","0xe54b","0x9105b","0x93349","0x1230d","0x93677","0x96b78","0x126e3","0x1a1013","0x73af0","0x932b9","0x73b86","0x91b4d","0x11c5c","0x11ce1","0x11cbe","0x9584e","0x8ff91","0x1170d","0x1276b","0x733a8","0x924bd","0x10b85","0x92249","0x11a64","0x98a3f","0x78c84","0x97e66","0xf5e0","0x9480c","0x114b8","0x110ea","0x124c5","0x98ae5","0x9a1e9","0x94e5f","0x1a1036","0x10479","0x92427","0x1081b","0x6ed26","0xf063","0x912b9","0x705ea","0x94d9e","0x11653","0x94944","0xeff9","0x6a60e","0x943f0","0x73df2","0x78b8d","0x91976","0x71cdc","0x92fdd","0xedd6","0x98d2e","0x91c38","0x92881","0x6b79f","0x9a2b1","0xede9","0x10141","0x73fcb","0x91d55","0x92ad3","0x1a0980","0x93782","0x1a096e","0x9672c","0x6c025","0x985a2","0x9376c","0x91303","0x91e71","0x92415","0x120f5","0x98c54","0x94883","0x954b0","0x6dad9","0x98ce1","0x78c18","0x10de8","0x92e24","0x90e95","0xfca7","0x98b24","0x98eb5","0x94ff8","0x73bc2","0x94c99","0x70626","0x10259","0x9941e","0x112df","0x1031f","0x722e5","0x10ae1","0x1a0991","0x989c3","0x989fb","0xf2ed","0x91324","0xef2b","0x70ee4","0xf03c","0x11b67","0x91b2b","0x11c7a","0x974dc","0x10575","0xf8dd","0xf8f5","0x102d3","0xfe29","0x97fe5","0x1a0866","0x94924","0xcf0e","0x91adf","0x92da4","0x8fe6c","0x11da5","0xea4b","0x73822","0x737e7","0x78c2d","0x91b87","0x10f4d","0xf3d5","0x91922","0x91141","0xf850","0x11ccb","0x91c77","0x6e10d","0x953c0","0x6cd9d","0xda4b","0x98c2c","0x7392d","0x95bb5","0x10361","0x9842f","0x73b55","0x1138d","0x1046d","0x735c8","0x94d8f","0x8f938","0x10e8b","0x983bc","0x94eff","0xd5bd","0x73c76","0x92fd5","0xe42f","0xd979","0x73b60","0x78bf4","0x98a58","0x948c2","0x1072f","0x115f0","0x71cc2","0x91b3d","0x6d303","0x93337","0x98b94","0x11e16","0x11cb0","0x9459c","0xd3c4","0xfb87","0xce9c","0x10a2d","0x726ac","0x936ee","0x992e4","0x9344e","0x116dc","0x92c4f","0x98b60","0x96369","0x11336","0x12446","0xfce0","0xe67d","0x112a4","0x11982","0x91b6c","0x91ec2","0x70e66","0x9939a","0x99341","0x91a84","0xd868","0xf3c7","0x93b12","0x6ae67","0xd5e5","0x92838","0x92142","0x117af","0x7135e","0xf60a","0x7191a","0xdf01","0x91b5f","0xf8e9","0x99592","0x9545f","0x9235b","0x728fc","0x95257","0x71d67","0x11757","0x94ea2","0x92392","0x98564","0xde45","0x98847","0xd7bd","0x953fd","0x6d37b","0xf7e8","0x1a097b","0x917f8","0xdd39","0x91aec","0x6edc4","0x94d7d","0x6baf5","0x93288","0x73aaa","0xe83f","0x948f0","0x10937","0x10e0a","0x9118b","0x98a68","0x72e31","0x1012e","0x72737","0x1009f","0x93759","0x1a0730","0x98abe","0x91b9a","0x95365","0x91a5d","0x8fb8c","0x11225","0x9347a","0x70804","0x948e7","0x6a7dc","0x11b61","0x1109c","0x12383","0x11ede","0xf665","0x933df","0x92211","0x102c0","0x6e0e3","0x92fa3","0x10449","0x92b3a","0xd092","0x94df7","0x994b8","0x73955","0x70027","0x950c8","0x935d8","0x9a3ec","0xcf25","0x977cb","0x126de","0x94d38","0x91c89","0x708f7","0xfa69","0x10699","0x92ef3","0x94cf8","0x95818","0xeab3","0x8fd1b","0x1015d","0x1a0918","0x71685","0xf2e8","0x11456","0x72b64","0x93e7d","0x94a54","0x91b5a","0x93cd0","0x1a0875","0xff45","0x7338a","0x78c08","0x94a68","0x993e7","0x111d1","0x932b4","0x934d3","0x99232","0xd45b","0xd537","0x73fa7","0x1a0937","0x11bcf","0x9234b","0x120f0","0x99503","0xf419","0x952f4","0x6b02c","0xf498","0x1217d","0x71b03","0x9108d","0xd1f5","0x922a5","0x1243d","0x106a0","0x6d9f4","0x993c4","0x98492","0x103e3","0x10231","0xd05a","0xcf96","0x9540d","0x91c26","0x6b789","0x10555","0xfb8b","0x78be8","0x922fa","0x1135c","0x12148","0x91c5b","0x11fae","0x11398","0x6f9af","0x9645b","0xfbfb","0x6f332","0x9a39d","0x98bbf","0x929fb","0x1a0a0a","0x1a09a6","0x98a4a","0x977c2","0x984a0","0x7390e","0x10ca1","0xf655","0x73c9e","0x78c24","0x90e5a","0x91d2e","0x932a7","0x11de9","0x72eee","0x94567","0x95278","0x919bf","0x9476c","0x978b9","0x12612","0x9483f","0x1a0a2f","0x91504","0x6af4f","0x98a4d","0xea7e","0x92b28","0x11f45","0x6fa8a","0x9431a","0x6a2a6","0x1222a","0x93187","0x1155e","0x94e85","0x6ff50","0x98a47","0x92e40","0x6cf4f","0xec88","0xfab2","0x98438","0x98b69","0x985f1","0x92eea","0x11bf0","0x901e6","0x11b3e","0xe5d3","0x731ba","0xfa64","0x6d9a9","0x92859","0x10d9e","0x73ece","0x9837e","0xfaef","0x6cd78","0x9482c","0xf8af","0x10d13","0x11b7a","0xff13","0xd1e3","0x982a3","0x720d4","0xe313","0x92b24","0x948d4","0x73ae6","0xd2c8","0x9192b","0x92156","0xd1b4","0x10eb1","0x6d847","0x933c3","0x7152b","0x9343a","0x6f5c4","0x9899a","0x733b0","0x994da","0x94247","0x94133","0x98a52","0x941b4","0xdeb5","0x976d5","0xeb29","0xd6e1","0x73aba","0x78bb0","0x1a0f00","0x91a97","0x6dfed","0x984b4","0x1034f","0xfc8b","0x6fafd","0x73777","0x94b79","0x6b133","0xd790","0x93609","0x989ce","0x9a340","0xf5cd","0x12437","0x70f41","0x10711","0x94e39","0x8ffa1","0x10d19","0x71dbf","0x983b4","0x737c4","0x94bea","0x73e86","0x91068","0x11f9d","0x12a1d","0x935f7","0x7201e","0x1a1024","0xd48b","0x6b713","0x11a7c","0xed5c","0x73312","0x94c09","0x911aa","0x98b71","0x11864","0x8fa6e","0xfbdc","0x10d2f","0x6fa3d","0x937fe","0x78705","0x78b0b","0x922e8","0x112d2","0x1a0973","0x6deaa","0x94353","0xf8d7","0x6d248","0x98ba8","0x11f68","0x7007e","0x70c55","0x98a1f","0x73eb0","0x78c00","0xd5cf","0xecf8","0x9536e","0x6e06c","0x98a7b","0xe075","0x98c42","0x91c60","0x10bfd","0x95238","0x7085d","0x921e5","0x99302","0x98354","0x942db","0x924dd","0xfd1d","0x985bb","0x98b5b","0x104cf","0xcf2a","0xdc9d","0x10760","0x958e7","0xf639","0x9a07a","0x72a98","0x108a3","0x73c20","0xcf01","0xd650","0x98283","0x91c3d","0xee92","0x11b5c","0x72280","0x93c9d","0x9124f","0xdd29","0x1a092b","0xfdf4","0x1140a","0x6cce0","0x98c97","0x71ca8","0x78737","0x78b4a","0x1a0931","0x91118","0x91a07","0x98d90","0x92f2c","0x98c60","0x91bf2","0xd553","0x93cfa","0x95269","0x11234","0x92efb","0x936ca","0xef5f","0x91de7","0x6a4ad","0x1a0964","0xd177","0x8f6bf","0x1a091c","0x1a0911","0x91bc8","0x71448","0x9a31d","0x734bd","0x919b7","0x72c8b","0x935ca","0x12484","0x10125","0x9251c","0x11da0","0x6a819","0x98a17","0x98b84","0x11ecc","0xdb0b","0x91c8e","0x9426a","0x73d79","0xfb63","0x73407","0xdda4","0xd55f","0x99522","0x11aff","0x11d53","0x6dfa9","0x9a0e5","0x6e854","0x115fa","0x914a9","0xfe3c","0x6ba8b","0x93822","0x70dfc","0x982ca","0x9a3da","0xec15","0x90d92","0x1a1000","0x922a0","0x6b92c","0xd188","0x98c48","0x93224","0xd88b","0xe23f","0x1267f","0x99fa2","0x98cfd","0x71b52","0x943e8","0x94c04","0x92485","0x702dd","0x98bb3","0x981d5","0x913ff","0x8f4da","0x6e0be","0x126e9","0xddb3","0xe790","0x10e9d","0x1194c","0x91261","0x90e2a","0xdebf","0x6e4b6","0x6d081","0x11649","0x9a173","0x94c68","0x9244c","0x6a924","0xfa8f","0x73382","0x952e3","0xf2b8","0xe1d9","0x110d5","0x6d827","0x9431d","0x1a101a","0x6d00b","0x102e7","0x9a0ef","0x92f64","0x92327","0x9569f","0x1224e","0x11181","0xf221","0xd02a","0x725d6","0x988bc","0x10051","0x110e4","0x94d29","0x9587b","0x94e98","0x94ae9","0x6af8e","0x91cdf","0x1196e","0x6e07d","0x6ae78","0x92e0b","0x73c2b","0x950b9","0x94dd5","0x1a08fe","0x114a0","0x6f4a3","0xd65f","0x6d28d","0xfa42","0xffb7","0x98c6c","0x72e5e","0x119a6","0x6ea48","0x98527","0x94998","0xd18c","0x95b66","0x1a09ea","0xfb9b","0x1185c","0x1a09ef","0x8fe84","0x10155","0x92b94","0xf557","0x951d4","0x6b0b6","0x1092d","0x98b43","0x944d5","0x96bb0","0x90f5d","0x6e7fb","0x94824","0x11a16","0x6ba63","0x92b07","0xd54f","0x9a27f","0xe3af","0x11412","0x6d896","0x128bb","0x935ee","0x73773","0x91b30","0x95a2b","0xf351","0x92ff4","0xf7b8","0x788ea","0x12aab","0x937aa","0x73ad0","0x78bd0","0xe445","0x965a9","0x91b1e","0x1191c","0x1001d","0x10a53","0xd242","0x9122c","0x73f70","0x93589","0x725e6","0x94239","0x9481c","0x10a9d","0x98acb","0xe4bd","0x919e8","0x1238f","0x10b6f","0x6f239","0xee3f","0x70976","0x98a6b","0x941f8","0x9246e","0x11be1","0x92b36","0x6df01","0xdb15","0x73e18","0x78bcd","0xfc01","0x6ea85","0x91a69","0x7871e","0xfc5a","0x989eb","0x975de","0xfd7b","0x70c63","0x952e7","0x11d5e","0x91cb0","0x9373e","0x91523","0x8f66c","0xf1b4","0x73320","0xdf5c","0x6e077","0xf32a","0x12736","0x98975","0x950a7","0x91613","0x73be5","0xfb15","0x99365","0x12441","0x946bb","0x124ad","0x6e629","0x928fc","0x70582","0x98fb9","0x9a08e","0x96787","0xee51","0x98ac3","0x7144b","0xd44b","0x91da2","0x12285","0x72244","0xd63f","0x936f2","0x97360","0xded3","0x6cd91","0x98606","0x98c0c","0x94ebc","0x95b1e","0x92251","0xf502","0x11a9a","0x9839d","0x966cd","0x72e3f","0x911df","0x74018","0x71350","0x94547","0x116aa","0x705f2","0x9356a","0x98b3b","0x11e0a","0x71b2a","0x99415","0xe5d9","0x6b093","0x99437","0xf756","0xe477","0x9958d","0x93429","0x98cad","0x94f32","0x958b1","0xf35f","0x11c4f","0x6d298","0x991d5","0x7398a","0x91bed","0x925c7","0x12a0b","0x123e6","0xe703","0x94bf7","0x9176a","0x91d37","0x6ed9a","0x92fb8","0x11e04","0xf4ea","0x95264","0x9835c","0x9366a","0x90d08","0x12526","0x6c3d5","0x78753","0x11d58","0x103f3","0x123b8","0x942ae","0x72959","0x91bdf","0x1293a","0x71517","0x73695","0x78b7f","0x1a098e","0xeab9","0x1134b","0xd6e5","0x8f2bb","0x10c99","0x6a643","0x10d27","0x98cf4","0xdb9b","0x9a367","0xf8d2","0x71b87","0x6c683","0xe43d","0xd136","0x1a09e5","0xf936","0x6af60","0x6ec3f","0x10829","0x989f5","0xcfd4","0x71c7e","0x98b55","0x78c1b","0x6c1c4","0x10603","0x12a99","0x9398d","0x948e1","0x78c29","0x6c294","0xf6b2","0x72ae7","0x98e7b","0xd17f","0x95029","0x97ab3","0x10346","0x7138f","0x989ab","0x98b9a","0x73f2d","0x10681","0x94229","0xd800","0x8f34a","0x9a2eb","0x993bf","0x97396","0x10af7","0x92fbb","0x6f8bd","0xdf3b","0xd5b9","0x9551c","0x6ba94","0x108bf","0x95340","0x6e7e4","0x98a70","0x98d4e","0xfff6","0xfc87","0x900c9","0x121ca","0x732d8","0xf50a","0x116a4","0x94513","0x10661","0x70222","0xd1ac","0x91b7a","0x1a099d","0xea2b","0x12909","0x9a2c5","0xdd2d","0xce98","0xe6f5","0x90fa5","0x98255","0xf2fb","0xd113","0x942c4","0x98b02","0x11526","0x10365","0x6c6c3","0x99359","0x6e759","0x100c3","0x11800","0x9129a","0x8f684","0x100c7","0x92d60","0x98cb0","0x73e9d","0x93ca2","0x902c7","0x6c0f6","0x73b7b","0x6f792","0x994c2","0xfb01","0x6e6eb","0x933a8","0x989b6","0x98b78","0x943e5","0x1077f","0x900e1","0x934bb","0x6cc01","0x98502","0x78bec","0x98a55","0x982c2","0x10c6e","0xf876","0x8fe06","0xf8ed","0x6e684","0x98b1c","0x98def","0x9283b","0x93c1f","0x9a0aa","0x714d1","0x1a08fb","0x6ba53","0x9a102","0xeddb","0x6a609","0x73377","0x7013e","0x9a125","0x94d17","0x1a0737","0x95308","0x8f7fc","0x118cc","0x7100c","0xd3c0","0x944e1","0x117a3","0x98b4c","0x94c0f","0xd4e1","0x94a5f","0x10793","0x6fd16","0x982dd","0x122fb","0x995aa","0xf20e","0x96ccf","0x92f74","0x6d85a","0x1236c","0x93e9d","0x949b7","0x97a42","0xf8c5","0x6e0b8","0x98736","0x98317","0x73af9","0x94436","0x112ac","0x1223c","0x9882d","0xd87b","0x10945","0x72183","0x6f176","0x98a28","0x73b75","0xd5dd","0xff37","0x6d168","0x9436d","0x995e4","0x1258a","0xdea3","0x6dbc7","0x94ca8","0xd07c","0x98896","0xf4d5","0x6a8ea","0x73b8e","0x11ae1","0x6b7bd","0x113db","0xdc17","0x78bef","0x92623","0x91434","0x9226b","0x8ff3d","0x11828","0x6d821","0x989d8","0x118c0","0x72083","0x94526","0x72ebc","0x99519","0x94648","0x94293","0x8fd7f","0x11704","0x994e9","0x1a0a06","0x963b5","0x98a60","0x927d3","0x110da","0x933d4","0x11305","0x1266d","0x6f1bd","0x98b19","0x9a2f8","0x12701","0x9a294","0x9a132","0x92377","0x92943","0x8f7bb","0x11c3e","0x6e7dc","0xe1f7","0x12759","0x12aa8","0x98556","0x6f9a0","0xfe91","0x12432","0x94572","0x96740","0x92289","0x11287","0x6cc1c","0x98a8e","0x73b68","0x1117d","0x11092","0xe3b7","0xe293","0x6a830","0x91a36","0x92230","0x95c0c","0x1a09aa","0x6cba5","0x989a3","0x922ed","0x92de8","0xe7e5","0xe7c2","0x911ec","0x6aeb8","0x73c7f","0x9216c","0x91395","0x95149","0x92b49","0x114c2","0x7123f","0x90618","0x1a0969","0x12a82","0x959f5","0x7082e","0xf265","0x10f70","0x73ab6","0x121cf","0x6ebe8","0x94409","0x94305","0xe20d","0xefec","0xec03","0x8f529","0x10ad7","0x910ea","0x6f37b","0x7313e","0x9a325","0xd106","0xe77a","0x90e6d","0x107a3","0x10bf3","0x11380","0x119bc","0x11592","0x9964e","0x7131b","0xdfe2","0x98b3e","0xd4c3","0xec56","0x6ba97","0xe8e7","0x904cc","0x6f795","0x120fb","0xd8f3","0x11597","0xd443","0x12308","0x6d196","0x120a3","0x11d46","0x7339d","0x12840","0xff2f","0x99542","0x7363b","0x941b1","0x1a0734","0x948cb","0x11626","0x12371","0x714f1","0x122b2","0x70f2c","0x12072","0x1156b","0x6f3f8","0xe6d7","0x91a72","0x6b934","0xf4fc","0x90ebd","0x922cd","0x12845","0x71ae3","0x91315","0xe7ff","0x7328c","0x9936e","0xf7d4","0x92fbd","0x70dee","0x6ae1e","0xdec3","0x10725","0x949c4","0x9931c","0x9202f","0x6d5f4","0x104f3","0x94398","0x972b8","0x106c8","0x6c047","0x9a1fd","0x126f5","0x12946","0xe3a1","0x1147a","0x6f3b6","0x11639","0x7343f","0x93577","0x9a009","0x90ed8","0x91fe9","0xe5ef","0x102c4","0x11bdc","0x9a021","0x736d1","0x78bc4","0x11852","0x11570","0x6eb9f","0x11cf0","0x10e6d","0x1a0ff3","0xe49f","0x6ece8","0x98252","0x994d4","0xf068","0xd1bc","0x936c6","0xf1a6","0x6cf42","0x10213","0x92f14","0x9259d","0xfac8","0x6ae29","0x6e789","0x996e9","0x6ff33","0x989f8","0x1163f","0x11c3a","0x11401","0x9a49c","0x117ea","0x708a3","0x6f34e","0x9279c","0xee1c","0x9278b","0x98233","0x12a8a","0x9299b","0x6f7a4","0x942b1","0x963a5","0x93445","0xed74","0x1a090b","0xd85b","0x72eff","0x98c23","0xe820","0x6a55b","0xdfee","0x91ad5","0x6fa93","0x11622","0xf569","0x927e3","0x73ff3","0xfdec","0x93194","0x78c10","0x98bf6","0x9195f","0x8f6d7","0x1a102e","0x12532","0x92d13","0x6cf9c","0x98a2e","0x73a94","0xdc05","0x95137","0x911a5","0x118ae","0xd073","0x963ce","0x948d8","0x109c5","0x6f6b8","0x105db","0xeb37","0xff33","0x6d79d","0x1069c","0xcf92","0x90072","0x6e644","0x125a8","0x8fd64","0xe948","0x73790","0x95a46","0x70daa","0x96e98","0x99448","0x6e561","0x103c7","0xd022","0x6b6d6","0x9a3af","0x6b4af","0x1060b","0x9355d","0x92686","0x98aee","0x90d77","0xd01a","0xfd15","0x93572","0xfc05","0x73185","0x91a54","0x11ef8","0x11ad7","0x96ac7","0x6a676","0x9858e","0x730aa","0x94578","0xe0ac","0x992b9","0x99319","0xfbbe","0x10a45","0x943ba","0xdcab","0x11f04","0xd272","0xd183","0x6f0cc","0xd00c","0x98cd8","0x94213","0x9677f","0x12a59","0x7002c","0x6a5bd","0x92d1c","0x119e4","0x93333","0xf6e4","0x95038","0x11a21","0x94155","0xd8f9","0xf829","0x10f3f","0x9a320","0x12036","0x1145c","0x93709","0x1088c","0x6dd10","0x10532","0x789a6","0x91084","0x9435b","0x99508","0x9254a","0x70752","0x941cc","0x9657b","0x98a78","0x11c2b","0x91ada","0x90466","0x736ab","0xfbe9","0xe429","0x119c7","0x6ee6e","0x94193","0x6a57c","0x116b4","0x78a1e","0x11bab","0x6de81","0x98d17","0x9149c","0x12237","0x71869","0xf130","0xd6db","0x9945e","0x9a1ca","0x72dd9","0x94737","0x98c10","0x789f6","0x919ae","0x11ccf","0x922c0","0x9539d","0xe29b","0x1a094a","0xf213","0x8f521","0x713c4","0x6e0de","0xd967","0x6cbdf","0x107fe","0x96fe2","0x129a4","0x90214","0x714a0","0x6d8d7","0x93420","0x6e0c6","0x10f55","0x98c75","0x96bcf","0x94442","0xd86d","0x9a2a0","0x976cc","0xec6c","0x6a67e","0x10243","0x71010","0xd673","0x10537","0x1a0fd2","0x73afe","0x6e055","0x1045b","0x9354a","0x98bc2","0x72b34","0xd4cd","0x70538","0xcf54","0x8f8d5","0x6e54a","0x98c91","0x126d1","0x714da","0x995ad","0xffc3","0x92d79","0x6ddf9","0x12833","0xdeb0","0xe9d5","0xd166","0x95821","0x11ce7","0x98513","0x6e305","0x94759","0x949d8","0x92762","0x70871","0x98a34","0x98b1f","0x91e45","0x93104","0x712da","0x91404","0xf6ca","0xde35","0x1250f","0x951c7","0x989c8","0x963c7","0x7277b","0x92893","0x6f43c","0x98bc5","0xf56f","0x91bac","0x8fdfd","0x93358","0x1261e","0x98bcd","0x12600","0x11beb","0x937b8","0xfda3","0x7059e","0x6ff8f","0x98c78","0x1a0a01","0x922b2","0x706b6","0xdf45","0x7259a","0x98c83","0x95860","0x1112c","0x6b390","0x10734","0x6ffcd","0x114ca","0xf9d1","0x98ecc","0x70c10","0x92e95","0x125ee","0x944d0","0x92463","0x8fa8e","0x103d5","0xe8c0","0x92fab","0x72eaa","0x94575","0x78a66","0x98af9","0x919f1","0x732f2","0x93d03","0x911b6","0x12514","0xfd9f","0x9934c","0x9852a","0x11127","0x6f33b","0x95158","0x707d4","0xe205","0x8f67c","0x6ec6a","0x72786","0x91caa","0xfa57","0x1119c","0x11c67","0x72d64","0x91c50","0x93e51","0x1a0762","0x99516","0x92062","0x6e599","0x98424","0x11b3a","0x8f930","0x11b70","0x71c6f","0x9567b","0x129bc","0x716c5","0x6d2f8","0x9a051","0x948a5","0x113a4","0x7011f","0x9420a","0xf8fd","0x11735","0x98cc9","0x11896","0x1190a","0x70548","0x989db","0x9a162","0x6c0c9","0xfd0d","0x939c0","0x78b2f","0x1292e","0x71946","0x1094d","0x993bc","0x1067d","0xef91","0x945bf","0x9a26b","0x72791","0x9120c","0x6ef82","0x98a22","0x90605","0xd346","0x11767","0x943b4","0xdecb","0x78c0b","0x6cdd3","0x933c7","0x72206","0x99307","0xeb6a","0xcf9a","0x9127d","0x8fe0f","0xef19","0x11976","0x116ed","0x10613","0x9847b","0x1129c","0x10e23","0x6f3a0","0x9a1cd","0x921cd","0x923f3","0x944de","0x6abc2","0x9a36d","0xfffb","0x71a05","0x98588","0x104eb","0xdc35","0x91c13","0x8f7c3","0xfa7b","0xf866","0x72e56","0xe561","0xd6a3","0x96a58","0x108f3","0xec7d","0x6cc97","0x984cb","0x944ec","0x6ae51","0x93069","0xcef8","0x96d10","0x112f4","0x739b2","0x127e1","0x9470c","0x1a0fcd","0x94f94","0x91278","0x123d7","0x12822","0x12606","0x9a04e","0x923e0","0x10691","0x91169","0x6c16f","0x102db","0x93dba","0x99412","0x8fa23","0x6fa29","0x11198","0x98ae0","0xfa7f","0x127bd","0x918b8","0x6b87f","0x93344","0x91bb1","0xfb7f","0x6f453","0x9134f","0x6ca63","0x932c8","0x93546","0x12166","0x701fa","0x9047b","0x94b48","0x91d84","0x6f4d2","0x942cc","0x94ab8","0x94234","0x964e7","0xeb13","0x6fed8","0x10aef","0x6e79a","0x95552","0x6ec8c","0xdaf9","0x6f2b2","0x911ff","0x6e355","0x921a0","0x902a7","0xd557","0x7211d","0xf056","0x9a32a","0x73ea8","0x78bf0","0x78b59","0x125fb","0x91f3a","0x6eaeb","0x9833a","0x9a016","0x11014","0x70d09","0x1232b","0x70e0e","0xcf13","0x936ea","0x73788","0xed69","0x7036a","0x9a2d7","0x913cd","0x6d7f0","0x72cff","0x9178e","0x128a9","0x91c72","0x9007b","0x98b08","0x70a06","0x957eb","0xec70","0x72d29","0x9444e","0x94d24","0x9562a","0x118ff","0x8f7ab","0x1150e","0x11466","0x6f787","0x99354","0xfce8","0xd2f8","0xeebe","0x71d22","0x943c5","0x98379"],"tid":"1785864.1","unregisterTime":2160796743.709309}],"pages":[],"profilerOverhead":[],"counters":[]} \ No newline at end of file diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index f69a2bf95..5a90dc3ff 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -86,18 +86,15 @@ pub(crate) fn make_hint( hint: [[i32; COEFFICIENTS_IN_RING_ELEMENT]; DIMENSION], - re_vector: [PolynomialRingElement; DIMENSION], -) -> [PolynomialRingElement; DIMENSION] { - let mut result = [PolynomialRingElement::::zero(); DIMENSION]; - + re_vector: &mut [PolynomialRingElement; DIMENSION], +) { for i in 0..DIMENSION { - // XXX: Why can't we keep the hint as simd units? - PolynomialRingElement::::from_i32_array(&hint[i], &mut result[i]); + let mut tmp = PolynomialRingElement::zero(); + PolynomialRingElement::::from_i32_array(&hint[i], &mut tmp); - for j in 0..result[0].simd_units.len() { - SIMDUnit::use_hint::(&re_vector[i].simd_units[j], &mut result[i].simd_units[j]); + for j in 0..re_vector[0].simd_units.len() { + SIMDUnit::use_hint::(&re_vector[i].simd_units[j], &mut tmp.simd_units[j]); } + re_vector[i] = tmp; } - - result } diff --git a/libcrux-ml-dsa/src/encoding/commitment.rs b/libcrux-ml-dsa/src/encoding/commitment.rs index d540d9f15..90f661046 100644 --- a/libcrux-ml-dsa/src/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/encoding/commitment.rs @@ -1,7 +1,7 @@ use crate::{helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations}; #[inline(always)] -fn serialize(re: PolynomialRingElement, serialized: &mut [u8]) { +fn serialize(re: &PolynomialRingElement, serialized: &mut [u8]) { let output_bytes_per_simd_unit = serialized.len() / (8 * 4); cloop! { @@ -22,19 +22,17 @@ pub(crate) fn serialize_vector< const RING_ELEMENT_SIZE: usize, const OUTPUT_SIZE: usize, >( - vector: [PolynomialRingElement; DIMENSION], -) -> [u8; OUTPUT_SIZE] { - let mut serialized = [0u8; OUTPUT_SIZE]; + vector: &[PolynomialRingElement; DIMENSION], + serialized: &mut [u8; OUTPUT_SIZE], +) { let mut offset: usize = 0; cloop! { for ring_element in vector.iter() { - serialize::(*ring_element, &mut serialized[offset..offset + RING_ELEMENT_SIZE]); + serialize::(ring_element, &mut serialized[offset..offset + RING_ELEMENT_SIZE]); offset += RING_ELEMENT_SIZE; } } - - serialized } #[cfg(test)] @@ -79,7 +77,7 @@ mod tests { ]; let mut result = [0u8; 192]; - serialize::(re, &mut result); + serialize::(&re, &mut result); assert_eq!(result, serialized); // Test serialization when LOW_ORDER_ROUNDING_RANGE = 261,888 @@ -108,7 +106,7 @@ mod tests { ]; let mut result = [0u8; 128]; - serialize::(re, &mut result); + serialize::(&re, &mut result); assert_eq!(result, serialized); } diff --git a/libcrux-ml-dsa/src/encoding/verification_key.rs b/libcrux-ml-dsa/src/encoding/verification_key.rs index 48e76334b..a5a2fe33c 100644 --- a/libcrux-ml-dsa/src/encoding/verification_key.rs +++ b/libcrux-ml-dsa/src/encoding/verification_key.rs @@ -30,7 +30,6 @@ pub(crate) fn generate_serialized< verification_key_serialized } -#[allow(non_snake_case)] #[inline(always)] pub(crate) fn deserialize< SIMDUnit: Operations, @@ -43,7 +42,7 @@ pub(crate) fn deserialize< [PolynomialRingElement; ROWS_IN_A], ) { let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; - let (seed_for_A, serialized_remaining) = serialized.split_at(SEED_FOR_A_SIZE); + let (seed_for_a, serialized_remaining) = serialized.split_at(SEED_FOR_A_SIZE); for i in 0..ROWS_IN_A { t1::deserialize::( @@ -52,5 +51,5 @@ pub(crate) fn deserialize< ); } - (seed_for_A.try_into().unwrap(), t1) + (seed_for_a.try_into().unwrap(), t1) } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index ba3b314d3..72329377c 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -357,12 +357,13 @@ pub(crate) fn sign_internal< let mut commitment_hash_candidate = [0; COMMITMENT_HASH_SIZE]; { - let commitment_serialized = encoding::commitment::serialize_vector::< + let mut commitment_serialized = [0u8; COMMITMENT_VECTOR_SIZE]; + encoding::commitment::serialize_vector::< SIMDUnit, ROWS_IN_A, COMMITMENT_RING_ELEMENT_SIZE, COMMITMENT_VECTOR_SIZE, - >(commitment); + >(&commitment, &mut commitment_serialized); let mut shake = Shake256Xof::init(); shake.absorb(&message_representative); @@ -603,13 +604,14 @@ pub(crate) fn verify_internal< let mut commitment_hash = [0; COMMITMENT_HASH_SIZE]; { - let commitment = use_hint::(signature.hint, t1); - let commitment_serialized = encoding::commitment::serialize_vector::< + use_hint::(signature.hint, &mut t1); + let mut commitment_serialized = [0u8; COMMITMENT_VECTOR_SIZE]; + encoding::commitment::serialize_vector::< SIMDUnit, ROWS_IN_A, COMMITMENT_RING_ELEMENT_SIZE, COMMITMENT_VECTOR_SIZE, - >(commitment); + >(&t1, &mut commitment_serialized); let mut shake = Shake256Xof::init(); shake.absorb(&message_representative); From 8f1e801e6ca8577fec3129104b268a2a6e2aaf69 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 15:26:00 +0000 Subject: [PATCH 18/58] more --- .../src/encoding/verification_key.rs | 13 ++++--------- libcrux-ml-dsa/src/ml_dsa_generic.rs | 19 +++++++++++++------ 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/verification_key.rs b/libcrux-ml-dsa/src/encoding/verification_key.rs index a5a2fe33c..7fd4bf8b6 100644 --- a/libcrux-ml-dsa/src/encoding/verification_key.rs +++ b/libcrux-ml-dsa/src/encoding/verification_key.rs @@ -36,20 +36,15 @@ pub(crate) fn deserialize< const ROWS_IN_A: usize, const VERIFICATION_KEY_SIZE: usize, >( - serialized: &[u8; VERIFICATION_KEY_SIZE], -) -> ( - [u8; SEED_FOR_A_SIZE], - [PolynomialRingElement; ROWS_IN_A], + serialized: &[u8], + t1: &mut [PolynomialRingElement; ROWS_IN_A], ) { - let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; - let (seed_for_a, serialized_remaining) = serialized.split_at(SEED_FOR_A_SIZE); + debug_assert!(serialized.len() == VERIFICATION_KEY_SIZE - SEED_FOR_A_SIZE); for i in 0..ROWS_IN_A { t1::deserialize::( - &serialized_remaining[i * RING_ELEMENT_OF_T1S_SIZE..(i + 1) * RING_ELEMENT_OF_T1S_SIZE], + &serialized[i * RING_ELEMENT_OF_T1S_SIZE..(i + 1) * RING_ELEMENT_OF_T1S_SIZE], &mut t1[i], ); } - - (seed_for_a.try_into().unwrap(), t1) } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 72329377c..aef0d89b2 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -541,15 +541,22 @@ pub(crate) fn verify_internal< const ONES_IN_VERIFIER_CHALLENGE: usize, const MAX_ONES_IN_HINT: usize, >( - verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], + verification_key: &[u8; VERIFICATION_KEY_SIZE], message: &[u8], domain_separation_context: Option, signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { - let (seed_for_a, mut t1) = - encoding::verification_key::deserialize::( - verification_key_serialized, - ); + let (seed_for_a, t1_serialized) = verification_key.split_at(SEED_FOR_A_SIZE); + let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; + encoding::verification_key::deserialize::( + t1_serialized, + &mut t1, + ); + + // let (seed_for_a, mut t1) = + // encoding::verification_key::deserialize::( + // verification_key_serialized, + // ); let signature = match Signature::::deserialize::< @@ -575,7 +582,7 @@ pub(crate) fn verify_internal< let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; Shake256::shake256::( - verification_key_serialized, + verification_key, &mut verification_key_hash, ); let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; From 91d77a68ffbadc62cd77fe169e2c6712018932e8 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 23 Dec 2024 16:31:18 +0000 Subject: [PATCH 19/58] avx2 ntt cleanup --- libcrux-ml-dsa/src/encoding/signature.rs | 15 +- libcrux-ml-dsa/src/matrix.rs | 3 +- libcrux-ml-dsa/src/ml_dsa_generic.rs | 39 ++-- libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 24 ++- libcrux-ml-dsa/src/simd/avx2/invntt.rs | 32 +-- libcrux-ml-dsa/src/simd/avx2/ntt.rs | 239 ++++++++------------- 6 files changed, 151 insertions(+), 201 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index 12fe7f9e7..c8e9be9ee 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -66,7 +66,6 @@ impl< } } - #[allow(non_snake_case)] #[inline(always)] pub(crate) fn deserialize< const GAMMA1_EXPONENT: usize, @@ -75,7 +74,8 @@ impl< const SIGNATURE_SIZE: usize, >( serialized: &[u8; SIGNATURE_SIZE], - ) -> Result { + signature: &mut Self, + ) -> Result<(), VerificationError> { let (commitment_hash, rest_of_serialized) = serialized.split_at(COMMITMENT_HASH_SIZE); let (signer_response_serialized, hint_serialized) = rest_of_serialized.split_at(GAMMA1_RING_ELEMENT_SIZE * COLUMNS_IN_A); @@ -141,10 +141,11 @@ impl< return Err(VerificationError::MalformedHintError); } - Ok(Signature { - commitment_hash: commitment_hash.try_into().unwrap(), - signer_response, - hint, - }) + // Set output + signature.commitment_hash = commitment_hash.try_into().unwrap(); + signature.signer_response = signer_response; + signature.hint = hint; + + Ok(()) } } diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index 0728c56ee..713d2bafc 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -113,10 +113,11 @@ pub(crate) fn compute_w_approx< const COLUMNS_IN_A: usize, >( A_as_ntt: &[[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], - mut signer_response: [PolynomialRingElement; COLUMNS_IN_A], + signer_response: &[PolynomialRingElement; COLUMNS_IN_A], verifier_challenge_as_ntt: &PolynomialRingElement, t1: &mut [PolynomialRingElement; ROWS_IN_A], ) { + let mut signer_response = signer_response.clone(); // Move signer response into NTT for i in 0..signer_response.len() { ntt(&mut signer_response[i]); diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index aef0d89b2..4d3aac122 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -301,7 +301,7 @@ pub(crate) fn sign_internal< let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; derive_message_representative::( verification_key_hash, - domain_separation_context, + &domain_separation_context, message, &mut message_representative, ); @@ -494,7 +494,7 @@ pub(crate) fn sign_internal< #[inline(always)] fn derive_message_representative( verification_key_hash: &[u8], - domain_separation_context: Option, + domain_separation_context: &Option, message: &[u8], message_representative: &mut [u8; 64], ) { @@ -553,22 +553,21 @@ pub(crate) fn verify_internal< &mut t1, ); - // let (seed_for_a, mut t1) = - // encoding::verification_key::deserialize::( - // verification_key_serialized, - // ); - - let signature = - match Signature::::deserialize::< - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - MAX_ONES_IN_HINT, - SIGNATURE_SIZE, - >(signature_serialized) - { - Ok(s) => s, - Err(e) => return Err(e), - }; + let mut signature = Signature { + commitment_hash: [0u8; COMMITMENT_HASH_SIZE], + signer_response: [PolynomialRingElement::zero(); COLUMNS_IN_A], + hint: [[0i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A], + }; + match Signature::::deserialize::< + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + MAX_ONES_IN_HINT, + SIGNATURE_SIZE, + >(signature_serialized, &mut signature) + { + Ok(_) => (), + Err(e) => return Err(e), + }; // We use if-else branches because early returns will not go through hax. if vector_infinity_norm_exceeds::( @@ -588,7 +587,7 @@ pub(crate) fn verify_internal< let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; derive_message_representative::( &verification_key_hash, - domain_separation_context, + &domain_separation_context, message, &mut message_representative, ); @@ -604,7 +603,7 @@ pub(crate) fn verify_internal< compute_w_approx::( &matrix, - signature.signer_response, + &signature.signer_response, &verifier_challenge, &mut t1, ); diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index b67140c46..88e1927d8 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -16,17 +16,17 @@ fn to_unsigned_representatives(t: &mut Vec256) { } #[inline(always)] -pub fn add(lhs: &mut Vec256, rhs: &Vec256) { +pub(super) fn add(lhs: &mut Vec256, rhs: &Vec256) { *lhs = mm256_add_epi32(*lhs, *rhs) } #[inline(always)] -pub fn subtract(lhs: &mut Vec256, rhs: &Vec256) { +pub(super) fn subtract(lhs: &mut Vec256, rhs: &Vec256) { *lhs = mm256_sub_epi32(*lhs, *rhs) } #[inline(always)] -pub fn montgomery_multiply_by_constant(lhs: Vec256, constant: i32) -> Vec256 { +pub(super) fn montgomery_multiply_by_constant(lhs: Vec256, constant: i32) -> Vec256 { let rhs = mm256_set1_epi32(constant); let field_modulus = mm256_set1_epi32(FIELD_MODULUS); let inverse_of_modulus_mod_montgomery_r = @@ -52,7 +52,7 @@ pub fn montgomery_multiply_by_constant(lhs: Vec256, constant: i32) -> Vec256 { } #[inline(always)] -pub fn montgomery_multiply(lhs: &mut Vec256, rhs: &Vec256) { +pub(super) fn montgomery_multiply(lhs: &mut Vec256, rhs: &Vec256) { let field_modulus = mm256_set1_epi32(FIELD_MODULUS); let inverse_of_modulus_mod_montgomery_r = mm256_set1_epi32(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32); @@ -75,7 +75,7 @@ pub fn montgomery_multiply(lhs: &mut Vec256, rhs: &Vec256) { } #[inline(always)] -pub fn shift_left_then_reduce(simd_unit: &mut Vec256) { +pub(super) fn shift_left_then_reduce(simd_unit: &mut Vec256) { let shifted = mm256_slli_epi32::(*simd_unit); let quotient = mm256_add_epi32(shifted, mm256_set1_epi32(1 << 22)); @@ -90,7 +90,7 @@ pub fn shift_left_then_reduce(simd_unit: &mut Vec256) { // TODO: Revisit this function when doing the range analysis and testing // additional KATs. #[inline(always)] -pub fn infinity_norm_exceeds(simd_unit: &Vec256, bound: i32) -> bool { +pub(super) fn infinity_norm_exceeds(simd_unit: &Vec256, bound: i32) -> bool { let absolute_values = mm256_abs_epi32(*simd_unit); // We will test if |simd_unit| > bound - 1, because if this is the case then @@ -106,7 +106,7 @@ pub fn infinity_norm_exceeds(simd_unit: &Vec256, bound: i32) -> bool { } #[inline(always)] -pub fn power2round(r0: &mut Vec256, r1: &mut Vec256) { +pub(super) fn power2round(r0: &mut Vec256, r1: &mut Vec256) { to_unsigned_representatives(r0); *r1 = mm256_add_epi32( @@ -121,7 +121,7 @@ pub fn power2round(r0: &mut Vec256, r1: &mut Vec256) { #[allow(non_snake_case)] #[inline(always)] -pub fn decompose(r: &Vec256, r0: &mut Vec256, r1: &mut Vec256) { +pub(super) fn decompose(r: &Vec256, r0: &mut Vec256, r1: &mut Vec256) { let mut r = r.clone(); to_unsigned_representatives(&mut r); @@ -182,7 +182,11 @@ pub fn decompose(r: &Vec256, r0: &mut Vec256, r1: &mut Vec256 } #[inline(always)] -pub fn compute_hint(low: &Vec256, high: &Vec256, hint: &mut Vec256) -> usize { +pub(super) fn compute_hint( + low: &Vec256, + high: &Vec256, + hint: &mut Vec256, +) -> usize { let gamma2 = mm256_set1_epi32(GAMMA2); let minus_gamma2 = mm256_set1_epi32(-GAMMA2); @@ -206,7 +210,7 @@ pub fn compute_hint(low: &Vec256, high: &Vec256, hint: &mut V } #[inline(always)] -pub(crate) fn use_hint(r: &Vec256, hint: &mut Vec256) { +pub(super) fn use_hint(r: &Vec256, hint: &mut Vec256) { let (mut r0, mut r1) = (zero(), zero()); decompose::(r, &mut r0, &mut r1); diff --git a/libcrux-ml-dsa/src/simd/avx2/invntt.rs b/libcrux-ml-dsa/src/simd/avx2/invntt.rs index 53f08c830..5337a68f8 100644 --- a/libcrux-ml-dsa/src/simd/avx2/invntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/invntt.rs @@ -6,7 +6,9 @@ use libcrux_intrinsics::avx2::*; #[inline(always)] #[allow(unsafe_code)] pub(crate) fn invert_ntt_montgomery(re: &mut AVX2RingElement) { - unsafe { + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + unsafe fn inv_inner(re: &mut AVX2RingElement) { invert_ntt_at_layer_0(re); invert_ntt_at_layer_1(re); invert_ntt_at_layer_2(re); @@ -15,16 +17,19 @@ pub(crate) fn invert_ntt_montgomery(re: &mut AVX2RingElement) { invert_ntt_at_layer_5(re); invert_ntt_at_layer_6(re); invert_ntt_at_layer_7(re); + + for i in 0..re.len() { + // After invert_ntt_at_layer, elements are of the form a * MONTGOMERY_R^{-1} + // we multiply by (MONTGOMERY_R^2) * (1/2^8) mod Q = 41,978 to both: + // + // - Divide the elements by 256 and + // - Convert the elements form montgomery domain to the standard domain. + const FACTOR: i32 = 41_978; + re[i] = arithmetic::montgomery_multiply_by_constant(re[i], FACTOR); + } } - for i in 0..re.len() { - // After invert_ntt_at_layer, elements are of the form a * MONTGOMERY_R^{-1} - // we multiply by (MONTGOMERY_R^2) * (1/2^8) mod Q = 41,978 to both: - // - // - Divide the elements by 256 and - // - Convert the elements form montgomery domain to the standard domain. - const FACTOR: i32 = 41_978; - re[i] = arithmetic::montgomery_multiply_by_constant(re[i], FACTOR); - } + + unsafe { inv_inner(re) }; } #[inline(always)] @@ -270,11 +275,8 @@ fn outer_3_plus( re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], ) { for j in OFFSET..OFFSET + STEP_BY { - // XXX: make nicer - let rejs = re[j + STEP_BY]; - let mut a_minus_b = rejs; - arithmetic::subtract(&mut a_minus_b, &re[j]); - arithmetic::add(&mut re[j], &rejs); + let a_minus_b = mm256_sub_epi32(re[j + STEP_BY], re[j]); + re[j] = mm256_add_epi32(re[j], re[j + STEP_BY]); re[j + STEP_BY] = arithmetic::montgomery_multiply_by_constant(a_minus_b, ZETA); } () diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index cf64b0088..ece8055c2 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -5,8 +5,8 @@ use libcrux_intrinsics::avx2::*; #[inline(always)] fn butterfly_2( - a: Vec256, - b: Vec256, + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, zeta_a0: i32, zeta_a1: i32, zeta_a2: i32, @@ -15,7 +15,7 @@ fn butterfly_2( zeta_b1: i32, zeta_b2: i32, zeta_b3: i32, -) -> (Vec256, Vec256) { +) { // We shuffle the terms to group those that need to be multiplied // with zetas in the high QWORDS of the vectors, i.e. if the inputs are // a = (a7, a6, a5, a4, a3, a2, a1, a0) @@ -24,166 +24,133 @@ fn butterfly_2( // a_shuffled = ( a7, a5, a6, a4, a3, a1, a2, a0) // b_shuffled = ( b7, b5, b6, b4, b3, b1, b2, b0) const SHUFFLE: i32 = 0b11_01_10_00; - let a_shuffled = mm256_shuffle_epi32::(a); - let b_shuffled = mm256_shuffle_epi32::(b); + let a = mm256_shuffle_epi32::(re[index]); + let b = mm256_shuffle_epi32::(re[index + 1]); // Now we can use the same approach as for `butterfly_4`, only // zetas need to be adjusted. - let mut summands = mm256_unpacklo_epi64(a_shuffled, b_shuffled); - let mut zeta_products = mm256_unpackhi_epi64(a_shuffled, b_shuffled); + let summands = mm256_unpacklo_epi64(a, b); + let mut zeta_products = mm256_unpackhi_epi64(a, b); let zetas = mm256_set_epi32( zeta_b3, zeta_b2, zeta_a3, zeta_a2, zeta_b1, zeta_b0, zeta_a1, zeta_a0, ); arithmetic::montgomery_multiply(&mut zeta_products, &zetas); - let mut sub_terms = summands; - arithmetic::subtract(&mut sub_terms, &zeta_products); - arithmetic::add(&mut summands, &zeta_products); - let add_terms = summands; + let sub_terms = mm256_sub_epi32(summands, zeta_products); + let add_terms = mm256_add_epi32(summands, zeta_products); let a_terms_shuffled = mm256_unpacklo_epi64(add_terms, sub_terms); let b_terms_shuffled = mm256_unpackhi_epi64(add_terms, sub_terms); // Here, we undo the initial shuffle (it's self-inverse). - let a_out = mm256_shuffle_epi32::(a_terms_shuffled); - let b_out = mm256_shuffle_epi32::(b_terms_shuffled); - - (a_out, b_out) + re[index] = mm256_shuffle_epi32::(a_terms_shuffled); + re[index + 1] = mm256_shuffle_epi32::(b_terms_shuffled); } // Compute (a,b) ↦ (a + ζb, a - ζb) at layer 1 for 2 SIMD Units in one go. #[inline(always)] fn butterfly_4( - a: Vec256, - b: Vec256, + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, zeta_a0: i32, zeta_a1: i32, zeta_b0: i32, zeta_b1: i32, -) -> (Vec256, Vec256) { - let mut summands = mm256_unpacklo_epi64(a, b); - let mut zeta_products = mm256_unpackhi_epi64(a, b); +) { + let summands = mm256_unpacklo_epi64(re[index], re[index + 1]); + let mut zeta_products = mm256_unpackhi_epi64(re[index], re[index + 1]); let zetas = mm256_set_epi32( zeta_b1, zeta_b1, zeta_a1, zeta_a1, zeta_b0, zeta_b0, zeta_a0, zeta_a0, ); arithmetic::montgomery_multiply(&mut zeta_products, &zetas); - let mut sub_terms = summands; - arithmetic::subtract(&mut sub_terms, &zeta_products); - arithmetic::add(&mut summands, &zeta_products); - let add_terms = summands; + let sub_terms = mm256_sub_epi32(summands, zeta_products); + let add_terms = mm256_add_epi32(summands, zeta_products); // Results are shuffled across the two SIMD registers. // We need to bring them in the right order. - let a_out = mm256_unpacklo_epi64(add_terms, sub_terms); - let b_out = mm256_unpackhi_epi64(add_terms, sub_terms); - - (a_out, b_out) + re[index] = mm256_unpacklo_epi64(add_terms, sub_terms); + re[index + 1] = mm256_unpackhi_epi64(add_terms, sub_terms); } // Compute (a,b) ↦ (a + ζb, a - ζb) at layer 2 for 2 SIMD Units in one go. #[inline(always)] -fn butterfly_8(a: Vec256, b: Vec256, zeta0: i32, zeta1: i32) -> (Vec256, Vec256) { - let mut summands = mm256_set_m128i(mm256_castsi256_si128(b), mm256_castsi256_si128(a)); - let mut zeta_products = mm256_permute2x128_si256::<0b0001_0011>(b, a); +fn butterfly_8( + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta0: i32, + zeta1: i32, +) { + let summands = mm256_set_m128i( + mm256_castsi256_si128(re[index + 1]), + mm256_castsi256_si128(re[index]), + ); + let mut zeta_products = mm256_permute2x128_si256::<0b0001_0011>(re[index + 1], re[index]); let zetas = mm256_set_epi32(zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); arithmetic::montgomery_multiply(&mut zeta_products, &zetas); - let mut sub_terms = summands; - arithmetic::subtract(&mut sub_terms, &zeta_products); - arithmetic::add(&mut summands, &zeta_products); - let add_terms = summands; + let sub_terms = mm256_sub_epi32(summands, zeta_products); + let add_terms = mm256_add_epi32(summands, zeta_products); - let a_out = mm256_set_m128i( + re[index] = mm256_set_m128i( mm256_castsi256_si128(sub_terms), mm256_castsi256_si128(add_terms), ); - let b_out = mm256_permute2x128_si256::<0b0001_0011>(sub_terms, add_terms); - - (a_out, b_out) + re[index + 1] = mm256_permute2x128_si256::<0b0001_0011>(sub_terms, add_terms); } #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - #[inline(always)] - fn round( - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], - index: usize, - zeta_0: i32, - zeta_1: i32, - zeta_2: i32, - zeta_3: i32, - zeta_4: i32, - zeta_5: i32, - zeta_6: i32, - zeta_7: i32, - ) { - let (a, b) = butterfly_2( - re[index], - re[index + 1], - zeta_0, - zeta_1, - zeta_2, - zeta_3, - zeta_4, - zeta_5, - zeta_6, - zeta_7, - ); - re[index] = a; - re[index + 1] = b; - } - - round( + butterfly_2( re, 0, 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462, ); - round( + butterfly_2( re, 2, 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378, ); - round( + butterfly_2( re, 4, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500, ); - round( + butterfly_2( re, 6, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, ); - round( + butterfly_2( re, 8, 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, ); - round( + butterfly_2( re, 10, 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974, ); - round( + butterfly_2( re, 12, -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970, ); - round( + butterfly_2( re, 14, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642, ); - round( + butterfly_2( re, 16, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031, ); - round( + butterfly_2( re, 18, -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, ); - round( + butterfly_2( re, 20, -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385, ); - round( + butterfly_2( re, 22, -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107, ); - round( + butterfly_2( re, 24, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078, ); - round( + butterfly_2( re, 26, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, ); - round( + butterfly_2( re, 28, -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, ); - round( + butterfly_2( re, 30, -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782, ); } @@ -191,69 +158,43 @@ unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - #[inline(always)] - fn round( - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], - index: usize, - zeta_0: i32, - zeta_1: i32, - zeta_2: i32, - zeta_3: i32, - ) { - let (a, b) = butterfly_4(re[index], re[index + 1], zeta_0, zeta_1, zeta_2, zeta_3); - re[index] = a; - re[index + 1] = b; - } - - round(re, 0, -3930395, -1528703, -3677745, -3041255); - round(re, 2, -1452451, 3475950, 2176455, -1585221); - round(re, 4, -1257611, 1939314, -4083598, -1000202); - round(re, 6, -3190144, -3157330, -3632928, 126922); - round(re, 8, 3412210, -983419, 2147896, 2715295); - round(re, 10, -2967645, -3693493, -411027, -2477047); - round(re, 12, -671102, -1228525, -22981, -1308169); - round(re, 14, -381987, 1349076, 1852771, -1430430); - round(re, 16, -3343383, 264944, 508951, 3097992); - round(re, 18, 44288, -1100098, 904516, 3958618); - round(re, 20, -3724342, -8578, 1653064, -3249728); - round(re, 22, 2389356, -210977, 759969, -1316856); - round(re, 24, 189548, -3553272, 3159746, -1851402); - round(re, 26, -2409325, -177440, 1315589, 1341330); - round(re, 28, 1285669, -1584928, -812732, -1439742); - round(re, 30, -3019102, -3881060, -3628969, 3839961); + butterfly_4(re, 0, -3930395, -1528703, -3677745, -3041255); + butterfly_4(re, 2, -1452451, 3475950, 2176455, -1585221); + butterfly_4(re, 4, -1257611, 1939314, -4083598, -1000202); + butterfly_4(re, 6, -3190144, -3157330, -3632928, 126922); + butterfly_4(re, 8, 3412210, -983419, 2147896, 2715295); + butterfly_4(re, 10, -2967645, -3693493, -411027, -2477047); + butterfly_4(re, 12, -671102, -1228525, -22981, -1308169); + butterfly_4(re, 14, -381987, 1349076, 1852771, -1430430); + butterfly_4(re, 16, -3343383, 264944, 508951, 3097992); + butterfly_4(re, 18, 44288, -1100098, 904516, 3958618); + butterfly_4(re, 20, -3724342, -8578, 1653064, -3249728); + butterfly_4(re, 22, 2389356, -210977, 759969, -1316856); + butterfly_4(re, 24, 189548, -3553272, 3159746, -1851402); + butterfly_4(re, 26, -2409325, -177440, 1315589, 1341330); + butterfly_4(re, 28, 1285669, -1584928, -812732, -1439742); + butterfly_4(re, 30, -3019102, -3881060, -3628969, 3839961); } #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - #[inline(always)] - fn round( - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], - index: usize, - zeta_0: i32, - zeta_1: i32, - ) { - let (a, b) = butterfly_8(re[index], re[index + 1], zeta_0, zeta_1); - re[index] = a; - re[index + 1] = b; - } - - round(re, 0, 2706023, 95776); - round(re, 2, 3077325, 3530437); - round(re, 4, -1661693, -3592148); - round(re, 6, -2537516, 3915439); - round(re, 8, -3861115, -3043716); - round(re, 10, 3574422, -2867647); - round(re, 12, 3539968, -300467); - round(re, 14, 2348700, -539299); - round(re, 16, -1699267, -1643818); - round(re, 18, 3505694, -3821735); - round(re, 20, 3507263, -2140649); - round(re, 22, -1600420, 3699596); - round(re, 24, 811944, 531354); - round(re, 26, 954230, 3881043); - round(re, 28, 3900724, -2556880); - round(re, 30, 2071892, -2797779); + butterfly_8(re, 0, 2706023, 95776); + butterfly_8(re, 2, 3077325, 3530437); + butterfly_8(re, 4, -1661693, -3592148); + butterfly_8(re, 6, -2537516, 3915439); + butterfly_8(re, 8, -3861115, -3043716); + butterfly_8(re, 10, 3574422, -2867647); + butterfly_8(re, 12, 3539968, -300467); + butterfly_8(re, 14, 2348700, -539299); + butterfly_8(re, 16, -1699267, -1643818); + butterfly_8(re, 18, 3505694, -3821735); + butterfly_8(re, 20, 3507263, -2140649); + butterfly_8(re, 22, -1600420, 3699596); + butterfly_8(re, 24, 811944, 531354); + butterfly_8(re, 26, 954230, 3881043); + butterfly_8(re, 28, 3900724, -2556880); + butterfly_8(re, 30, 2071892, -2797779); } /// This is equivalent to the pqclean 0 and 1 @@ -369,12 +310,11 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { let offset = (index * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT; for j in offset..offset + STEP_BY { - let mut t = re[j + STEP_BY]; - arithmetic::montgomery_multiply(&mut t, &rhs); + arithmetic::montgomery_multiply(&mut re[j + STEP_BY], &rhs); - re[j + STEP_BY] = re[j]; - arithmetic::subtract(&mut re[j + STEP_BY], &t); - arithmetic::add(&mut re[j], &t); + let tmp = mm256_sub_epi32(re[j], re[j + STEP_BY]); + re[j] = mm256_add_epi32(re[j], re[j + STEP_BY]); + re[j + STEP_BY] = tmp; } () // Needed because of https://github.com/hacspec/hax/issues/720 } @@ -446,11 +386,14 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[allow(unsafe_code)] #[inline(always)] pub(crate) fn ntt(re: &mut AVX2RingElement) { - unsafe { + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + unsafe fn avx2_ntt(re: &mut AVX2RingElement) { ntt_at_layer_7_and_6(re); ntt_at_layer_5_to_3(re); ntt_at_layer_2(re); ntt_at_layer_1(re); ntt_at_layer_0(re); } + + unsafe { avx2_ntt(re) } } From a596b564bbc047e157eb19f66887f965403a30e6 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 30 Dec 2024 06:47:00 +0000 Subject: [PATCH 20/58] rebase fixups --- libcrux-ml-dsa/src/simd/avx2.rs | 58 ++++++------------- .../src/simd/avx2/encoding/error.rs | 6 +- libcrux-ml-dsa/src/simd/portable.rs | 7 +++ 3 files changed, 29 insertions(+), 42 deletions(-) diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 96f0f0dbd..ec63bf096 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -32,6 +32,7 @@ impl Operations for AVX2SIMDUnit { fn add(lhs: &mut Vec256, rhs: &Vec256) { arithmetic::add(lhs, rhs) } + #[inline(always)] fn subtract(lhs: &mut Vec256, rhs: &Vec256) { arithmetic::subtract(lhs, rhs) @@ -41,6 +42,7 @@ impl Operations for AVX2SIMDUnit { fn montgomery_multiply(lhs: &mut Vec256, rhs: &Vec256) { arithmetic::montgomery_multiply(lhs, rhs); } + #[inline(always)] fn shift_left_then_reduce(simd_unit: &mut Vec256) { arithmetic::shift_left_then_reduce::(simd_unit) @@ -62,9 +64,14 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn compute_hint(low: &Vec256, high: &Vec256,hint: &mut Self::Coefficient,) -> usize { + fn compute_hint( + low: &Vec256, + high: &Vec256, + hint: &mut Self::Coefficient, + ) -> usize { arithmetic::compute_hint::(low, high, hint) } + #[inline(always)] fn use_hint(simd_unit: &Vec256, hint: &mut Vec256) { arithmetic::use_hint::(simd_unit, hint); @@ -74,10 +81,12 @@ impl Operations for AVX2SIMDUnit { fn rejection_sample_less_than_field_modulus(randomness: &[u8], out: &mut [i32]) -> usize { rejection_sample::less_than_field_modulus::sample(randomness, out) } + #[inline(always)] fn rejection_sample_less_than_eta_equals_2(randomness: &[u8], out: &mut [i32]) -> usize { rejection_sample::less_than_eta::sample::<2>(randomness, out) } + #[inline(always)] fn rejection_sample_less_than_eta_equals_4(randomness: &[u8], out: &mut [i32]) -> usize { rejection_sample::less_than_eta::sample::<4>(randomness, out) @@ -101,6 +110,7 @@ impl Operations for AVX2SIMDUnit { fn error_serialize(simd_unit: &Vec256, serialized: &mut [u8]) { encoding::error::serialize::(simd_unit, serialized) } + #[inline(always)] fn error_deserialize(serialized: &[u8], out: &mut Self::Coefficient) { encoding::error::deserialize::(serialized, out); @@ -120,49 +130,19 @@ impl Operations for AVX2SIMDUnit { fn t1_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]) { encoding::t1::serialize(simd_unit, out); } + #[inline(always)] fn t1_deserialize(serialized: &[u8], out: &mut Self::Coefficient) { encoding::t1::deserialize(serialized, out); } #[inline(always)] - fn ntt(simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT]) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] { - // XXX: We can't use from_fn or map here because of Eurydice. - // But this should be rewritten anyway to avoid having to do the map. - // See linked Eurydice issues in #706 - let mut re = [libcrux_intrinsics::avx2::mm256_setzero_si256(); SIMD_UNITS_IN_RING_ELEMENT]; - for i in 0..SIMD_UNITS_IN_RING_ELEMENT { - re[i] = simd_units[i].coefficients; - } - let result = ntt::ntt(re); - - let mut out = [vector_type::ZERO(); SIMD_UNITS_IN_RING_ELEMENT]; - for i in 0..result.len() { - out[i] = Self { - coefficients: result[i], - }; - } - out - } - - #[inline(always)] - fn invert_ntt_montgomery( - simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT], - ) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] { - // XXX: We can't use from_fn or map here because of Eurydice. - // But this should be rewritten anyway to avoid having to do the map. - let mut re = [libcrux_intrinsics::avx2::mm256_setzero_si256(); SIMD_UNITS_IN_RING_ELEMENT]; - for i in 0..SIMD_UNITS_IN_RING_ELEMENT { - re[i] = simd_units[i].coefficients; - } - let result = invntt::invert_ntt_montgomery(re); - - let mut out = [vector_type::ZERO(); SIMD_UNITS_IN_RING_ELEMENT]; - for i in 0..result.len() { - out[i] = Self { - coefficients: result[i], - }; - } - out + fn ntt(simd_units: &mut AVX2RingElement) { + ntt::ntt(simd_units); + } + + #[inline(always)] + fn invert_ntt_montgomery(simd_units: &mut AVX2RingElement) { + invntt::invert_ntt_montgomery(simd_units); } } diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs index 243b74c8e..eb26e5338 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs @@ -129,8 +129,8 @@ pub(crate) fn deserialize_to_unsigned(serialized: &[u8]) -> Ve } #[inline(always)] -pub(crate) fn deserialize(serialized: &[u8]) -> Vec256 { - let deserialized = deserialize_to_unsigned::(serialized); +pub(crate) fn deserialize(serialized: &[u8], out: &mut Vec256) { + let unsigned = deserialize_to_unsigned::(serialized); - mm256_sub_epi32(mm256_set1_epi32(ETA as i32), deserialized) + *out = mm256_sub_epi32(mm256_set1_epi32(ETA as i32), unsigned); } diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index eb3b8fd48..cb5e19e05 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -66,6 +66,7 @@ impl Operations for PortableSIMDUnit { ) -> usize { arithmetic::compute_hint::(low, high, hint) } + fn use_hint(simd_unit: &Coefficients, hint: &mut Coefficients) { arithmetic::use_hint::(simd_unit, hint) } @@ -73,9 +74,11 @@ impl Operations for PortableSIMDUnit { fn rejection_sample_less_than_field_modulus(randomness: &[u8], out: &mut [i32]) -> usize { sample::rejection_sample_less_than_field_modulus(randomness, out) } + fn rejection_sample_less_than_eta_equals_2(randomness: &[u8], out: &mut [i32]) -> usize { sample::rejection_sample_less_than_eta_equals_2(randomness, out) } + fn rejection_sample_less_than_eta_equals_4(randomness: &[u8], out: &mut [i32]) -> usize { sample::rejection_sample_less_than_eta_equals_4(randomness, out) } @@ -86,6 +89,7 @@ impl Operations for PortableSIMDUnit { ) { encoding::gamma1::serialize::(simd_unit, serialized) } + fn gamma1_deserialize(serialized: &[u8], out: &mut Coefficients) { encoding::gamma1::deserialize::(serialized, out) } @@ -97,6 +101,7 @@ impl Operations for PortableSIMDUnit { fn error_serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { encoding::error::serialize::(simd_unit, serialized) } + fn error_deserialize(serialized: &[u8], out: &mut Coefficients) { encoding::error::deserialize::(serialized, out); } @@ -104,6 +109,7 @@ impl Operations for PortableSIMDUnit { fn t0_serialize(simd_unit: &Coefficients, out: &mut [u8]) { encoding::t0::serialize(simd_unit, out) } + fn t0_deserialize(serialized: &[u8], out: &mut Coefficients) { encoding::t0::deserialize(serialized, out) } @@ -111,6 +117,7 @@ impl Operations for PortableSIMDUnit { fn t1_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]) { encoding::t1::serialize(simd_unit, out); } + fn t1_deserialize(serialized: &[u8], out: &mut Self::Coefficient) { encoding::t1::deserialize(serialized, out); } From 0bf36b1277100b23dad516ce98bfef86f6495afd Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Tue, 31 Dec 2024 12:54:53 +0000 Subject: [PATCH 21/58] more cleanup --- libcrux-ml-dsa/src/arithmetic.rs | 7 +-- libcrux-ml-dsa/src/encoding/signing_key.rs | 10 ++-- .../src/encoding/verification_key.rs | 5 +- libcrux-ml-dsa/src/matrix.rs | 16 +++--- libcrux-ml-dsa/src/ml_dsa_generic.rs | 4 ++ libcrux-ml-dsa/src/polynomial.rs | 10 ++-- libcrux-ml-dsa/src/sample.rs | 1 - libcrux-ml-dsa/src/samplex4.rs | 5 +- libcrux-ml-dsa/src/simd/avx2.rs | 49 +++++++++++-------- libcrux-ml-dsa/src/simd/avx2/vector_type.rs | 18 ++++--- libcrux-ml-dsa/src/simd/portable.rs | 4 +- .../src/simd/portable/vector_type.rs | 4 +- libcrux-ml-dsa/src/simd/tests.rs | 33 +++++++++---- libcrux-ml-dsa/src/simd/traits.rs | 2 +- 14 files changed, 96 insertions(+), 72 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index 5a90dc3ff..cfcd0b534 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -8,15 +8,16 @@ pub(crate) fn vector_infinity_norm_exceeds; DIMENSION], bound: i32, ) -> bool { + let mut result = false; cloop! { for ring_element in vector.iter() { - if ring_element.infinity_norm_exceeds(bound) { - return true; + if !result && ring_element.infinity_norm_exceeds(bound) { + result = result || true; } } } - false + result } #[inline(always)] diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs index 8630401ba..80f0f26fa 100644 --- a/libcrux-ml-dsa/src/encoding/signing_key.rs +++ b/libcrux-ml-dsa/src/encoding/signing_key.rs @@ -10,7 +10,6 @@ use crate::{ simd::traits::Operations, }; -#[allow(non_snake_case)] #[inline(always)] pub(crate) fn generate_serialized< SIMDUnit: Operations, @@ -21,8 +20,8 @@ pub(crate) fn generate_serialized< const ERROR_RING_ELEMENT_SIZE: usize, const SIGNING_KEY_SIZE: usize, >( - seed_for_A: &[u8], - seed_for_signing: &[u8], + seed_matrix: &[u8], + seed_signing: &[u8], verification_key: &[u8], s1_2: &[PolynomialRingElement], t0: [PolynomialRingElement; ROWS_IN_A], @@ -30,11 +29,10 @@ pub(crate) fn generate_serialized< let mut signing_key_serialized = [0u8; SIGNING_KEY_SIZE]; let mut offset = 0; - signing_key_serialized[offset..offset + SEED_FOR_A_SIZE].copy_from_slice(seed_for_A); + signing_key_serialized[offset..offset + SEED_FOR_A_SIZE].copy_from_slice(seed_matrix); offset += SEED_FOR_A_SIZE; - signing_key_serialized[offset..offset + SEED_FOR_SIGNING_SIZE] - .copy_from_slice(seed_for_signing); + signing_key_serialized[offset..offset + SEED_FOR_SIGNING_SIZE].copy_from_slice(seed_signing); offset += SEED_FOR_SIGNING_SIZE; let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; diff --git a/libcrux-ml-dsa/src/encoding/verification_key.rs b/libcrux-ml-dsa/src/encoding/verification_key.rs index 7fd4bf8b6..7438173f7 100644 --- a/libcrux-ml-dsa/src/encoding/verification_key.rs +++ b/libcrux-ml-dsa/src/encoding/verification_key.rs @@ -6,18 +6,17 @@ use crate::{ simd::traits::Operations, }; -#[allow(non_snake_case)] #[inline(always)] pub(crate) fn generate_serialized< SIMDUnit: Operations, const ROWS_IN_A: usize, const VERIFICATION_KEY_SIZE: usize, >( - seed_for_A: &[u8], + seed: &[u8], t1: [PolynomialRingElement; ROWS_IN_A], ) -> [u8; VERIFICATION_KEY_SIZE] { let mut verification_key_serialized = [0u8; VERIFICATION_KEY_SIZE]; - verification_key_serialized[0..SEED_FOR_A_SIZE].copy_from_slice(seed_for_A); + verification_key_serialized[0..SEED_FOR_A_SIZE].copy_from_slice(seed); cloop! { for (i, ring_element) in t1.iter().enumerate() { diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index 713d2bafc..486557cce 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -8,7 +8,6 @@ use crate::{ }; /// Compute InvertNTT(Â ◦ ŝ₁) + s₂ -#[inline(always)] pub(crate) fn compute_as1_plus_s2< SIMDUnit: Operations, const ROWS_IN_A: usize, @@ -105,26 +104,25 @@ pub(crate) fn subtract_vectors( } /// Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) -#[allow(non_snake_case)] #[inline(always)] pub(crate) fn compute_w_approx< SIMDUnit: Operations, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, >( - A_as_ntt: &[[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + matrix: &[[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], signer_response: &[PolynomialRingElement; COLUMNS_IN_A], verifier_challenge_as_ntt: &PolynomialRingElement, t1: &mut [PolynomialRingElement; ROWS_IN_A], ) { - let mut signer_response = signer_response.clone(); - // Move signer response into NTT - for i in 0..signer_response.len() { - ntt(&mut signer_response[i]); - } + // let mut signer_response = signer_response.clone(); + // // Move signer response into NTT + // for i in 0..signer_response.len() { + // ntt(&mut signer_response[i]); + // } cloop! { - for (i, row) in A_as_ntt.iter().enumerate() { + for (i, row) in matrix.iter().enumerate() { let mut inner_result = PolynomialRingElement::::zero(); cloop! { for (j, ring_element) in row.iter().enumerate() { diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 4d3aac122..208899ed8 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -601,6 +601,10 @@ pub(crate) fn verify_internal< >(signature.commitment_hash, &mut verifier_challenge); ntt(&mut verifier_challenge); + // Move signer response into ntt + for i in 0..signature.signer_response.len() { + ntt(&mut signature.signer_response[i]); + } compute_w_approx::( &matrix, &signature.signer_response, diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index b42a441b3..38679ebfc 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -32,8 +32,9 @@ impl PolynomialRingElement { pub(crate) fn from_i32_array(array: &[i32], result: &mut Self) { debug_assert!(array.len() >= 256); for i in 0..SIMD_UNITS_IN_RING_ELEMENT { - result.simd_units[i] = SIMDUnit::from_coefficient_array( + SIMDUnit::from_coefficient_array( &array[i * COEFFICIENTS_IN_SIMD_UNIT..(i + 1) * COEFFICIENTS_IN_SIMD_UNIT], + &mut result.simd_units[i], ); } } @@ -47,13 +48,14 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn infinity_norm_exceeds(&self, bound: i32) -> bool { + let mut result = false; for i in 0..self.simd_units.len() { - if SIMDUnit::infinity_norm_exceeds(&self.simd_units[i], bound) { - return true; + if !result && SIMDUnit::infinity_norm_exceeds(&self.simd_units[i], bound) { + result = result || true; } } - false + result } #[inline(always)] diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index fd740d217..4fd5e114f 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -491,7 +491,6 @@ pub(crate) fn sample_challenge_ring_element< let randomness = state.squeeze_first_block(); let mut signs = u64::from_le_bytes(randomness[0..8].try_into().unwrap()); - let mut result = [0i32; 256]; let mut out_index = result.len() - NUMBER_OF_ONES; diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index e2b9f814b..64b1b9510 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -364,7 +364,6 @@ pub(crate) mod portable { pub(crate) struct PortableSampler {} impl X4Sampler for PortableSampler { - #[inline(always)] fn matrix( seed: &[u8], matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], @@ -406,7 +405,6 @@ pub(crate) mod avx2 { pub(crate) struct AVX2Sampler {} impl X4Sampler for AVX2Sampler { - #[inline(always)] #[allow(unsafe_code)] fn matrix( seed: &[u8], @@ -418,8 +416,7 @@ pub(crate) mod avx2 { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] - - pub(crate) unsafe fn matrix_avx2< + unsafe fn matrix_avx2< SIMDUnit: Operations, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index ec63bf096..8c16fada8 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -7,73 +7,76 @@ mod ntt; mod rejection_sample; mod vector_type; -use vector_type::Vec256; pub(crate) use vector_type::{AVX2RingElement, AVX2SIMDUnit}; impl Operations for AVX2SIMDUnit { - type Coefficient = Vec256; + type Coefficient = vector_type::Vec256; #[inline(always)] - fn zero() -> Vec256 { + fn zero() -> Self::Coefficient { vector_type::zero() } #[inline(always)] - fn from_coefficient_array(coefficient_array: &[i32]) -> Vec256 { - vector_type::from_coefficient_array(coefficient_array) + fn from_coefficient_array(coefficient_array: &[i32], out: &mut Self::Coefficient) { + vector_type::from_coefficient_array(coefficient_array, out) } #[inline(always)] - fn to_coefficient_array(value: &Vec256, out: &mut [i32]) { + fn to_coefficient_array(value: &Self::Coefficient, out: &mut [i32]) { vector_type::to_coefficient_array(value, out) } #[inline(always)] - fn add(lhs: &mut Vec256, rhs: &Vec256) { + fn add(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient) { arithmetic::add(lhs, rhs) } #[inline(always)] - fn subtract(lhs: &mut Vec256, rhs: &Vec256) { + fn subtract(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient) { arithmetic::subtract(lhs, rhs) } #[inline(always)] - fn montgomery_multiply(lhs: &mut Vec256, rhs: &Vec256) { + fn montgomery_multiply(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient) { arithmetic::montgomery_multiply(lhs, rhs); } #[inline(always)] - fn shift_left_then_reduce(simd_unit: &mut Vec256) { + fn shift_left_then_reduce(simd_unit: &mut Self::Coefficient) { arithmetic::shift_left_then_reduce::(simd_unit) } #[inline(always)] - fn power2round(t0: &mut Vec256, t1: &mut Vec256) { + fn power2round(t0: &mut Self::Coefficient, t1: &mut Self::Coefficient) { arithmetic::power2round(t0, t1); } #[inline(always)] - fn infinity_norm_exceeds(simd_unit: &Vec256, bound: i32) -> bool { + fn infinity_norm_exceeds(simd_unit: &Self::Coefficient, bound: i32) -> bool { arithmetic::infinity_norm_exceeds(simd_unit, bound) } #[inline(always)] - fn decompose(simd_unit: &Vec256, low: &mut Vec256, high: &mut Vec256) { + fn decompose( + simd_unit: &Self::Coefficient, + low: &mut Self::Coefficient, + high: &mut Self::Coefficient, + ) { arithmetic::decompose::(simd_unit, low, high); } #[inline(always)] fn compute_hint( - low: &Vec256, - high: &Vec256, + low: &Self::Coefficient, + high: &Self::Coefficient, hint: &mut Self::Coefficient, ) -> usize { arithmetic::compute_hint::(low, high, hint) } #[inline(always)] - fn use_hint(simd_unit: &Vec256, hint: &mut Vec256) { + fn use_hint(simd_unit: &Self::Coefficient, hint: &mut Self::Coefficient) { arithmetic::use_hint::(simd_unit, hint); } @@ -93,21 +96,27 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn gamma1_serialize(simd_unit: &Vec256, serialized: &mut [u8]) { + fn gamma1_serialize( + simd_unit: &Self::Coefficient, + serialized: &mut [u8], + ) { encoding::gamma1::serialize::(simd_unit, serialized) } #[inline(always)] - fn gamma1_deserialize(serialized: &[u8], out: &mut Vec256) { + fn gamma1_deserialize( + serialized: &[u8], + out: &mut Self::Coefficient, + ) { encoding::gamma1::deserialize::(serialized, out); } #[inline(always)] - fn commitment_serialize(simd_unit: &Vec256, serialized: &mut [u8]) { + fn commitment_serialize(simd_unit: &Self::Coefficient, serialized: &mut [u8]) { encoding::commitment::serialize(simd_unit, serialized) } #[inline(always)] - fn error_serialize(simd_unit: &Vec256, serialized: &mut [u8]) { + fn error_serialize(simd_unit: &Self::Coefficient, serialized: &mut [u8]) { encoding::error::serialize::(simd_unit, serialized) } diff --git a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs index 4736369d8..1016ce22b 100644 --- a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs +++ b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs @@ -1,20 +1,24 @@ -use super::SIMD_UNITS_IN_RING_ELEMENT; - -pub(super) use libcrux_intrinsics::avx2::Vec256; - +/// An empty type to implement the SIMD operations on #[derive(Clone, Copy)] pub struct AVX2SIMDUnit {} -pub(crate) type AVX2RingElement = [Vec256; SIMD_UNITS_IN_RING_ELEMENT]; +/// The vector type +pub(crate) type Vec256 = libcrux_intrinsics::avx2::Vec256; + +/// An avx2 encoded ring element +pub(crate) type AVX2RingElement = [Vec256; super::SIMD_UNITS_IN_RING_ELEMENT]; +/// Create an all-zero vector coefficient pub(crate) fn zero() -> Vec256 { libcrux_intrinsics::avx2::mm256_setzero_si256() } -pub(crate) fn from_coefficient_array(coefficient_array: &[i32]) -> Vec256 { - libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array) +/// Create a coefficient from an `i32` array +pub(crate) fn from_coefficient_array(coefficient_array: &[i32], out: &mut Vec256) { + *out = libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array) } +/// Write out the coefficient to an `i32` array #[inline(always)] pub(crate) fn to_coefficient_array(value: &Vec256, out: &mut [i32]) { libcrux_intrinsics::avx2::mm256_storeu_si256_i32(out, *value); diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index cb5e19e05..393d78785 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -19,8 +19,8 @@ impl Operations for PortableSIMDUnit { vector_type::zero() } - fn from_coefficient_array(array: &[i32]) -> Coefficients { - vector_type::from_coefficient_array(array) + fn from_coefficient_array(array: &[i32], out: &mut Coefficients) { + vector_type::from_coefficient_array(array, out) } fn to_coefficient_array(value: &Coefficients, out: &mut [i32]) { diff --git a/libcrux-ml-dsa/src/simd/portable/vector_type.rs b/libcrux-ml-dsa/src/simd/portable/vector_type.rs index 6a3abf05f..db019f0dc 100644 --- a/libcrux-ml-dsa/src/simd/portable/vector_type.rs +++ b/libcrux-ml-dsa/src/simd/portable/vector_type.rs @@ -12,8 +12,8 @@ pub(crate) fn zero() -> Coefficients { [0i32; COEFFICIENTS_IN_SIMD_UNIT] } -pub(crate) fn from_coefficient_array(array: &[i32]) -> Coefficients { - array[0..COEFFICIENTS_IN_SIMD_UNIT].try_into().unwrap() +pub(crate) fn from_coefficient_array(array: &[i32], out: &mut Coefficients) { + out.copy_from_slice(&array[0..COEFFICIENTS_IN_SIMD_UNIT]) } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/tests.rs b/libcrux-ml-dsa/src/simd/tests.rs index 6673a663f..d9c23a052 100644 --- a/libcrux-ml-dsa/src/simd/tests.rs +++ b/libcrux-ml-dsa/src/simd/tests.rs @@ -2,9 +2,13 @@ use crate::simd::traits::*; fn test_decompose_generic() { // When GAMMA2 = 95,232 - let input = SIMDUnit::from_coefficient_array(&[ - 5520769, 5416853, 180455, 8127421, 5159850, 5553986, 3391280, 3968290, - ]); + let mut input = SIMDUnit::zero(); + SIMDUnit::from_coefficient_array( + &[ + 5520769, 5416853, 180455, 8127421, 5159850, 5553986, 3391280, 3968290, + ], + &mut input, + ); let expected_low = [-2687, 83861, -10009, -62531, 17322, 30530, -37072, -31454]; let expected_high = [29, 28, 1, 43, 27, 29, 18, 21]; @@ -21,9 +25,13 @@ fn test_decompose_generic() { assert_eq!(out, expected_high); // When GAMMA2 = 261,888 - let input = SIMDUnit::from_coefficient_array(&[ - 2108939, 7162128, 6506792, 7957464, 2350341, 8333084, 496214, 2168929, - ]); + let mut input = SIMDUnit::zero(); + SIMDUnit::from_coefficient_array( + &[ + 2108939, 7162128, 6506792, 7957464, 2350341, 8333084, 496214, 2168929, + ], + &mut input, + ); let expected_low = [ 13835, -170736, 221480, 100824, 255237, -47333, -27562, 73825, @@ -42,14 +50,19 @@ fn test_decompose_generic() { } fn test_power2round_generic() { - let mut input = SIMDUnit::from_coefficient_array(&[ - 6950677, 3362411, 5783989, 5909314, 6459529, 5751812, 864332, 3667708, - ]); + let mut input = SIMDUnit::zero(); + SIMDUnit::from_coefficient_array( + &[ + 6950677, 3362411, 5783989, 5909314, 6459529, 5751812, 864332, 3667708, + ], + &mut input, + ); let expected_low = [3861, 3691, 437, 2882, -3959, 1028, -4020, -2308]; let expected_high = [848, 410, 706, 721, 789, 702, 106, 448]; - let mut high = SIMDUnit::from_coefficient_array(&[0; 8]); + let mut high = SIMDUnit::zero(); + SIMDUnit::from_coefficient_array(&[0; 8], &mut high); SIMDUnit::power2round(&mut input, &mut high); let low = input; diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index b53c9464e..c467a932d 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -20,7 +20,7 @@ pub(crate) trait Operations: Copy + Clone { #[allow(non_snake_case)] fn zero() -> Self::Coefficient; - fn from_coefficient_array(array: &[i32]) -> Self::Coefficient; + fn from_coefficient_array(array: &[i32], out: &mut Self::Coefficient); fn to_coefficient_array(value: &Self::Coefficient, out: &mut [i32]); // Arithmetic From cf04cd09f791c089d6b79ca06b9b61fc88698989 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 1 Jan 2025 14:20:57 +0000 Subject: [PATCH 22/58] start getting rid of const generics --- libcrux-ml-dsa/src/encoding/signing_key.rs | 7 +- .../src/encoding/verification_key.rs | 12 +- libcrux-ml-dsa/src/ml_dsa_44.rs | 31 ++--- libcrux-ml-dsa/src/ml_dsa_65.rs | 29 ++--- libcrux-ml-dsa/src/ml_dsa_87.rs | 29 ++--- libcrux-ml-dsa/src/ml_dsa_generic.rs | 72 +++++++++--- .../src/ml_dsa_generic/instantiations.rs | 57 ++++++--- .../src/ml_dsa_generic/instantiations/avx2.rs | 111 +++++++++++------- .../src/ml_dsa_generic/multiplexing.rs | 80 +++++++------ macros/src/lib.rs | 80 ++++++++++++- 10 files changed, 319 insertions(+), 189 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs index 80f0f26fa..b855d0991 100644 --- a/libcrux-ml-dsa/src/encoding/signing_key.rs +++ b/libcrux-ml-dsa/src/encoding/signing_key.rs @@ -18,15 +18,14 @@ pub(crate) fn generate_serialized< const COLUMNS_IN_A: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, >( seed_matrix: &[u8], seed_signing: &[u8], verification_key: &[u8], s1_2: &[PolynomialRingElement], t0: [PolynomialRingElement; ROWS_IN_A], -) -> [u8; SIGNING_KEY_SIZE] { - let mut signing_key_serialized = [0u8; SIGNING_KEY_SIZE]; + signing_key_serialized: &mut [u8], +) { let mut offset = 0; signing_key_serialized[offset..offset + SEED_FOR_A_SIZE].copy_from_slice(seed_matrix); @@ -61,6 +60,4 @@ pub(crate) fn generate_serialized< offset += RING_ELEMENT_OF_T0S_SIZE; } } - - signing_key_serialized } diff --git a/libcrux-ml-dsa/src/encoding/verification_key.rs b/libcrux-ml-dsa/src/encoding/verification_key.rs index 7438173f7..7ba7f9321 100644 --- a/libcrux-ml-dsa/src/encoding/verification_key.rs +++ b/libcrux-ml-dsa/src/encoding/verification_key.rs @@ -7,15 +7,11 @@ use crate::{ }; #[inline(always)] -pub(crate) fn generate_serialized< - SIMDUnit: Operations, - const ROWS_IN_A: usize, - const VERIFICATION_KEY_SIZE: usize, ->( +pub(crate) fn generate_serialized( seed: &[u8], t1: [PolynomialRingElement; ROWS_IN_A], -) -> [u8; VERIFICATION_KEY_SIZE] { - let mut verification_key_serialized = [0u8; VERIFICATION_KEY_SIZE]; + verification_key_serialized: &mut [u8], +) { verification_key_serialized[0..SEED_FOR_A_SIZE].copy_from_slice(seed); cloop! { @@ -25,8 +21,6 @@ pub(crate) fn generate_serialized< .copy_from_slice(&t1::serialize::(*ring_element)); } } - - verification_key_serialized } #[inline(always)] diff --git a/libcrux-ml-dsa/src/ml_dsa_44.rs b/libcrux-ml-dsa/src/ml_dsa_44.rs index 6fd367893..66fbb357c 100644 --- a/libcrux-ml-dsa/src/ml_dsa_44.rs +++ b/libcrux-ml-dsa/src/ml_dsa_44.rs @@ -4,12 +4,11 @@ use crate::{constants::*, ml_dsa_generic, types::*, SigningError, VerificationEr const ROWS_IN_A: usize = 4; const COLUMNS_IN_A: usize = 4; -const ROW_COLUMN: usize = ROWS_IN_A + COLUMNS_IN_A; const ETA: usize = 2; // To sample a value in the interval [-ETA, ETA], we can sample a value (say 'v') // in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in -// 3 bits when ETA is 3. +// 3 bits when ETA is 2. const BITS_PER_ERROR_COEFFICIENT: usize = 3; const ERROR_RING_ELEMENT_SIZE: usize = @@ -73,15 +72,9 @@ macro_rules! instantiate { pub fn generate_key_pair( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], ) -> MLDSA44KeyPair { - let (signing_key, verification_key) = p::generate_key_pair::< - ROWS_IN_A, - COLUMNS_IN_A, - ROW_COLUMN, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - VERIFICATION_KEY_SIZE, - >(randomness); + let mut signing_key = [0u8; SIGNING_KEY_SIZE]; + let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; + p::generate_key_pair_v44(randomness, &mut signing_key, &mut verification_key); MLDSA44KeyPair { signing_key: MLDSASigningKey::new(signing_key), @@ -285,15 +278,13 @@ instantiate! {neon, ml_dsa_generic::instantiations::neon, "Neon Optimised ML-DSA /// This function returns an [`MLDSA44KeyPair`]. #[cfg(not(eurydice))] pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE]) -> MLDSA44KeyPair { - let (signing_key, verification_key) = ml_dsa_generic::multiplexing::generate_key_pair::< - ROWS_IN_A, - COLUMNS_IN_A, - ROW_COLUMN, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - VERIFICATION_KEY_SIZE, - >(randomness); + let mut signing_key = [0u8; SIGNING_KEY_SIZE]; + let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; + ml_dsa_generic::multiplexing::generate_key_pair_v44( + randomness, + &mut signing_key, + &mut verification_key, + ); MLDSA44KeyPair { signing_key: MLDSASigningKey::new(signing_key), diff --git a/libcrux-ml-dsa/src/ml_dsa_65.rs b/libcrux-ml-dsa/src/ml_dsa_65.rs index 182e47d37..3503c7c81 100644 --- a/libcrux-ml-dsa/src/ml_dsa_65.rs +++ b/libcrux-ml-dsa/src/ml_dsa_65.rs @@ -4,7 +4,6 @@ use crate::{constants::*, ml_dsa_generic, types::*, SigningError, VerificationEr const ROWS_IN_A: usize = 6; const COLUMNS_IN_A: usize = 5; -const ROW_COLUMN: usize = ROWS_IN_A + COLUMNS_IN_A; const ETA: usize = 4; @@ -75,15 +74,9 @@ macro_rules! instantiate { pub fn generate_key_pair( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], ) -> MLDSA65KeyPair { - let (signing_key, verification_key) = p::generate_key_pair::< - ROWS_IN_A, - COLUMNS_IN_A, - ROW_COLUMN, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - VERIFICATION_KEY_SIZE, - >(randomness); + let mut signing_key = [0u8; SIGNING_KEY_SIZE]; + let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; + p::generate_key_pair_v65(randomness, &mut signing_key, &mut verification_key); MLDSA65KeyPair { signing_key: MLDSASigningKey::new(signing_key), @@ -286,15 +279,13 @@ instantiate! {neon, ml_dsa_generic::instantiations::neon, "Neon Optimised ML-DSA /// This function returns an [`MLDSA65KeyPair`]. #[cfg(not(eurydice))] pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE]) -> MLDSA65KeyPair { - let (signing_key, verification_key) = ml_dsa_generic::multiplexing::generate_key_pair::< - ROWS_IN_A, - COLUMNS_IN_A, - ROW_COLUMN, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - VERIFICATION_KEY_SIZE, - >(randomness); + let mut signing_key = [0u8; SIGNING_KEY_SIZE]; + let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; + ml_dsa_generic::multiplexing::generate_key_pair_v65( + randomness, + &mut signing_key, + &mut verification_key, + ); MLDSA65KeyPair { signing_key: MLDSASigningKey::new(signing_key), diff --git a/libcrux-ml-dsa/src/ml_dsa_87.rs b/libcrux-ml-dsa/src/ml_dsa_87.rs index 1d5208343..3c31f4394 100644 --- a/libcrux-ml-dsa/src/ml_dsa_87.rs +++ b/libcrux-ml-dsa/src/ml_dsa_87.rs @@ -7,7 +7,6 @@ use crate::{constants::*, ml_dsa_generic, types::*, SigningError, VerificationEr const ROWS_IN_A: usize = 8; const COLUMNS_IN_A: usize = 7; -const ROW_COLUMN: usize = ROWS_IN_A + COLUMNS_IN_A; const ETA: usize = 2; @@ -78,15 +77,9 @@ macro_rules! instantiate { pub fn generate_key_pair( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], ) -> MLDSA87KeyPair { - let (signing_key, verification_key) = p::generate_key_pair::< - ROWS_IN_A, - COLUMNS_IN_A, - ROW_COLUMN, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - VERIFICATION_KEY_SIZE, - >(randomness); + let mut signing_key = [0u8; SIGNING_KEY_SIZE]; + let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; + p::generate_key_pair_v87(randomness, &mut signing_key, &mut verification_key); MLDSA87KeyPair { signing_key: MLDSASigningKey::new(signing_key), @@ -290,15 +283,13 @@ instantiate! {neon, ml_dsa_generic::instantiations::neon, "Neon Optimised ML-DSA /// This function returns an [`MLDSA87KeyPair`]. #[cfg(not(eurydice))] pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE]) -> MLDSA87KeyPair { - let (signing_key, verification_key) = ml_dsa_generic::multiplexing::generate_key_pair::< - ROWS_IN_A, - COLUMNS_IN_A, - ROW_COLUMN, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - VERIFICATION_KEY_SIZE, - >(randomness); + let mut signing_key = [0u8; SIGNING_KEY_SIZE]; + let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; + ml_dsa_generic::multiplexing::generate_key_pair_v87( + randomness, + &mut signing_key, + &mut verification_key, + ); MLDSA87KeyPair { signing_key: MLDSASigningKey::new(signing_key), diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 208899ed8..646b79904 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -25,6 +25,45 @@ pub(crate) mod instantiations; pub(crate) mod multiplexing; /// Generate a key pair. +#[libcrux_macros::consts( + // Key size specific constants + v44 { + const ROWS_IN_A: usize = 4; + const COLUMNS_IN_A: usize = 4; + const ETA: usize = 2; + const BITS_PER_ERROR_COEFFICIENT: usize = 3; + }, + v65 { + const ROWS_IN_A: usize = 6; + const COLUMNS_IN_A: usize = 5; + const ETA: usize = 4; + const BITS_PER_ERROR_COEFFICIENT: usize = 4; + }, + v87 { + const ROWS_IN_A: usize = 8; + const COLUMNS_IN_A: usize = 7; + const ETA: usize = 2; + const BITS_PER_ERROR_COEFFICIENT: usize = 3; + }, + + // Derived constants + derived { + const ROW_COLUMN: usize = ROWS_IN_A + COLUMNS_IN_A; + const ERROR_RING_ELEMENT_SIZE: usize = + (BITS_PER_ERROR_COEFFICIENT * COEFFICIENTS_IN_RING_ELEMENT) / 8; + const SIGNING_KEY_SIZE: usize = SEED_FOR_A_SIZE + + SEED_FOR_SIGNING_SIZE + + BYTES_FOR_VERIFICATION_KEY_HASH + + (ROWS_IN_A + COLUMNS_IN_A) * ERROR_RING_ELEMENT_SIZE + + ROWS_IN_A * RING_ELEMENT_OF_T0S_SIZE; + const VERIFICATION_KEY_SIZE: usize = SEED_FOR_A_SIZE + + (COEFFICIENTS_IN_RING_ELEMENT + * ROWS_IN_A + * (FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - BITS_IN_LOWER_PART_OF_T)) + / 8; + + } +)] #[inline(always)] pub(crate) fn generate_key_pair< SIMDUnit: Operations, @@ -33,16 +72,15 @@ pub(crate) fn generate_key_pair< Shake256: shake256::DsaXof, Shake256Xof: shake256::Xof, Shake256X4: shake256::XofX4, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROW_COLUMN: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, >( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], -) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { + signing_key: &mut [u8], + verification_key: &mut [u8], +) { + // Check key sizes + debug_assert!(signing_key.len() == SIGNING_KEY_SIZE); + debug_assert!(verification_key.len() == VERIFICATION_KEY_SIZE); + // 128 = SEED_FOR_A_SIZE + SEED_FOR_ERROR_VECTORS_SIZE + SEED_FOR_SIGNING_SIZE let mut seed_expanded = [0; 128]; { @@ -71,29 +109,27 @@ pub(crate) fn generate_key_pair< let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; power2round_vector::(&mut t0, &mut t1); - let verification_key_serialized = encoding::verification_key::generate_serialized::< - SIMDUnit, - ROWS_IN_A, - VERIFICATION_KEY_SIZE, - >(seed_for_a, t1); + encoding::verification_key::generate_serialized::( + seed_for_a, + t1, + verification_key, + ); - let signing_key_serialized = encoding::signing_key::generate_serialized::< + encoding::signing_key::generate_serialized::< SIMDUnit, Shake256, ROWS_IN_A, COLUMNS_IN_A, ETA, ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, >( seed_for_a, seed_for_signing, - &verification_key_serialized, + &verification_key, &s1_s2, t0, + signing_key, ); - - (signing_key_serialized, verification_key_serialized) } #[allow(non_snake_case)] diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index 5761756c6..ccf8ada03 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -9,32 +9,51 @@ macro_rules! instantiate { }; /// Generate key pair. - pub(crate) fn generate_key_pair< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROW_COLUMN: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - >( + pub(crate) fn generate_key_pair_v87( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { - crate::ml_dsa_generic::generate_key_pair::< + signing_key: &mut [u8], + verification_key: &mut [u8], + ) { + crate::ml_dsa_generic::generate_key_pair_v87::< $simdunit, $sampler, $shake128x4, $shake256, $shake256xof, $shake256x4, - ROWS_IN_A, - COLUMNS_IN_A, - ROW_COLUMN, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - VERIFICATION_KEY_SIZE, - >(randomness) + >(randomness, signing_key, verification_key) + } + + /// Generate key pair. + pub(crate) fn generate_key_pair_v65( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], + ) { + crate::ml_dsa_generic::generate_key_pair_v65::< + $simdunit, + $sampler, + $shake128x4, + $shake256, + $shake256xof, + $shake256x4, + >(randomness, signing_key, verification_key) + } + + /// Generate key pair. + pub(crate) fn generate_key_pair_v44( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], + ) { + crate::ml_dsa_generic::generate_key_pair_v44::< + $simdunit, + $sampler, + $shake128x4, + $shake256, + $shake256xof, + $shake256x4, + >(randomness, signing_key, verification_key) } /// Sign. diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index 25063cd60..c88a78b10 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -11,18 +11,12 @@ mod avx2_feature { /// Generate key pair. #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] - pub(super) unsafe fn generate_key_pair< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROW_COLUMN: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - >( + pub(super) unsafe fn generate_key_pair_v44( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { - crate::ml_dsa_generic::generate_key_pair::< + signing_key: &mut [u8], + verification_key: &mut [u8], + ) { + crate::ml_dsa_generic::generate_key_pair_v44::< crate::simd::avx2::AVX2SIMDUnit, crate::samplex4::avx2::AVX2Sampler, crate::hash_functions::simd256::Shake128x4, @@ -31,14 +25,47 @@ mod avx2_feature { // It doesn' make sense to do these in parallel. crate::hash_functions::portable::Shake256Xof, crate::hash_functions::simd256::Shake256x4, - ROWS_IN_A, - COLUMNS_IN_A, - ROW_COLUMN, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - VERIFICATION_KEY_SIZE, - >(randomness) + >(randomness, signing_key, verification_key) + } + + /// Generate key pair. + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + pub(super) unsafe fn generate_key_pair_v65( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], + ) { + crate::ml_dsa_generic::generate_key_pair_v65::< + crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, + crate::hash_functions::simd256::Shake256x4, + >(randomness, signing_key, verification_key) + } + + /// Generate key pair. + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + pub(super) unsafe fn generate_key_pair_v87( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], + ) { + crate::ml_dsa_generic::generate_key_pair_v87::< + crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, + crate::hash_functions::simd256::Shake256x4, + >(randomness, signing_key, verification_key) } /// Sign. @@ -345,28 +372,32 @@ mod avx2_feature { /// Generate key pair. #[allow(unsafe_code)] -pub(crate) fn generate_key_pair< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROW_COLUMN: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, ->( +pub(crate) fn generate_key_pair_v44( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], -) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { - unsafe { - avx2_feature::generate_key_pair::< - ROWS_IN_A, - COLUMNS_IN_A, - ROW_COLUMN, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - VERIFICATION_KEY_SIZE, - >(randomness) - } + signing_key: &mut [u8], + verification_key: &mut [u8], +) { + unsafe { avx2_feature::generate_key_pair_v44(randomness, signing_key, verification_key) } +} + +/// Generate key pair. +#[allow(unsafe_code)] +pub(crate) fn generate_key_pair_v65( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], +) { + unsafe { avx2_feature::generate_key_pair_v65(randomness, signing_key, verification_key) } +} + +/// Generate key pair. +#[allow(unsafe_code)] +pub(crate) fn generate_key_pair_v87( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], +) { + unsafe { avx2_feature::generate_key_pair_v87(randomness, signing_key, verification_key) } } /// Sign. diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs index 71930bae8..b48224351 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs @@ -7,7 +7,9 @@ use libcrux_platform; #[cfg(feature = "simd256")] use instantiations::avx2::{ - generate_key_pair as generate_key_pair_avx2, sign as sign_avx2, + generate_key_pair_v44 as generate_key_pair_v44_avx2, + generate_key_pair_v65 as generate_key_pair_v65_avx2, + generate_key_pair_v87 as generate_key_pair_v87_avx2, sign as sign_avx2, sign_pre_hashed_shake128 as sign_pre_hashed_shake128_avx2, verify as verify_avx2, verify_pre_hashed_shake128 as verify_pre_hashed_shake128_avx2, }; @@ -48,52 +50,52 @@ use instantiations::portable::{ #[cfg(not(feature = "simd128"))] use instantiations::portable::{ - generate_key_pair as generate_key_pair_neon, sign as sign_neon, + generate_key_pair_v44 as generate_key_pair_v44_neon, + generate_key_pair_v65 as generate_key_pair_v65_neon, + generate_key_pair_v87 as generate_key_pair_v87_neon, sign as sign_neon, sign_pre_hashed_shake128 as sign_pre_hashed_shake128_neon, verify as verify_neon, verify_pre_hashed_shake128 as verify_pre_hashed_shake128_neon, }; -pub(crate) fn generate_key_pair< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROW_COLUMN: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, ->( +pub(crate) fn generate_key_pair_v44( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], -) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { + signing_key: &mut [u8], + verification_key: &mut [u8], +) { if libcrux_platform::simd256_support() { - generate_key_pair_avx2::< - ROWS_IN_A, - COLUMNS_IN_A, - ROW_COLUMN, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - VERIFICATION_KEY_SIZE, - >(randomness) + generate_key_pair_v44_avx2(randomness, signing_key, verification_key); } else if libcrux_platform::simd128_support() { - generate_key_pair_neon::< - ROWS_IN_A, - COLUMNS_IN_A, - ROW_COLUMN, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - VERIFICATION_KEY_SIZE, - >(randomness) + generate_key_pair_v44_neon(randomness, signing_key, verification_key); } else { - instantiations::portable::generate_key_pair::< - ROWS_IN_A, - COLUMNS_IN_A, - ROW_COLUMN, - ETA, - ERROR_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - VERIFICATION_KEY_SIZE, - >(randomness) + instantiations::portable::generate_key_pair_v44(randomness, signing_key, verification_key); + } +} + +pub(crate) fn generate_key_pair_v65( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], +) { + if libcrux_platform::simd256_support() { + generate_key_pair_v65_avx2(randomness, signing_key, verification_key); + } else if libcrux_platform::simd128_support() { + generate_key_pair_v65_neon(randomness, signing_key, verification_key); + } else { + instantiations::portable::generate_key_pair_v65(randomness, signing_key, verification_key); + } +} + +pub(crate) fn generate_key_pair_v87( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], +) { + if libcrux_platform::simd256_support() { + generate_key_pair_v87_avx2(randomness, signing_key, verification_key); + } else if libcrux_platform::simd128_support() { + generate_key_pair_v87_neon(randomness, signing_key, verification_key); + } else { + instantiations::portable::generate_key_pair_v87(randomness, signing_key, verification_key); } } diff --git a/macros/src/lib.rs b/macros/src/lib.rs index bb3f4ea55..0228f0cfb 100644 --- a/macros/src/lib.rs +++ b/macros/src/lib.rs @@ -1,6 +1,11 @@ -//! This module contains code from HACL. +//! This is a collection of libcrux internal proc macros. use proc_macro::{Delimiter, TokenStream, TokenTree}; +use quote::quote; +use std::collections::HashMap; +use syn::{ + parse_macro_input, Ident, ItemFn, Stmt +}; fn skip_comma>(ts: &mut T) { match ts.next() { @@ -46,3 +51,76 @@ pub fn unroll_for(ts: TokenStream) -> TokenStream { TokenStream::from(brace(TokenStream::from_iter(chunks.into_iter().flatten()))) // "{ let i = 0; println!(\"FROM MACRO{}\", i); }".parse().unwrap() } + +#[proc_macro_attribute] +pub fn consts(args: TokenStream, item: TokenStream) -> TokenStream { + let ItemFn { + attrs, + vis, + sig, + block, + .. + } = parse_macro_input!(item as ItemFn); + + let mut variants_map: HashMap = HashMap::new(); + let mut derived_const_vec = Vec::new(); + + // Parse an attribute list of the type + // #[my_consts( + // v4x4{const X: usize = 4; const Y: usize = 4;}, + // v6x5{const X: usize = 5; const Y: usize = 6;}, + // derived { + // const Z: usize = X + Y; + // } + // )] + let parser = syn::meta::parser(|meta| { + let ident = meta.path.clone(); + + if ident.get_ident().unwrap().to_string() == "derived" { + let content; + syn::braced!(content in meta.input); + + while !content.is_empty() { + derived_const_vec.push(content.parse::().unwrap()); + } + + return Ok(()); + } + + let content; + syn::braced!(content in meta.input); + + let mut const_vec = Vec::new(); + while !content.is_empty() { + const_vec.push(content.parse::().unwrap()); + } + + variants_map.insert(quote! {#ident}.to_string(), const_vec); + Ok(()) + }); + parse_macro_input!(args with parser); + + let mut expanded = quote! {}; + + for (variant, consts) in variants_map.iter() { + // add the variant at the end of the function name + let mut this_sig = sig.clone(); + this_sig.ident = Ident::new( + &format!("{}_{}", this_sig.ident, variant), + this_sig.ident.span(), + ); + + let fun = quote! { + #(#attrs)* + #vis #this_sig { + #(#consts)* + #(#derived_const_vec)* + + #block + } + }; + expanded.extend(fun); + } + + expanded.into() +} From f03f73f3a68cda79e2683c30852df5fd108aa726 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 1 Jan 2025 15:30:29 +0000 Subject: [PATCH 23/58] wip --- libcrux-ml-dsa/src/constants.rs | 66 +++++++++++++++++++ libcrux-ml-dsa/src/encoding/error.rs | 4 +- libcrux-ml-dsa/src/encoding/signing_key.rs | 2 +- libcrux-ml-dsa/src/ml_dsa_generic.rs | 43 +++++------- .../src/ml_dsa_generic/instantiations.rs | 66 ++++++------------- libcrux-ml-dsa/src/samplex4.rs | 38 ++++++++++- 6 files changed, 145 insertions(+), 74 deletions(-) diff --git a/libcrux-ml-dsa/src/constants.rs b/libcrux-ml-dsa/src/constants.rs index 90810b72f..0d5cbe6e5 100644 --- a/libcrux-ml-dsa/src/constants.rs +++ b/libcrux-ml-dsa/src/constants.rs @@ -30,3 +30,69 @@ pub(crate) const REJECTION_SAMPLE_BOUND_SIGN: usize = 814; /// The length of `context` is serialized to a single `u8`. pub(crate) const CONTEXT_MAX_LEN: usize = 255; + +/// ML-DSA-44-specific parameters +#[cfg(feature = "mldsa44")] +pub(crate) mod v44 { + pub(crate) const ROWS_IN_A: usize = 4; + pub(crate) const COLUMNS_IN_A: usize = 4; + + pub(crate) const ETA: usize = 2; + + // To sample a value in the interval [-ETA, ETA], we can sample a value (say 'v') + // in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in + // 3 bits when ETA is 2. + pub(crate) const BITS_PER_ERROR_COEFFICIENT: usize = 3; +} + +/// ML-DSA-65-specific parameters +#[cfg(feature = "mldsa65")] +pub(crate) mod v65 { + pub(crate) const ROWS_IN_A: usize = 6; + pub(crate) const COLUMNS_IN_A: usize = 5; + + pub(crate) const ETA: usize = 4; + + // To sample a value in the interval [-ETA, ETA], we can sample a value (say 'v') + // in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in + // 4 bits when ETA is 4. + pub(crate) const BITS_PER_ERROR_COEFFICIENT: usize = 4; +} + +/// ML-DSA-87-specific parameters +#[cfg(feature = "mldsa87")] +pub(crate) mod v87 { + pub(crate) const ROWS_IN_A: usize = 8; + pub(crate) const COLUMNS_IN_A: usize = 7; + + pub(crate) const ETA: usize = 2; + + // To sample a value in the interval [-ETA, ETA], we can sample a value (say 'v') + // in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in + // 3 bits when ETA is 2. + pub(crate) const BITS_PER_ERROR_COEFFICIENT: usize = 3; +} + +pub(crate) const fn error_ring_element_size(bits_per_error_coefficient: usize) -> usize { + (bits_per_error_coefficient * COEFFICIENTS_IN_RING_ELEMENT) / 8 +} + +pub(crate) const fn signing_key_size( + rows_in_a: usize, + columns_in_a: usize, + error_ring_element_size: usize, +) -> usize { + SEED_FOR_A_SIZE + + SEED_FOR_SIGNING_SIZE + + BYTES_FOR_VERIFICATION_KEY_HASH + + (rows_in_a + columns_in_a) * error_ring_element_size + + rows_in_a * RING_ELEMENT_OF_T0S_SIZE +} + +pub(crate) const fn verification_key_size(rows_in_a: usize) -> usize { + SEED_FOR_A_SIZE + + (COEFFICIENTS_IN_RING_ELEMENT + * rows_in_a + * (FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - BITS_IN_LOWER_PART_OF_T)) + / 8 +} diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index 37b52a833..c4f82484c 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -3,9 +3,9 @@ use crate::{helper::cloop, ntt::ntt, polynomial::PolynomialRingElement, simd::traits::Operations}; #[inline(always)] -pub(crate) fn serialize( +pub(crate) fn serialize( re: &PolynomialRingElement, - serialized: &mut [u8], //OUTPUT_SIZE + serialized: &mut [u8], // OUTPUT_SIZE ) { let output_bytes_per_simd_unit = if ETA == 2 { 3 } else { 4 }; cloop! { diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs index b855d0991..b0e1e8242 100644 --- a/libcrux-ml-dsa/src/encoding/signing_key.rs +++ b/libcrux-ml-dsa/src/encoding/signing_key.rs @@ -44,7 +44,7 @@ pub(crate) fn generate_serialized< offset += BYTES_FOR_VERIFICATION_KEY_HASH; for i in 0..s1_2.len() { - encoding::error::serialize::( + encoding::error::serialize::( &s1_2[i], &mut signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE], ); diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 646b79904..752a94025 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -2,7 +2,7 @@ use crate::{ arithmetic::{ decompose_vector, make_hint, power2round_vector, use_hint, vector_infinity_norm_exceeds, }, - constants::*, + constants::{self, *}, encoding::{self, signature::Signature}, hash_functions::{shake128, shake256}, matrix::{ @@ -28,39 +28,32 @@ pub(crate) mod multiplexing; #[libcrux_macros::consts( // Key size specific constants v44 { - const ROWS_IN_A: usize = 4; - const COLUMNS_IN_A: usize = 4; - const ETA: usize = 2; - const BITS_PER_ERROR_COEFFICIENT: usize = 3; + const ROWS_IN_A: usize = constants::v44::ROWS_IN_A; + const COLUMNS_IN_A: usize = constants::v44::COLUMNS_IN_A; + const ETA: usize = constants::v44::ETA; + const BITS_PER_ERROR_COEFFICIENT: usize = constants::v44::BITS_PER_ERROR_COEFFICIENT; }, v65 { - const ROWS_IN_A: usize = 6; - const COLUMNS_IN_A: usize = 5; - const ETA: usize = 4; - const BITS_PER_ERROR_COEFFICIENT: usize = 4; + const ROWS_IN_A: usize = constants::v65::ROWS_IN_A; + const COLUMNS_IN_A: usize = constants::v65::COLUMNS_IN_A; + const ETA: usize = constants::v65::ETA; + const BITS_PER_ERROR_COEFFICIENT: usize = constants::v65::BITS_PER_ERROR_COEFFICIENT; }, v87 { - const ROWS_IN_A: usize = 8; - const COLUMNS_IN_A: usize = 7; - const ETA: usize = 2; - const BITS_PER_ERROR_COEFFICIENT: usize = 3; + const ROWS_IN_A: usize = constants::v87::ROWS_IN_A; + const COLUMNS_IN_A: usize = constants::v87::COLUMNS_IN_A; + const ETA: usize = constants::v87::ETA; + const BITS_PER_ERROR_COEFFICIENT: usize = constants::v87::BITS_PER_ERROR_COEFFICIENT; }, // Derived constants derived { const ROW_COLUMN: usize = ROWS_IN_A + COLUMNS_IN_A; - const ERROR_RING_ELEMENT_SIZE: usize = - (BITS_PER_ERROR_COEFFICIENT * COEFFICIENTS_IN_RING_ELEMENT) / 8; - const SIGNING_KEY_SIZE: usize = SEED_FOR_A_SIZE - + SEED_FOR_SIGNING_SIZE - + BYTES_FOR_VERIFICATION_KEY_HASH - + (ROWS_IN_A + COLUMNS_IN_A) * ERROR_RING_ELEMENT_SIZE - + ROWS_IN_A * RING_ELEMENT_OF_T0S_SIZE; - const VERIFICATION_KEY_SIZE: usize = SEED_FOR_A_SIZE - + (COEFFICIENTS_IN_RING_ELEMENT - * ROWS_IN_A - * (FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - BITS_IN_LOWER_PART_OF_T)) - / 8; + // const ROW_X_COLUMN: usize = ROWS_IN_A * COLUMNS_IN_A; + const ERROR_RING_ELEMENT_SIZE: usize = error_ring_element_size(BITS_PER_ERROR_COEFFICIENT); + const SIGNING_KEY_SIZE: usize = signing_key_size( + ROWS_IN_A, COLUMNS_IN_A, ERROR_RING_ELEMENT_SIZE); + const VERIFICATION_KEY_SIZE: usize = verification_key_size(ROWS_IN_A); } )] diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index ccf8ada03..371a54b74 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -8,53 +8,29 @@ macro_rules! instantiate { types::{SigningError, VerificationError}, }; - /// Generate key pair. - pub(crate) fn generate_key_pair_v87( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], - ) { - crate::ml_dsa_generic::generate_key_pair_v87::< - $simdunit, - $sampler, - $shake128x4, - $shake256, - $shake256xof, - $shake256x4, - >(randomness, signing_key, verification_key) + macro_rules! generate_key_pair { + ($name:ident) => { + /// Generate key pair. + pub(crate) fn $name( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], + ) { + crate::ml_dsa_generic::$name::< + $simdunit, + $sampler, + $shake128x4, + $shake256, + $shake256xof, + $shake256x4, + >(randomness, signing_key, verification_key) + } + }; } - /// Generate key pair. - pub(crate) fn generate_key_pair_v65( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], - ) { - crate::ml_dsa_generic::generate_key_pair_v65::< - $simdunit, - $sampler, - $shake128x4, - $shake256, - $shake256xof, - $shake256x4, - >(randomness, signing_key, verification_key) - } - - /// Generate key pair. - pub(crate) fn generate_key_pair_v44( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], - ) { - crate::ml_dsa_generic::generate_key_pair_v44::< - $simdunit, - $sampler, - $shake128x4, - $shake256, - $shake256xof, - $shake256x4, - >(randomness, signing_key, verification_key) - } + generate_key_pair!(generate_key_pair_v44); + generate_key_pair!(generate_key_pair_v65); + generate_key_pair!(generate_key_pair_v87); /// Sign. pub(crate) fn sign< diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index 64b1b9510..97f29383c 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -14,6 +14,42 @@ pub(crate) trait X4Sampler { ); } +#[inline(always)] +pub(crate) fn _matrix< + SIMDUnit: Operations, + Shake128: shake128::XofX4, + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ROW_X_COLUMN: usize, +>( + seed: &[u8], + matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], +) { + let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE]; + let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE]; + let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE]; + let mut rand_stack3 = [0u8; shake128::FIVE_BLOCKS_SIZE]; + let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]]; + + let mut x = 0; + let mut y = 0; + for _ in 0..ROW_X_COLUMN.div_ceil(4) { + sample_up_to_four_ring_elements::( + seed, + matrix, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + &[(x, y), (x + 1, y + 1), (x + 2, y + 2), (x + 3, y + 3)], + 4, + ); + x = ((x as usize + 4) % ROWS_IN_A) as u8; + y = ((y as usize + 4) % COLUMNS_IN_A) as u8; + } +} + #[inline(always)] #[cfg(feature = "mldsa44")] pub(crate) fn matrix_4_by_4< @@ -410,7 +446,7 @@ pub(crate) mod avx2 { seed: &[u8], matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], ) { - unsafe { matrix_avx2(seed, matrix) } + unsafe { matrix_avx2::(seed, matrix) } } } From f70ede996130bedcac3173197094949a5db8d563 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 1 Jan 2025 18:52:12 +0000 Subject: [PATCH 24/58] wip --- libcrux-ml-dsa/src/arithmetic.rs | 6 +-- libcrux-ml-dsa/src/encoding/error.rs | 44 ++++++++++++---- libcrux-ml-dsa/src/encoding/signing_key.rs | 22 ++++---- .../src/encoding/verification_key.rs | 4 +- libcrux-ml-dsa/src/ml_dsa_generic.rs | 23 ++++----- libcrux-ml-dsa/src/sample.rs | 51 +++++++++---------- libcrux-ml-dsa/src/samplex4.rs | 16 +++--- libcrux-ml-dsa/src/simd/avx2.rs | 10 ++-- .../src/simd/avx2/encoding/error.rs | 26 +++++----- .../avx2/rejection_sample/less_than_eta.rs | 4 +- libcrux-ml-dsa/src/simd/portable.rs | 10 ++-- .../src/simd/portable/encoding/error.rs | 25 ++++----- libcrux-ml-dsa/src/simd/traits.rs | 10 +++- 13 files changed, 137 insertions(+), 114 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index cfcd0b534..b39302a52 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -30,9 +30,9 @@ pub(crate) fn shift_left_then_reduce( } #[inline(always)] -pub(crate) fn power2round_vector( - t: &mut [PolynomialRingElement; DIMENSION], - t1: &mut [PolynomialRingElement; DIMENSION], +pub(crate) fn power2round_vector( + t: &mut [PolynomialRingElement], + t1: &mut [PolynomialRingElement], ) { for i in 0..t.len() { for j in 0..t[i].simd_units.len() { diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index c4f82484c..6cd11cd21 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -1,16 +1,23 @@ // Functions for serializing and deserializing an error ring element. -use crate::{helper::cloop, ntt::ntt, polynomial::PolynomialRingElement, simd::traits::Operations}; +use crate::{ + helper::cloop, + ntt::ntt, + polynomial::PolynomialRingElement, + simd::traits::{Eta, Operations}, +}; #[inline(always)] -pub(crate) fn serialize( +pub(crate) fn serialize( + eta: Eta, re: &PolynomialRingElement, serialized: &mut [u8], // OUTPUT_SIZE ) { - let output_bytes_per_simd_unit = if ETA == 2 { 3 } else { 4 }; + let output_bytes_per_simd_unit = chunk_size(eta); + cloop! { for (i, simd_unit) in re.simd_units.iter().enumerate() { - SIMDUnit::error_serialize::( + SIMDUnit::error_serialize(eta, simd_unit, &mut serialized[i * output_bytes_per_simd_unit..(i + 1) * output_bytes_per_simd_unit] ); @@ -20,14 +27,25 @@ pub(crate) fn serialize( } #[inline(always)] -fn deserialize( +fn chunk_size(eta: Eta) -> usize { + let output_bytes_per_simd_unit = match eta { + Eta::Two => 3, + Eta::Four => 4, + }; + output_bytes_per_simd_unit +} + +#[inline(always)] +fn deserialize( + eta: Eta, serialized: &[u8], result: &mut PolynomialRingElement, ) { - let chunk_size = if ETA == 2 { 3 } else { 4 }; + let chunk_size = chunk_size(eta); for i in 0..result.simd_units.len() { - SIMDUnit::error_deserialize::( + SIMDUnit::error_deserialize( + eta, &serialized[i * chunk_size..(i + 1) * chunk_size], &mut result.simd_units[i], ); @@ -45,9 +63,15 @@ pub(crate) fn deserialize_to_vector_then_ntt< serialized: &[u8], ring_elements: &mut [PolynomialRingElement; DIMENSION], ) { + let eta = match ETA { + 2 => Eta::Two, + 4 => Eta::Four, + _ => unreachable!(), + }; + cloop! { for (i, bytes) in serialized.chunks_exact(RING_ELEMENT_SIZE).enumerate() { - deserialize::(bytes, &mut ring_elements[i]); + deserialize::(eta, bytes, &mut ring_elements[i]); ntt(&mut ring_elements[i]); } } @@ -83,7 +107,7 @@ mod tests { ]; let mut deserialized = PolynomialRingElement::::zero(); - deserialize::(&serialized, &mut deserialized); + deserialize::(Eta::Two, &serialized, &mut deserialized); assert_eq!(deserialized.to_i32_array(), expected_coefficients); let serialized = [ @@ -111,7 +135,7 @@ mod tests { ]; let mut deserialized = PolynomialRingElement::::zero(); - deserialize::(&serialized, &mut deserialized); + deserialize::(Eta::Four, &serialized, &mut deserialized); assert_eq!(deserialized.to_i32_array(), expected_coefficients); } diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs index b0e1e8242..cdd948b37 100644 --- a/libcrux-ml-dsa/src/encoding/signing_key.rs +++ b/libcrux-ml-dsa/src/encoding/signing_key.rs @@ -7,23 +7,18 @@ use crate::{ hash_functions::shake256, helper::cloop, polynomial::PolynomialRingElement, - simd::traits::Operations, + simd::traits::{Eta, Operations}, }; #[inline(always)] -pub(crate) fn generate_serialized< - SIMDUnit: Operations, - Shake256: shake256::DsaXof, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, ->( +pub(crate) fn generate_serialized( + eta: Eta, + error_ring_element_size: usize, seed_matrix: &[u8], seed_signing: &[u8], verification_key: &[u8], s1_2: &[PolynomialRingElement], - t0: [PolynomialRingElement; ROWS_IN_A], + t0: &[PolynomialRingElement], signing_key_serialized: &mut [u8], ) { let mut offset = 0; @@ -44,11 +39,12 @@ pub(crate) fn generate_serialized< offset += BYTES_FOR_VERIFICATION_KEY_HASH; for i in 0..s1_2.len() { - encoding::error::serialize::( + encoding::error::serialize::( + eta, &s1_2[i], - &mut signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE], + &mut signing_key_serialized[offset..offset + error_ring_element_size], ); - offset += ERROR_RING_ELEMENT_SIZE; + offset += error_ring_element_size; } cloop! { diff --git a/libcrux-ml-dsa/src/encoding/verification_key.rs b/libcrux-ml-dsa/src/encoding/verification_key.rs index 7ba7f9321..878ae4aed 100644 --- a/libcrux-ml-dsa/src/encoding/verification_key.rs +++ b/libcrux-ml-dsa/src/encoding/verification_key.rs @@ -7,9 +7,9 @@ use crate::{ }; #[inline(always)] -pub(crate) fn generate_serialized( +pub(crate) fn generate_serialized( seed: &[u8], - t1: [PolynomialRingElement; ROWS_IN_A], + t1: &[PolynomialRingElement], verification_key_serialized: &mut [u8], ) { verification_key_serialized[0..SEED_FOR_A_SIZE].copy_from_slice(seed); diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 752a94025..9b0bfd533 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -14,7 +14,7 @@ use crate::{ pre_hash::{DomainSeparationContext, PreHash}, sample::{sample_challenge_ring_element, sample_mask_vector}, samplex4::{self, X4Sampler}, - simd::traits::Operations, + simd::traits::{Eta, Operations}, types::{SigningError, VerificationError}, MLDSASignature, }; @@ -30,19 +30,19 @@ pub(crate) mod multiplexing; v44 { const ROWS_IN_A: usize = constants::v44::ROWS_IN_A; const COLUMNS_IN_A: usize = constants::v44::COLUMNS_IN_A; - const ETA: usize = constants::v44::ETA; + const ETA: Eta = Eta::Two; // constants::v44::ETA; const BITS_PER_ERROR_COEFFICIENT: usize = constants::v44::BITS_PER_ERROR_COEFFICIENT; }, v65 { const ROWS_IN_A: usize = constants::v65::ROWS_IN_A; const COLUMNS_IN_A: usize = constants::v65::COLUMNS_IN_A; - const ETA: usize = constants::v65::ETA; + const ETA: Eta = Eta::Four; // constants::v65::ETA; const BITS_PER_ERROR_COEFFICIENT: usize = constants::v65::BITS_PER_ERROR_COEFFICIENT; }, v87 { const ROWS_IN_A: usize = constants::v87::ROWS_IN_A; const COLUMNS_IN_A: usize = constants::v87::COLUMNS_IN_A; - const ETA: usize = constants::v87::ETA; + const ETA: Eta = Eta::Two; // constants::v87::ETA; const BITS_PER_ERROR_COEFFICIENT: usize = constants::v87::BITS_PER_ERROR_COEFFICIENT; }, @@ -91,7 +91,8 @@ pub(crate) fn generate_key_pair< Sampler::matrix::(seed_for_a, &mut a_as_ntt); let mut s1_s2 = [PolynomialRingElement::::zero(); ROW_COLUMN]; - samplex4::sample_s1_and_s2::( + samplex4::sample_s1_and_s2::( + ETA, seed_for_error_vectors, &mut s1_s2, ); @@ -100,27 +101,25 @@ pub(crate) fn generate_key_pair< compute_as1_plus_s2::(&a_as_ntt, &s1_s2, &mut t0); let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; - power2round_vector::(&mut t0, &mut t1); + power2round_vector::(&mut t0, &mut t1); - encoding::verification_key::generate_serialized::( + encoding::verification_key::generate_serialized::( seed_for_a, - t1, + &t1, verification_key, ); encoding::signing_key::generate_serialized::< SIMDUnit, Shake256, - ROWS_IN_A, - COLUMNS_IN_A, + >( ETA, ERROR_RING_ELEMENT_SIZE, - >( seed_for_a, seed_for_signing, &verification_key, &s1_s2, - t0, + &t0, signing_key, ); } diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 4fd5e114f..0b10b5122 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -4,7 +4,7 @@ use crate::{ hash_functions::{shake128, shake256}, helper::cloop, polynomial::PolynomialRingElement, - simd::traits::Operations, + simd::traits::{Eta, Operations}, }; #[inline(always)] @@ -238,15 +238,15 @@ fn rejection_sample_less_than_eta_equals_4( done } #[inline(always)] -pub(crate) fn rejection_sample_less_than_eta( +pub(crate) fn rejection_sample_less_than_eta( + eta: Eta, randomness: &[u8], sampled: &mut usize, out: &mut [i32; 263], ) -> bool { - match ETA as u8 { - 2 => rejection_sample_less_than_eta_equals_2::(randomness, sampled, out), - 4 => rejection_sample_less_than_eta_equals_4::(randomness, sampled, out), - _ => unreachable!(), + match eta { + Eta::Two => rejection_sample_less_than_eta_equals_2::(randomness, sampled, out), + Eta::Four => rejection_sample_less_than_eta_equals_4::(randomness, sampled, out), } } @@ -261,20 +261,9 @@ pub(crate) fn add_error_domain_separator(slice: &[u8], domain_separator: u16) -> out } -// #[inline(always)] -// fn update_seed(mut seed: [u8; 66], domain_separator: &mut u16) -> [u8; 66] { -// seed[64] = *domain_separator as u8; -// seed[65] = (*domain_separator >> 8) as u8; -// *domain_separator += 1; -// seed -// } - #[inline(always)] -pub(crate) fn sample_four_error_ring_elements< - SIMDUnit: Operations, - Shake256: shake256::XofX4, - const ETA: usize, ->( +pub(crate) fn sample_four_error_ring_elements( + eta: Eta, seed: &[u8], start_index: u16, re: &mut [PolynomialRingElement], @@ -303,22 +292,26 @@ pub(crate) fn sample_four_error_ring_elements< let mut sampled2 = 0; let mut sampled3 = 0; - let mut done0 = rejection_sample_less_than_eta::( + let mut done0 = rejection_sample_less_than_eta::( + eta, &randomnesses.0, &mut sampled0, &mut out[0], ); - let mut done1 = rejection_sample_less_than_eta::( + let mut done1 = rejection_sample_less_than_eta::( + eta, &randomnesses.1, &mut sampled1, &mut out[1], ); - let mut done2 = rejection_sample_less_than_eta::( + let mut done2 = rejection_sample_less_than_eta::( + eta, &randomnesses.2, &mut sampled2, &mut out[2], ); - let mut done3 = rejection_sample_less_than_eta::( + let mut done3 = rejection_sample_less_than_eta::( + eta, &randomnesses.3, &mut sampled3, &mut out[3], @@ -328,28 +321,32 @@ pub(crate) fn sample_four_error_ring_elements< // Always sample another 4, but we only use it if we actually need it. let randomnesses = state.squeeze_next_block_x4(); if !done0 { - done0 = rejection_sample_less_than_eta::( + done0 = rejection_sample_less_than_eta::( + eta, &randomnesses.0, &mut sampled0, &mut out[0], ); } if !done1 { - done1 = rejection_sample_less_than_eta::( + done1 = rejection_sample_less_than_eta::( + eta, &randomnesses.1, &mut sampled1, &mut out[1], ); } if !done2 { - done2 = rejection_sample_less_than_eta::( + done2 = rejection_sample_less_than_eta::( + eta, &randomnesses.2, &mut sampled2, &mut out[2], ); } if !done3 { - done3 = rejection_sample_less_than_eta::( + done3 = rejection_sample_less_than_eta::( + eta, &randomnesses.3, &mut sampled3, &mut out[3], diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index 97f29383c..bed8912d6 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -2,7 +2,7 @@ use crate::{ hash_functions::{shake128, shake256}, polynomial::PolynomialRingElement, sample::{sample_four_error_ring_elements, sample_up_to_four_ring_elements}, - simd::traits::Operations, + simd::traits::{Eta, Operations}, }; /// The x4 sampling implementation that is selected during multiplexing. @@ -508,16 +508,12 @@ pub(crate) fn matrix_generic< } #[inline(always)] -pub(crate) fn sample_s1_and_s2< - SIMDUnit: Operations, - Shake256X4: shake256::XofX4, - const ETA: usize, - const ROW_COLUMN: usize, ->( +pub(crate) fn sample_s1_and_s2( + eta: Eta, seed: &[u8], - s1_s2: &mut [PolynomialRingElement; ROW_COLUMN], + s1_s2: &mut [PolynomialRingElement], ) { - for i in 0..ROW_COLUMN.div_ceil(4) { - sample_four_error_ring_elements::(seed, 4 * i as u16, s1_s2); + for i in 0..s1_s2.len().div_ceil(4) { + sample_four_error_ring_elements::(eta, seed, 4 * i as u16, s1_s2); } } diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 8c16fada8..4809c75bd 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -9,6 +9,8 @@ mod vector_type; pub(crate) use vector_type::{AVX2RingElement, AVX2SIMDUnit}; +use super::traits::Eta; + impl Operations for AVX2SIMDUnit { type Coefficient = vector_type::Vec256; @@ -116,13 +118,13 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn error_serialize(simd_unit: &Self::Coefficient, serialized: &mut [u8]) { - encoding::error::serialize::(simd_unit, serialized) + fn error_serialize(eta: Eta, simd_unit: &Self::Coefficient, serialized: &mut [u8]) { + encoding::error::serialize(eta, simd_unit, serialized) } #[inline(always)] - fn error_deserialize(serialized: &[u8], out: &mut Self::Coefficient) { - encoding::error::deserialize::(serialized, out); + fn error_deserialize(eta: Eta, serialized: &[u8], out: &mut Self::Coefficient) { + encoding::error::deserialize(eta, serialized, out); } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs index eb26e5338..54c59e20d 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs @@ -1,5 +1,7 @@ use libcrux_intrinsics::avx2::*; +use crate::simd::avx2::Eta; + #[inline(always)] fn serialize_when_eta_is_2(simd_unit: &Vec256, out: &mut [u8]) { let mut serialized = [0u8; 16]; @@ -66,11 +68,10 @@ fn serialize_when_eta_is_4(simd_unit: &Vec256, out: &mut [u8]) { } #[inline(always)] -pub fn serialize(simd_unit: &Vec256, serialized: &mut [u8]) { - match ETA as u8 { - 2 => serialize_when_eta_is_2(simd_unit, serialized), - 4 => serialize_when_eta_is_4(simd_unit, serialized), - _ => unreachable!(), +pub fn serialize(eta: Eta, simd_unit: &Vec256, serialized: &mut [u8]) { + match eta { + Eta::Two => serialize_when_eta_is_2(simd_unit, serialized), + Eta::Four => serialize_when_eta_is_4(simd_unit, serialized), } } @@ -120,17 +121,16 @@ fn deserialize_to_unsigned_when_eta_is_4(bytes: &[u8]) -> Vec256 { mm256_and_si256(coefficients, mm256_set1_epi32(COEFFICIENT_MASK)) } #[inline(always)] -pub(crate) fn deserialize_to_unsigned(serialized: &[u8]) -> Vec256 { - match ETA as u8 { - 2 => deserialize_to_unsigned_when_eta_is_2(serialized), - 4 => deserialize_to_unsigned_when_eta_is_4(serialized), - _ => unreachable!(), +pub(crate) fn deserialize_to_unsigned(eta: Eta, serialized: &[u8]) -> Vec256 { + match eta { + Eta::Two => deserialize_to_unsigned_when_eta_is_2(serialized), + Eta::Four => deserialize_to_unsigned_when_eta_is_4(serialized), } } #[inline(always)] -pub(crate) fn deserialize(serialized: &[u8], out: &mut Vec256) { - let unsigned = deserialize_to_unsigned::(serialized); +pub(crate) fn deserialize(eta: Eta, serialized: &[u8], out: &mut Vec256) { + let unsigned = deserialize_to_unsigned(eta, serialized); - *out = mm256_sub_epi32(mm256_set1_epi32(ETA as i32), unsigned); + *out = mm256_sub_epi32(mm256_set1_epi32(eta as i32), unsigned); } diff --git a/libcrux-ml-dsa/src/simd/avx2/rejection_sample/less_than_eta.rs b/libcrux-ml-dsa/src/simd/avx2/rejection_sample/less_than_eta.rs index 052a6b855..db83d8b62 100644 --- a/libcrux-ml-dsa/src/simd/avx2/rejection_sample/less_than_eta.rs +++ b/libcrux-ml-dsa/src/simd/avx2/rejection_sample/less_than_eta.rs @@ -1,4 +1,4 @@ -use crate::simd::avx2::{encoding, rejection_sample::shuffle_table::SHUFFLE_TABLE}; +use crate::simd::avx2::{encoding, rejection_sample::shuffle_table::SHUFFLE_TABLE, Eta}; use libcrux_intrinsics::avx2::*; @@ -27,7 +27,7 @@ fn shift_interval(coefficients: Vec256) -> Vec256 { pub(crate) fn sample(input: &[u8], output: &mut [i32]) -> usize { // Whether or not ETA is 2 or 4, we always split the input bytestream into // values that are 4-bits wide. - let potential_coefficients = encoding::error::deserialize_to_unsigned::<4>(input); + let potential_coefficients = encoding::error::deserialize_to_unsigned(Eta::Four, input); let interval_boundary: i32 = match ETA as u8 { 2 => 15, diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 393d78785..659ad2361 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -12,6 +12,8 @@ mod sample; use vector_type::Coefficients; pub(crate) use vector_type::PortableSIMDUnit; +use super::traits::Eta; + impl Operations for PortableSIMDUnit { type Coefficient = Coefficients; @@ -98,12 +100,12 @@ impl Operations for PortableSIMDUnit { encoding::commitment::serialize(simd_unit, serialized) } - fn error_serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { - encoding::error::serialize::(simd_unit, serialized) + fn error_serialize(eta: Eta, simd_unit: &Coefficients, serialized: &mut [u8]) { + encoding::error::serialize(eta, simd_unit, serialized) } - fn error_deserialize(serialized: &[u8], out: &mut Coefficients) { - encoding::error::deserialize::(serialized, out); + fn error_deserialize(eta: Eta, serialized: &[u8], out: &mut Coefficients) { + encoding::error::deserialize(eta, serialized, out); } fn t0_serialize(simd_unit: &Coefficients, out: &mut [u8]) { diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index 34320e662..f69e08891 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -1,9 +1,12 @@ -use crate::{helper::cloop, simd::portable::vector_type::Coefficients}; +use crate::{ + helper::cloop, + simd::{portable::vector_type::Coefficients, traits::Eta}, +}; #[inline(always)] fn serialize_when_eta_is_2(simd_unit: &Coefficients, serialized: &mut [u8]) { debug_assert!(serialized.len() == 3); - + const ETA: i32 = 2; let coefficient0 = (ETA - simd_unit[0]) as u8; @@ -37,11 +40,10 @@ fn serialize_when_eta_is_4(simd_unit: &Coefficients, serialized: &mut [u8]) { } #[inline(always)] -pub(crate) fn serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { - match ETA as u8 { - 2 => serialize_when_eta_is_2(simd_unit, serialized), - 4 => serialize_when_eta_is_4(simd_unit, serialized), - _ => unreachable!(), +pub(crate) fn serialize(eta: Eta, simd_unit: &Coefficients, serialized: &mut [u8]) { + match eta { + Eta::Two => serialize_when_eta_is_2(simd_unit, serialized), + Eta::Four => serialize_when_eta_is_4(simd_unit, serialized), } } @@ -79,10 +81,9 @@ fn deserialize_when_eta_is_4(serialized: &[u8], simd_units: &mut Coefficients) { } } #[inline(always)] -pub(crate) fn deserialize(serialized: &[u8], out: &mut Coefficients) { - match ETA as u8 { - 2 => deserialize_when_eta_is_2(serialized, out), - 4 => deserialize_when_eta_is_4(serialized, out), - _ => unreachable!(), +pub(crate) fn deserialize(eta: Eta, serialized: &[u8], out: &mut Coefficients) { + match eta { + Eta::Two => deserialize_when_eta_is_2(serialized, out), + Eta::Four => deserialize_when_eta_is_4(serialized, out), } } diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index c467a932d..c09d2e485 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -14,6 +14,12 @@ pub const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58_728_449; /// We use 'fer' as a shorthand for this type. pub(crate) type FieldElementTimesMontgomeryR = i32; +#[derive(Debug, Clone, Copy, PartialEq, Eq)] +pub(crate) enum Eta { + Two = 2, + Four = 4, +} + pub(crate) trait Operations: Copy + Clone { type Coefficient: Copy; // XXX: make generic? drop copy? @@ -76,8 +82,8 @@ pub(crate) trait Operations: Copy + Clone { fn commitment_serialize(simd_unit: &Self::Coefficient, serialized: &mut [u8]); // Error - fn error_serialize(simd_unit: &Self::Coefficient, serialized: &mut [u8]); - fn error_deserialize(serialized: &[u8], out: &mut Self::Coefficient); + fn error_serialize(eta: Eta, simd_unit: &Self::Coefficient, serialized: &mut [u8]); + fn error_deserialize(eta: Eta, serialized: &[u8], out: &mut Self::Coefficient); // t0 fn t0_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]); // out len 13 From 6d0b1f133f870604514eff208ff1b25f627c9136 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 1 Jan 2025 20:25:19 +0000 Subject: [PATCH 25/58] flat matrix; perf regresion --- libcrux-ml-dsa/src/constants.rs | 19 +- libcrux-ml-dsa/src/encoding/error.rs | 6 +- libcrux-ml-dsa/src/encoding/signing_key.rs | 4 +- libcrux-ml-dsa/src/matrix.rs | 119 ++--- libcrux-ml-dsa/src/ml_dsa_generic.rs | 43 +- libcrux-ml-dsa/src/sample.rs | 44 +- libcrux-ml-dsa/src/samplex4.rs | 496 ++---------------- libcrux-ml-dsa/src/simd/avx2.rs | 4 +- libcrux-ml-dsa/src/simd/portable.rs | 4 +- .../src/simd/portable/encoding/error.rs | 5 +- libcrux-ml-dsa/src/simd/traits.rs | 8 +- 11 files changed, 166 insertions(+), 586 deletions(-) diff --git a/libcrux-ml-dsa/src/constants.rs b/libcrux-ml-dsa/src/constants.rs index 0d5cbe6e5..04f8de619 100644 --- a/libcrux-ml-dsa/src/constants.rs +++ b/libcrux-ml-dsa/src/constants.rs @@ -31,13 +31,22 @@ pub(crate) const REJECTION_SAMPLE_BOUND_SIGN: usize = 814; /// The length of `context` is serialized to a single `u8`. pub(crate) const CONTEXT_MAX_LEN: usize = 255; +/// Eta values +#[derive(Debug, Clone, Copy, PartialEq, Eq)] +pub(crate) enum Eta { + Two = 2, + Four = 4, +} + /// ML-DSA-44-specific parameters #[cfg(feature = "mldsa44")] pub(crate) mod v44 { + use super::Eta; + pub(crate) const ROWS_IN_A: usize = 4; pub(crate) const COLUMNS_IN_A: usize = 4; - pub(crate) const ETA: usize = 2; + pub(crate) const ETA: Eta = Eta::Two; // To sample a value in the interval [-ETA, ETA], we can sample a value (say 'v') // in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in @@ -48,10 +57,12 @@ pub(crate) mod v44 { /// ML-DSA-65-specific parameters #[cfg(feature = "mldsa65")] pub(crate) mod v65 { + use super::Eta; + pub(crate) const ROWS_IN_A: usize = 6; pub(crate) const COLUMNS_IN_A: usize = 5; - pub(crate) const ETA: usize = 4; + pub(crate) const ETA: Eta = Eta::Four; // To sample a value in the interval [-ETA, ETA], we can sample a value (say 'v') // in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in @@ -62,10 +73,12 @@ pub(crate) mod v65 { /// ML-DSA-87-specific parameters #[cfg(feature = "mldsa87")] pub(crate) mod v87 { + use super::Eta; + pub(crate) const ROWS_IN_A: usize = 8; pub(crate) const COLUMNS_IN_A: usize = 7; - pub(crate) const ETA: usize = 2; + pub(crate) const ETA: Eta = Eta::Two; // To sample a value in the interval [-ETA, ETA], we can sample a value (say 'v') // in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index 6cd11cd21..e6b415c98 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -1,10 +1,8 @@ // Functions for serializing and deserializing an error ring element. use crate::{ - helper::cloop, - ntt::ntt, - polynomial::PolynomialRingElement, - simd::traits::{Eta, Operations}, + constants::Eta, helper::cloop, ntt::ntt, polynomial::PolynomialRingElement, + simd::traits::Operations, }; #[inline(always)] diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs index cdd948b37..d1bfc1f68 100644 --- a/libcrux-ml-dsa/src/encoding/signing_key.rs +++ b/libcrux-ml-dsa/src/encoding/signing_key.rs @@ -1,13 +1,13 @@ use crate::{ constants::{ - BYTES_FOR_VERIFICATION_KEY_HASH, RING_ELEMENT_OF_T0S_SIZE, SEED_FOR_A_SIZE, + Eta, BYTES_FOR_VERIFICATION_KEY_HASH, RING_ELEMENT_OF_T0S_SIZE, SEED_FOR_A_SIZE, SEED_FOR_SIGNING_SIZE, }, encoding, hash_functions::shake256, helper::cloop, polynomial::PolynomialRingElement, - simd::traits::{Eta, Operations}, + simd::traits::Operations, }; #[inline(always)] diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index 486557cce..cf247d517 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -1,33 +1,23 @@ use crate::{ arithmetic::shift_left_then_reduce, constants::BITS_IN_LOWER_PART_OF_T, - helper::cloop, ntt::{invert_ntt_montgomery, ntt, ntt_multiply_montgomery}, polynomial::PolynomialRingElement, simd::traits::Operations, }; /// Compute InvertNTT(Â ◦ ŝ₁) + s₂ -pub(crate) fn compute_as1_plus_s2< - SIMDUnit: Operations, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, ->( - a_as_ntt: &[[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], +pub(crate) fn compute_as1_plus_s2( + rows_in_a: usize, + columns_in_a: usize, + a_as_ntt: &[PolynomialRingElement], + s1_ntt: &[PolynomialRingElement], s1_s2: &[PolynomialRingElement], - result: &mut [PolynomialRingElement; ROWS_IN_A], + result: &mut [PolynomialRingElement], ) { - // XXX: Make this better - let mut s1_ntt = [PolynomialRingElement::::zero(); COLUMNS_IN_A]; - for i in 0..s1_ntt.len() { - s1_ntt[i] = s1_s2[i]; - ntt(&mut s1_ntt[i]); - } - - for i in 0..ROWS_IN_A { - for j in 0..COLUMNS_IN_A { - // XXX: Make this better - let mut product = a_as_ntt[i][j]; + for i in 0..rows_in_a { + for j in 0..columns_in_a { + let mut product = a_as_ntt[i * columns_in_a + j]; ntt_multiply_montgomery::(&mut product, &s1_ntt[j]); PolynomialRingElement::add(&mut result[i], &product); } @@ -35,40 +25,26 @@ pub(crate) fn compute_as1_plus_s2< for i in 0..result.len() { invert_ntt_montgomery::(&mut result[i]); - PolynomialRingElement::add(&mut result[i], &s1_s2[COLUMNS_IN_A + i]); + PolynomialRingElement::add(&mut result[i], &s1_s2[columns_in_a + i]); } } /// Compute InvertNTT(Â ◦ ŷ) #[inline(always)] -pub(crate) fn compute_matrix_x_mask< - SIMDUnit: Operations, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, ->( - matrix: &[[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], - mask: &[PolynomialRingElement; COLUMNS_IN_A], - result: &mut [PolynomialRingElement; ROWS_IN_A], +pub(crate) fn compute_matrix_x_mask( + rows_in_a: usize, + columns_in_a: usize, + matrix: &[PolynomialRingElement], + mask: &[PolynomialRingElement], + result: &mut [PolynomialRingElement], ) { - // XXX: Make this better - let mut mask_ntt = mask.clone(); - for i in 0..mask_ntt.len() { - ntt(&mut mask_ntt[i]); - } - - cloop! { - for (i, row) in matrix.iter().enumerate() { - cloop! { - for (j, ring_element) in row.iter().enumerate() { - // XXX: Make this better - let mut product = mask_ntt[j]; - ntt_multiply_montgomery(&mut product, &ring_element); - PolynomialRingElement::::add(&mut result[i], &product); - } - } - - invert_ntt_montgomery(&mut result[i]); + for i in 0..rows_in_a { + for j in 0..columns_in_a { + let mut product = mask[j]; + ntt_multiply_montgomery(&mut product, &matrix[i * columns_in_a + j]); + PolynomialRingElement::::add(&mut result[i], &product); } + invert_ntt_montgomery(&mut result[i]); } } @@ -105,40 +81,27 @@ pub(crate) fn subtract_vectors( /// Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) #[inline(always)] -pub(crate) fn compute_w_approx< - SIMDUnit: Operations, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, ->( - matrix: &[[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], - signer_response: &[PolynomialRingElement; COLUMNS_IN_A], +pub(crate) fn compute_w_approx( + rows_in_a: usize, + columns_in_a: usize, + matrix: &[PolynomialRingElement], + signer_response: &[PolynomialRingElement], verifier_challenge_as_ntt: &PolynomialRingElement, - t1: &mut [PolynomialRingElement; ROWS_IN_A], + t1: &mut [PolynomialRingElement], ) { - // let mut signer_response = signer_response.clone(); - // // Move signer response into NTT - // for i in 0..signer_response.len() { - // ntt(&mut signer_response[i]); - // } - - cloop! { - for (i, row) in matrix.iter().enumerate() { - let mut inner_result = PolynomialRingElement::::zero(); - cloop! { - for (j, ring_element) in row.iter().enumerate() { - // XXX: make nicer - let mut product = ring_element.clone(); - ntt_multiply_montgomery(&mut product, &signer_response[j]); - PolynomialRingElement::::add(&mut inner_result, &product); - } - } - - shift_left_then_reduce::(&mut t1[i]); - ntt(&mut t1[i]); - ntt_multiply_montgomery(&mut t1[i], verifier_challenge_as_ntt); - PolynomialRingElement::::subtract(&mut inner_result, &t1[i]); - t1[i] = inner_result; - invert_ntt_montgomery(&mut t1[i]); + for i in 0..rows_in_a { + let mut inner_result = PolynomialRingElement::::zero(); + for j in 0..columns_in_a { + let mut product = matrix[i * columns_in_a + j]; + ntt_multiply_montgomery(&mut product, &signer_response[j]); + PolynomialRingElement::::add(&mut inner_result, &product); } + + shift_left_then_reduce::(&mut t1[i]); + ntt(&mut t1[i]); + ntt_multiply_montgomery(&mut t1[i], verifier_challenge_as_ntt); + PolynomialRingElement::::subtract(&mut inner_result, &t1[i]); + t1[i] = inner_result; + invert_ntt_montgomery(&mut t1[i]); } } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 9b0bfd533..dbdc43c1b 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -14,7 +14,7 @@ use crate::{ pre_hash::{DomainSeparationContext, PreHash}, sample::{sample_challenge_ring_element, sample_mask_vector}, samplex4::{self, X4Sampler}, - simd::traits::{Eta, Operations}, + simd::traits::Operations, types::{SigningError, VerificationError}, MLDSASignature, }; @@ -30,26 +30,26 @@ pub(crate) mod multiplexing; v44 { const ROWS_IN_A: usize = constants::v44::ROWS_IN_A; const COLUMNS_IN_A: usize = constants::v44::COLUMNS_IN_A; - const ETA: Eta = Eta::Two; // constants::v44::ETA; + const ETA: Eta = constants::v44::ETA; const BITS_PER_ERROR_COEFFICIENT: usize = constants::v44::BITS_PER_ERROR_COEFFICIENT; }, v65 { const ROWS_IN_A: usize = constants::v65::ROWS_IN_A; const COLUMNS_IN_A: usize = constants::v65::COLUMNS_IN_A; - const ETA: Eta = Eta::Four; // constants::v65::ETA; + const ETA: Eta = constants::v65::ETA; const BITS_PER_ERROR_COEFFICIENT: usize = constants::v65::BITS_PER_ERROR_COEFFICIENT; }, v87 { const ROWS_IN_A: usize = constants::v87::ROWS_IN_A; const COLUMNS_IN_A: usize = constants::v87::COLUMNS_IN_A; - const ETA: Eta = Eta::Two; // constants::v87::ETA; + const ETA: Eta = constants::v87::ETA; const BITS_PER_ERROR_COEFFICIENT: usize = constants::v87::BITS_PER_ERROR_COEFFICIENT; }, // Derived constants derived { const ROW_COLUMN: usize = ROWS_IN_A + COLUMNS_IN_A; - // const ROW_X_COLUMN: usize = ROWS_IN_A * COLUMNS_IN_A; + const ROW_X_COLUMN: usize = ROWS_IN_A * COLUMNS_IN_A; const ERROR_RING_ELEMENT_SIZE: usize = error_ring_element_size(BITS_PER_ERROR_COEFFICIENT); const SIGNING_KEY_SIZE: usize = signing_key_size( ROWS_IN_A, COLUMNS_IN_A, ERROR_RING_ELEMENT_SIZE); @@ -87,8 +87,8 @@ pub(crate) fn generate_key_pair< let (seed_for_error_vectors, seed_for_signing) = seed_expanded.split_at(SEED_FOR_ERROR_VECTORS_SIZE); - let mut a_as_ntt = [[PolynomialRingElement::::zero(); COLUMNS_IN_A]; ROWS_IN_A]; - Sampler::matrix::(seed_for_a, &mut a_as_ntt); + let mut a_as_ntt = [PolynomialRingElement::::zero(); ROW_X_COLUMN]; + Sampler::matrix_flat::(ROWS_IN_A, COLUMNS_IN_A, seed_for_a, &mut a_as_ntt); let mut s1_s2 = [PolynomialRingElement::::zero(); ROW_COLUMN]; samplex4::sample_s1_and_s2::( @@ -98,7 +98,14 @@ pub(crate) fn generate_key_pair< ); let mut t0 = [PolynomialRingElement::::zero(); ROWS_IN_A]; - compute_as1_plus_s2::(&a_as_ntt, &s1_s2, &mut t0); + { + let mut s1_ntt = [PolynomialRingElement::::zero(); COLUMNS_IN_A]; + s1_ntt.copy_from_slice(&s1_s2[0..COLUMNS_IN_A]); + for i in 0..s1_ntt.len() { + ntt(&mut s1_ntt[i]); + } + compute_as1_plus_s2::( ROWS_IN_A, COLUMNS_IN_A, &a_as_ntt,&s1_ntt, &s1_s2, &mut t0); + } let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; power2round_vector::(&mut t0, &mut t1); @@ -323,8 +330,8 @@ pub(crate) fn sign_internal< ); // Sample matrix A. - let mut matrix = [[PolynomialRingElement::::zero(); COLUMNS_IN_A]; ROWS_IN_A]; - Sampler::matrix::(&seed_for_a, &mut matrix); + let mut matrix = [PolynomialRingElement::::zero(); 56]; // FIXME + Sampler::matrix_flat::(ROWS_IN_A, COLUMNS_IN_A, &seed_for_a, &mut matrix); let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; derive_message_representative::( @@ -375,9 +382,15 @@ pub(crate) fn sign_internal< { let mut a_x_mask = [PolynomialRingElement::zero(); ROWS_IN_A]; - compute_matrix_x_mask::( + let mut mask_ntt = mask.clone(); + for i in 0..mask_ntt.len() { + ntt(&mut mask_ntt[i]); + } + compute_matrix_x_mask::( + ROWS_IN_A, + COLUMNS_IN_A, &matrix, - &mask, + &mask_ntt, &mut a_x_mask, ); decompose_vector::(&a_x_mask, &mut w0, &mut commitment); @@ -604,8 +617,8 @@ pub(crate) fn verify_internal< ) { return Err(VerificationError::SignerResponseExceedsBoundError); } - let mut matrix = [[PolynomialRingElement::::zero(); COLUMNS_IN_A]; ROWS_IN_A]; - Sampler::matrix::(&seed_for_a, &mut matrix); + let mut matrix = [PolynomialRingElement::::zero(); 56]; // FIXME + Sampler::matrix_flat::(ROWS_IN_A, COLUMNS_IN_A, &seed_for_a, &mut matrix); let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; Shake256::shake256::( @@ -633,7 +646,7 @@ pub(crate) fn verify_internal< for i in 0..signature.signer_response.len() { ntt(&mut signature.signer_response[i]); } - compute_w_approx::( + compute_w_approx::(ROWS_IN_A, COLUMNS_IN_A, &matrix, &signature.signer_response, &verifier_challenge, diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 0b10b5122..28e979de2 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -1,10 +1,10 @@ use crate::{ - constants::COEFFICIENTS_IN_RING_ELEMENT, + constants::{Eta, COEFFICIENTS_IN_RING_ELEMENT}, encoding, hash_functions::{shake128, shake256}, helper::cloop, polynomial::PolynomialRingElement, - simd::traits::{Eta, Operations}, + simd::traits::Operations, }; #[inline(always)] @@ -39,21 +39,6 @@ fn generate_domain_separator((row, column): (u8, u8)) -> u16 { (column as u16) | ((row as u16) << 8) } -pub(crate) type Matrix = - [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A]; - -// Doing deep updates like `a[1][1] = 3` causes a memory blowup in F* -// https://github.com/hacspec/hax/issues/1098 -// So we are instead using a matrix abstraction with a custom update function here. -fn update_matrix( - m: &mut Matrix, - i: usize, - j: usize, - v: PolynomialRingElement, -) { - m[i][j] = v; -} - #[inline(always)] pub(crate) fn add_domain_separator(slice: &[u8], indices: (u8, u8)) -> [u8; 34] { let mut out = [0u8; 34]; @@ -76,29 +61,33 @@ pub(crate) fn add_domain_separator(slice: &[u8], indices: (u8, u8)) -> [u8; 34] /// provided index in `indices[i]`. /// `rand_stack` is a working buffer that holds initial Shake output. #[inline(always)] -pub(crate) fn sample_up_to_four_ring_elements< +pub(crate) fn sample_up_to_four_ring_elements_flat< SIMDUnit: Operations, Shake128: shake128::XofX4, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, >( + rows: usize, + columns: usize, seed: &[u8], - matrix: &mut Matrix, + matrix: &mut [PolynomialRingElement], rand_stack0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], rand_stack1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], rand_stack2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], rand_stack3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], tmp_stack: &mut [[i32; 263]], - indices: &[(u8, u8); 4], + start_index: usize, elements_requested: usize, ) { debug_assert!(elements_requested <= 4); // Prepare the seeds - let seed0 = add_domain_separator(seed, indices[0]); - let seed1 = add_domain_separator(seed, indices[1]); - let seed2 = add_domain_separator(seed, indices[2]); - let seed3 = add_domain_separator(seed, indices[3]); + fn xy(index: usize, width: usize) -> (u8, u8) { + ((index / width) as u8, (index % width) as u8) + } + + let seed0 = add_domain_separator(seed, xy(start_index, columns)); + let seed1 = add_domain_separator(seed, xy(start_index + 1, columns)); + let seed2 = add_domain_separator(seed, xy(start_index + 2, columns)); + let seed3 = add_domain_separator(seed, xy(start_index + 3, columns)); let mut state = Shake128::init_absorb(&seed0, &seed1, &seed2, &seed3); @@ -171,10 +160,9 @@ pub(crate) fn sample_up_to_four_ring_elements< } for k in 0..elements_requested { - let (i, j) = indices[k]; PolynomialRingElement::::from_i32_array( &tmp_stack[k], - &mut matrix[i as usize][j as usize], + &mut matrix[start_index + k], ); } diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index bed8912d6..daa575803 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -1,29 +1,28 @@ use crate::{ + constants::Eta, hash_functions::{shake128, shake256}, polynomial::PolynomialRingElement, - sample::{sample_four_error_ring_elements, sample_up_to_four_ring_elements}, - simd::traits::{Eta, Operations}, + sample::{sample_four_error_ring_elements, sample_up_to_four_ring_elements_flat}, + simd::traits::Operations, }; /// The x4 sampling implementation that is selected during multiplexing. pub(crate) trait X4Sampler { /// Sample the matrix A using platform specific implementation. - fn matrix( + fn matrix_flat( + rows: usize, + columns: usize, seed: &[u8], - matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + matrix: &mut [PolynomialRingElement], ); } #[inline(always)] -pub(crate) fn _matrix< - SIMDUnit: Operations, - Shake128: shake128::XofX4, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROW_X_COLUMN: usize, ->( +pub(crate) fn matrix_flat( + rows: usize, + columns: usize, seed: &[u8], - matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + matrix: &mut [PolynomialRingElement], ) { let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE]; let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE]; @@ -31,10 +30,15 @@ pub(crate) fn _matrix< let mut rand_stack3 = [0u8; shake128::FIVE_BLOCKS_SIZE]; let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]]; - let mut x = 0; - let mut y = 0; - for _ in 0..ROW_X_COLUMN.div_ceil(4) { - sample_up_to_four_ring_elements::( + for start_index in (0..matrix.len()).step_by(4) { + let elements_requested = if start_index + 4 <= matrix.len() { + 4 + } else { + matrix.len() - start_index + }; + sample_up_to_four_ring_elements_flat::( + rows, + columns, seed, matrix, &mut rand_stack0, @@ -42,378 +46,32 @@ pub(crate) fn _matrix< &mut rand_stack2, &mut rand_stack3, &mut tmp_stack, - &[(x, y), (x + 1, y + 1), (x + 2, y + 2), (x + 3, y + 3)], - 4, + start_index, + elements_requested, ); - x = ((x as usize + 4) % ROWS_IN_A) as u8; - y = ((y as usize + 4) % COLUMNS_IN_A) as u8; } } -#[inline(always)] -#[cfg(feature = "mldsa44")] -pub(crate) fn matrix_4_by_4< - SIMDUnit: Operations, - Shake128: shake128::XofX4, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, ->( - seed: &[u8], - matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], -) { - let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE]; - let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE]; - let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE]; - let mut rand_stack3 = [0u8; shake128::FIVE_BLOCKS_SIZE]; - let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]]; - - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(0, 0), (0, 1), (0, 2), (0, 3)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(1, 0), (1, 1), (1, 2), (1, 3)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(2, 0), (2, 1), (2, 2), (2, 3)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(3, 0), (3, 1), (3, 2), (3, 3)], - 4, - ); -} - -#[inline(always)] -#[cfg(feature = "mldsa65")] -pub(crate) fn matrix_6_by_5< - SIMDUnit: Operations, - Shake128: shake128::XofX4, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, ->( - seed: &[u8], - matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], -) { - let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE]; - let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE]; - let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE]; - let mut rand_stack3 = [0u8; shake128::FIVE_BLOCKS_SIZE]; - let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]]; - - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(0, 0), (0, 1), (0, 2), (0, 3)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(0, 4), (1, 0), (1, 1), (1, 2)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(1, 3), (1, 4), (2, 0), (2, 1)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(2, 2), (2, 3), (2, 4), (3, 0)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(3, 1), (3, 2), (3, 3), (3, 4)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(4, 0), (4, 1), (4, 2), (4, 3)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(4, 4), (5, 0), (5, 1), (5, 2)], - 4, - ); - - // The last 2 sampled ring elements are discarded here. - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(5, 3), (5, 4), (5, 5), (5, 6)], - 2, - ); -} - -#[inline(always)] -#[cfg(feature = "mldsa87")] -pub(crate) fn matrix_8_by_7< - SIMDUnit: Operations, - Shake128: shake128::XofX4, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, ->( - seed: &[u8], - matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], -) { - let mut rand_stack0 = [0u8; shake128::FIVE_BLOCKS_SIZE]; - let mut rand_stack1 = [0u8; shake128::FIVE_BLOCKS_SIZE]; - let mut rand_stack2 = [0u8; shake128::FIVE_BLOCKS_SIZE]; - let mut rand_stack3 = [0u8; shake128::FIVE_BLOCKS_SIZE]; - let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]]; - - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(0, 0), (0, 1), (0, 2), (0, 3)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(0, 4), (0, 5), (0, 6), (1, 0)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(1, 1), (1, 2), (1, 3), (1, 4)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(1, 5), (1, 6), (2, 0), (2, 1)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(2, 2), (2, 3), (2, 4), (2, 5)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(2, 6), (3, 0), (3, 1), (3, 2)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(3, 3), (3, 4), (3, 5), (3, 6)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(4, 0), (4, 1), (4, 2), (4, 3)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(4, 4), (4, 5), (4, 6), (5, 0)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(5, 1), (5, 2), (5, 3), (5, 4)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(5, 5), (5, 6), (6, 0), (6, 1)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(6, 2), (6, 3), (6, 4), (6, 5)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(6, 6), (7, 0), (7, 1), (7, 2)], - 4, - ); - sample_up_to_four_ring_elements::( - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - &[(7, 3), (7, 4), (7, 5), (7, 6)], - 4, - ); -} - +/// Portable sampling pub(crate) mod portable { use super::*; pub(crate) struct PortableSampler {} impl X4Sampler for PortableSampler { - fn matrix( + fn matrix_flat( + rows: usize, + columns: usize, seed: &[u8], - matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + matrix: &mut [PolynomialRingElement], ) { - matrix_generic::< - SIMDUnit, - crate::hash_functions::portable::Shake128X4, - ROWS_IN_A, - COLUMNS_IN_A, - >(seed, matrix) + matrix_flat::( + rows, columns, seed, matrix, + ) } } } +/// Neon sampling #[cfg(feature = "simd128")] pub(crate) mod neon { use super::*; @@ -421,20 +79,20 @@ pub(crate) mod neon { pub(crate) struct NeonSampler {} impl X4Sampler for NeonSampler { #[inline(always)] - fn matrix( + fn matrix_flat( + rows: usize, + columns: usize, seed: &[u8], - matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + matrix: &mut [PolynomialRingElement], ) { - matrix_generic::< - SIMDUnit, - crate::hash_functions::neon::Shake128x4, - ROWS_IN_A, - COLUMNS_IN_A, - >(seed, matrix) + matrix_flat::( + rows, columns, seed, matrix, + ) } } } +/// AVX2 sampling #[cfg(feature = "simd256")] pub(crate) mod avx2 { use super::*; @@ -442,69 +100,27 @@ pub(crate) mod avx2 { pub(crate) struct AVX2Sampler {} impl X4Sampler for AVX2Sampler { #[allow(unsafe_code)] - fn matrix( + fn matrix_flat( + rows: usize, + columns: usize, seed: &[u8], - matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], + matrix: &mut [PolynomialRingElement], ) { - unsafe { matrix_avx2::(seed, matrix) } + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + unsafe fn inner( + rows: usize, + columns: usize, + seed: &[u8], + matrix: &mut [PolynomialRingElement], + ) { + matrix_flat::( + rows, columns, seed, matrix, + ) + } + unsafe { inner(rows, columns, seed, matrix) }; } } - - #[cfg_attr(not(hax), target_feature(enable = "avx2"))] - #[allow(unsafe_code)] - unsafe fn matrix_avx2< - SIMDUnit: Operations, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - >( - seed: &[u8], - matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], - ) { - match (ROWS_IN_A as u8, COLUMNS_IN_A as u8) { - #[cfg(feature = "mldsa44")] - (4, 4) => matrix_4_by_4::< - SIMDUnit, - crate::hash_functions::simd256::Shake128x4, - ROWS_IN_A, - COLUMNS_IN_A, - >(seed, matrix), - #[cfg(feature = "mldsa65")] - (6, 5) => matrix_6_by_5::< - SIMDUnit, - crate::hash_functions::simd256::Shake128x4, - ROWS_IN_A, - COLUMNS_IN_A, - >(seed, matrix), - #[cfg(feature = "mldsa87")] - (8, 7) => matrix_8_by_7::< - SIMDUnit, - crate::hash_functions::simd256::Shake128x4, - ROWS_IN_A, - COLUMNS_IN_A, - >(seed, matrix), - _ => unreachable!(), - } - } -} - -pub(crate) fn matrix_generic< - SIMDUnit: Operations, - Shake128: shake128::XofX4, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, ->( - seed: &[u8], - matrix: &mut [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], -) { - match (ROWS_IN_A as u8, COLUMNS_IN_A as u8) { - #[cfg(feature = "mldsa44")] - (4, 4) => matrix_4_by_4::(seed, matrix), - #[cfg(feature = "mldsa65")] - (6, 5) => matrix_6_by_5::(seed, matrix), - #[cfg(feature = "mldsa87")] - (8, 7) => matrix_8_by_7::(seed, matrix), - _ => unreachable!(), - } } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 4809c75bd..ae86e1f22 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -1,4 +1,4 @@ -use crate::simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}; +use crate::{constants::Eta, simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}}; mod arithmetic; mod encoding; @@ -9,8 +9,6 @@ mod vector_type; pub(crate) use vector_type::{AVX2RingElement, AVX2SIMDUnit}; -use super::traits::Eta; - impl Operations for AVX2SIMDUnit { type Coefficient = vector_type::Vec256; diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 659ad2361..b9359427d 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -1,4 +1,4 @@ -use crate::simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}; +use crate::{constants::Eta, simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}}; mod arithmetic; mod vector_type; @@ -12,8 +12,6 @@ mod sample; use vector_type::Coefficients; pub(crate) use vector_type::PortableSIMDUnit; -use super::traits::Eta; - impl Operations for PortableSIMDUnit { type Coefficient = Coefficients; diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index f69e08891..d852c3d74 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -1,7 +1,4 @@ -use crate::{ - helper::cloop, - simd::{portable::vector_type::Coefficients, traits::Eta}, -}; +use crate::{constants::Eta, helper::cloop, simd::portable::vector_type::Coefficients}; #[inline(always)] fn serialize_when_eta_is_2(simd_unit: &Coefficients, serialized: &mut [u8]) { diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index c09d2e485..63fea210a 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -1,3 +1,5 @@ +use crate::constants::Eta; + // Each field element occupies 32 bits and the size of a simd_unit is 256 bits. pub(crate) const COEFFICIENTS_IN_SIMD_UNIT: usize = 8; @@ -14,12 +16,6 @@ pub const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58_728_449; /// We use 'fer' as a shorthand for this type. pub(crate) type FieldElementTimesMontgomeryR = i32; -#[derive(Debug, Clone, Copy, PartialEq, Eq)] -pub(crate) enum Eta { - Two = 2, - Four = 4, -} - pub(crate) trait Operations: Copy + Clone { type Coefficient: Copy; // XXX: make generic? drop copy? From 411033ca4cb6bd9bcc81f0d9d9d803d261ec4499 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 1 Jan 2025 20:44:52 +0000 Subject: [PATCH 26/58] wip --- libcrux-ml-dsa/src/ml_dsa_44.rs | 7 ++++++ libcrux-ml-dsa/src/ml_dsa_65.rs | 7 ++++++ libcrux-ml-dsa/src/ml_dsa_87.rs | 7 ++++++ libcrux-ml-dsa/src/ml_dsa_generic.rs | 17 +++++++------- .../src/ml_dsa_generic/instantiations.rs | 6 +++++ .../src/ml_dsa_generic/instantiations/avx2.rs | 12 ++++++++++ .../src/ml_dsa_generic/multiplexing.rs | 12 ++++++++++ libcrux-ml-dsa/src/sample.rs | 22 ++++++++----------- 8 files changed, 68 insertions(+), 22 deletions(-) diff --git a/libcrux-ml-dsa/src/ml_dsa_44.rs b/libcrux-ml-dsa/src/ml_dsa_44.rs index 66fbb357c..f4a6c0daf 100644 --- a/libcrux-ml-dsa/src/ml_dsa_44.rs +++ b/libcrux-ml-dsa/src/ml_dsa_44.rs @@ -4,6 +4,7 @@ use crate::{constants::*, ml_dsa_generic, types::*, SigningError, VerificationEr const ROWS_IN_A: usize = 4; const COLUMNS_IN_A: usize = 4; +const ROWS_X_COLUMNS: usize = ROWS_IN_A * COLUMNS_IN_A; const ETA: usize = 2; // To sample a value in the interval [-ETA, ETA], we can sample a value (say 'v') @@ -96,6 +97,7 @@ macro_rules! instantiate { p::sign::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -123,6 +125,7 @@ macro_rules! instantiate { p::sign_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -178,6 +181,7 @@ macro_rules! instantiate { p::sign_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -311,6 +315,7 @@ pub fn sign( ml_dsa_generic::multiplexing::sign::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -340,6 +345,7 @@ pub fn sign_internal( ml_dsa_generic::multiplexing::sign_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -439,6 +445,7 @@ pub fn sign_pre_hashed_shake128( ml_dsa_generic::multiplexing::sign_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/ml_dsa_65.rs b/libcrux-ml-dsa/src/ml_dsa_65.rs index 3503c7c81..eeb76e793 100644 --- a/libcrux-ml-dsa/src/ml_dsa_65.rs +++ b/libcrux-ml-dsa/src/ml_dsa_65.rs @@ -4,6 +4,7 @@ use crate::{constants::*, ml_dsa_generic, types::*, SigningError, VerificationEr const ROWS_IN_A: usize = 6; const COLUMNS_IN_A: usize = 5; +const ROWS_X_COLUMNS: usize = ROWS_IN_A * COLUMNS_IN_A; const ETA: usize = 4; @@ -95,6 +96,7 @@ macro_rules! instantiate { p::sign_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -150,6 +152,7 @@ macro_rules! instantiate { p::sign::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -179,6 +182,7 @@ macro_rules! instantiate { p::sign_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -312,6 +316,7 @@ pub fn sign( ml_dsa_generic::multiplexing::sign::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -384,6 +389,7 @@ pub fn sign_pre_hashed_shake128( ml_dsa_generic::multiplexing::sign_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -449,6 +455,7 @@ pub fn sign_internal( ml_dsa_generic::multiplexing::sign_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/ml_dsa_87.rs b/libcrux-ml-dsa/src/ml_dsa_87.rs index 3c31f4394..20e5d6136 100644 --- a/libcrux-ml-dsa/src/ml_dsa_87.rs +++ b/libcrux-ml-dsa/src/ml_dsa_87.rs @@ -7,6 +7,7 @@ use crate::{constants::*, ml_dsa_generic, types::*, SigningError, VerificationEr const ROWS_IN_A: usize = 8; const COLUMNS_IN_A: usize = 7; +const ROWS_X_COLUMNS: usize = ROWS_IN_A * COLUMNS_IN_A; const ETA: usize = 2; @@ -99,6 +100,7 @@ macro_rules! instantiate { p::sign_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -154,6 +156,7 @@ macro_rules! instantiate { p::sign::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -183,6 +186,7 @@ macro_rules! instantiate { p::sign_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -316,6 +320,7 @@ pub fn sign( ml_dsa_generic::multiplexing::sign::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -388,6 +393,7 @@ pub fn sign_pre_hashed_shake128( ml_dsa_generic::multiplexing::sign_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -454,6 +460,7 @@ pub fn sign_internal( ml_dsa_generic::multiplexing::sign_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index dbdc43c1b..70fbef822 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -145,6 +145,7 @@ pub(crate) fn sign_pre_hashed< const PH_DIGEST_LEN: usize, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -180,6 +181,7 @@ pub(crate) fn sign_pre_hashed< Shake256X4, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -200,7 +202,6 @@ pub(crate) fn sign_pre_hashed< ) } -#[allow(non_snake_case)] #[inline(always)] pub(crate) fn sign< SIMDUnit: Operations, @@ -211,6 +212,7 @@ pub(crate) fn sign< Shake256X4: shake256::XofX4, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -242,6 +244,7 @@ pub(crate) fn sign< Shake256X4, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -266,7 +269,6 @@ pub(crate) fn sign< /// /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. -#[allow(non_snake_case)] #[inline(always)] pub(crate) fn sign_internal< SIMDUnit: Operations, @@ -277,6 +279,7 @@ pub(crate) fn sign_internal< Shake256X4: shake256::XofX4, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -330,7 +333,7 @@ pub(crate) fn sign_internal< ); // Sample matrix A. - let mut matrix = [PolynomialRingElement::::zero(); 56]; // FIXME + let mut matrix = [PolynomialRingElement::::zero(); ROWS_X_COLUMNS]; Sampler::matrix_flat::(ROWS_IN_A, COLUMNS_IN_A, &seed_for_a, &mut matrix); let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; @@ -417,9 +420,7 @@ pub(crate) fn sign_internal< sample_challenge_ring_element::< SIMDUnit, Shake256, - ONES_IN_VERIFIER_CHALLENGE, - COMMITMENT_HASH_SIZE, - >(commitment_hash_candidate, &mut verifier_challenge); + >(&commitment_hash_candidate,ONES_IN_VERIFIER_CHALLENGE, &mut verifier_challenge); ntt(&mut verifier_challenge); // We need to clone here in case we need s1_as_ntt or s2_as_ntt again in @@ -637,9 +638,7 @@ pub(crate) fn verify_internal< sample_challenge_ring_element::< SIMDUnit, Shake256, - ONES_IN_VERIFIER_CHALLENGE, - COMMITMENT_HASH_SIZE, - >(signature.commitment_hash, &mut verifier_challenge); + >(&signature.commitment_hash,ONES_IN_VERIFIER_CHALLENGE, &mut verifier_challenge); ntt(&mut verifier_challenge); // Move signer response into ntt diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index 371a54b74..989dbf453 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -36,6 +36,7 @@ macro_rules! instantiate { pub(crate) fn sign< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -63,6 +64,7 @@ macro_rules! instantiate { $shake256x4, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -83,6 +85,7 @@ macro_rules! instantiate { pub(crate) fn sign_internal< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -109,6 +112,7 @@ macro_rules! instantiate { $shake256x4, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -128,6 +132,7 @@ macro_rules! instantiate { pub(crate) fn sign_pre_hashed_shake128< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -158,6 +163,7 @@ macro_rules! instantiate { 256, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index c88a78b10..137544c38 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -74,6 +74,7 @@ mod avx2_feature { pub(super) unsafe fn sign< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -103,6 +104,7 @@ mod avx2_feature { crate::hash_functions::simd256::Shake256x4, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -125,6 +127,7 @@ mod avx2_feature { pub(super) unsafe fn sign_internal< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -153,6 +156,7 @@ mod avx2_feature { crate::hash_functions::simd256::Shake256x4, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -174,6 +178,7 @@ mod avx2_feature { pub(super) unsafe fn sign_pre_hashed_shake128< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -208,6 +213,7 @@ mod avx2_feature { 256, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -406,6 +412,7 @@ pub(crate) fn generate_key_pair_v87( pub(crate) fn sign< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -428,6 +435,7 @@ pub(crate) fn sign< avx2_feature::sign::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -450,6 +458,7 @@ pub(crate) fn sign< pub(crate) fn sign_internal< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -471,6 +480,7 @@ pub(crate) fn sign_internal< avx2_feature::sign_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -492,6 +502,7 @@ pub(crate) fn sign_internal< pub(crate) fn sign_pre_hashed_shake128< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -514,6 +525,7 @@ pub(crate) fn sign_pre_hashed_shake128< avx2_feature::sign_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs index b48224351..87ca17ee3 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs @@ -103,6 +103,7 @@ pub(crate) fn generate_key_pair_v87( pub(crate) fn sign_internal< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -124,6 +125,7 @@ pub(crate) fn sign_internal< sign_internal_avx2::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -141,6 +143,7 @@ pub(crate) fn sign_internal< sign_internal_neon::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -158,6 +161,7 @@ pub(crate) fn sign_internal< instantiations::portable::sign_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -177,6 +181,7 @@ pub(crate) fn sign_internal< pub(crate) fn sign< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -199,6 +204,7 @@ pub(crate) fn sign< sign_avx2::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -216,6 +222,7 @@ pub(crate) fn sign< sign_neon::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -233,6 +240,7 @@ pub(crate) fn sign< instantiations::portable::sign::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -252,6 +260,7 @@ pub(crate) fn sign< pub(crate) fn sign_pre_hashed_shake128< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const ETA: usize, const ERROR_RING_ELEMENT_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -274,6 +283,7 @@ pub(crate) fn sign_pre_hashed_shake128< sign_pre_hashed_shake128_avx2::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -291,6 +301,7 @@ pub(crate) fn sign_pre_hashed_shake128< sign_pre_hashed_shake128_neon::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, @@ -308,6 +319,7 @@ pub(crate) fn sign_pre_hashed_shake128< instantiations::portable::sign_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, ETA, ERROR_RING_ELEMENT_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 28e979de2..50e33c50f 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -381,7 +381,7 @@ pub(crate) fn sample_mask_vector< >( seed: &[u8; 64], domain_separator: &mut u16, - mask: &mut [PolynomialRingElement; DIMENSION], + mask: &mut [PolynomialRingElement], ) { // DIMENSION is COLUMNS_IN_A debug_assert!(DIMENSION == 4 || DIMENSION == 5 || DIMENSION == 7); @@ -463,22 +463,18 @@ fn inside_out_shuffle( } #[inline(always)] -pub(crate) fn sample_challenge_ring_element< - SIMDUnit: Operations, - Shake256: shake256::DsaXof, - const NUMBER_OF_ONES: usize, - const SEED_SIZE: usize, ->( - seed: [u8; SEED_SIZE], +pub(crate) fn sample_challenge_ring_element( + seed: &[u8], + number_of_ones: usize, re: &mut PolynomialRingElement, ) { - let mut state = Shake256::init_absorb_final(&seed); + let mut state = Shake256::init_absorb_final(seed); let randomness = state.squeeze_first_block(); let mut signs = u64::from_le_bytes(randomness[0..8].try_into().unwrap()); let mut result = [0i32; 256]; - let mut out_index = result.len() - NUMBER_OF_ONES; + let mut out_index = result.len() - number_of_ones; let mut done = inside_out_shuffle(&randomness[8..], &mut out_index, &mut signs, &mut result); while !done { @@ -736,7 +732,7 @@ mod tests { ]; let mut re = PolynomialRingElement::zero(); - sample_challenge_ring_element::(seed, &mut re); + sample_challenge_ring_element::(&seed, 39, &mut re); assert_eq!(re.to_i32_array(), expected_coefficients); // When TAU = 49 @@ -759,7 +755,7 @@ mod tests { ]; let mut re = PolynomialRingElement::zero(); - sample_challenge_ring_element::(seed, &mut re); + sample_challenge_ring_element::(&seed, 49, &mut re); assert_eq!(re.to_i32_array(), expected_coefficients); // When TAU = 60 @@ -782,7 +778,7 @@ mod tests { ]; let mut re = PolynomialRingElement::zero(); - sample_challenge_ring_element::(seed, &mut re); + sample_challenge_ring_element::(&seed, 60, &mut re); assert_eq!(re.to_i32_array(), expected_coefficients); } From 6ed6fa307b1a649c902a55dce4054aad1e9cfea8 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 1 Jan 2025 21:03:39 +0000 Subject: [PATCH 27/58] fixed perf regression --- libcrux-ml-dsa/src/ml_dsa_44.rs | 6 ++ libcrux-ml-dsa/src/ml_dsa_65.rs | 6 ++ libcrux-ml-dsa/src/ml_dsa_87.rs | 6 ++ libcrux-ml-dsa/src/ml_dsa_generic.rs | 80 ++++++++++--------- .../src/ml_dsa_generic/instantiations.rs | 6 ++ .../src/ml_dsa_generic/instantiations/avx2.rs | 12 +++ .../src/ml_dsa_generic/multiplexing.rs | 12 +++ libcrux-ml-dsa/src/sample.rs | 1 - libcrux-ml-dsa/src/samplex4.rs | 17 +--- 9 files changed, 93 insertions(+), 53 deletions(-) diff --git a/libcrux-ml-dsa/src/ml_dsa_44.rs b/libcrux-ml-dsa/src/ml_dsa_44.rs index f4a6c0daf..f45e9f55a 100644 --- a/libcrux-ml-dsa/src/ml_dsa_44.rs +++ b/libcrux-ml-dsa/src/ml_dsa_44.rs @@ -153,6 +153,7 @@ macro_rules! instantiate { p::verify_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -211,6 +212,7 @@ macro_rules! instantiate { p::verify::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -244,6 +246,7 @@ macro_rules! instantiate { p::verify_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -374,6 +377,7 @@ pub fn verify_internal( ml_dsa_generic::multiplexing::verify_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -406,6 +410,7 @@ pub fn verify( ml_dsa_generic::multiplexing::verify::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -479,6 +484,7 @@ pub fn verify_pre_hashed_shake128( ml_dsa_generic::multiplexing::verify_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/ml_dsa_65.rs b/libcrux-ml-dsa/src/ml_dsa_65.rs index eeb76e793..2f6ac408f 100644 --- a/libcrux-ml-dsa/src/ml_dsa_65.rs +++ b/libcrux-ml-dsa/src/ml_dsa_65.rs @@ -124,6 +124,7 @@ macro_rules! instantiate { p::verify_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -212,6 +213,7 @@ macro_rules! instantiate { p::verify::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -245,6 +247,7 @@ macro_rules! instantiate { p::verify_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -350,6 +353,7 @@ pub fn verify( ml_dsa_generic::multiplexing::verify::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -423,6 +427,7 @@ pub fn verify_pre_hashed_shake128( ml_dsa_generic::multiplexing::verify_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -484,6 +489,7 @@ pub fn verify_internal( ml_dsa_generic::multiplexing::verify_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/ml_dsa_87.rs b/libcrux-ml-dsa/src/ml_dsa_87.rs index 20e5d6136..3ed0ac8e2 100644 --- a/libcrux-ml-dsa/src/ml_dsa_87.rs +++ b/libcrux-ml-dsa/src/ml_dsa_87.rs @@ -128,6 +128,7 @@ macro_rules! instantiate { p::verify_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -216,6 +217,7 @@ macro_rules! instantiate { p::verify::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -249,6 +251,7 @@ macro_rules! instantiate { p::verify_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -354,6 +357,7 @@ pub fn verify( ml_dsa_generic::multiplexing::verify::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -427,6 +431,7 @@ pub fn verify_pre_hashed_shake128( ml_dsa_generic::multiplexing::verify_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -489,6 +494,7 @@ pub fn verify_internal( ml_dsa_generic::multiplexing::verify_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 70fbef822..0feb64750 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -45,17 +45,6 @@ pub(crate) mod multiplexing; const ETA: Eta = constants::v87::ETA; const BITS_PER_ERROR_COEFFICIENT: usize = constants::v87::BITS_PER_ERROR_COEFFICIENT; }, - - // Derived constants - derived { - const ROW_COLUMN: usize = ROWS_IN_A + COLUMNS_IN_A; - const ROW_X_COLUMN: usize = ROWS_IN_A * COLUMNS_IN_A; - const ERROR_RING_ELEMENT_SIZE: usize = error_ring_element_size(BITS_PER_ERROR_COEFFICIENT); - const SIGNING_KEY_SIZE: usize = signing_key_size( - ROWS_IN_A, COLUMNS_IN_A, ERROR_RING_ELEMENT_SIZE); - const VERIFICATION_KEY_SIZE: usize = verification_key_size(ROWS_IN_A); - - } )] #[inline(always)] pub(crate) fn generate_key_pair< @@ -70,6 +59,14 @@ pub(crate) fn generate_key_pair< signing_key: &mut [u8], verification_key: &mut [u8], ) { + // Derived constants + const ROW_COLUMN: usize = ROWS_IN_A + COLUMNS_IN_A; + const ROW_X_COLUMN: usize = ROWS_IN_A * COLUMNS_IN_A; + const ERROR_RING_ELEMENT_SIZE: usize = error_ring_element_size(BITS_PER_ERROR_COEFFICIENT); + const SIGNING_KEY_SIZE: usize = + signing_key_size(ROWS_IN_A, COLUMNS_IN_A, ERROR_RING_ELEMENT_SIZE); + const VERIFICATION_KEY_SIZE: usize = verification_key_size(ROWS_IN_A); + // Check key sizes debug_assert!(signing_key.len() == SIGNING_KEY_SIZE); debug_assert!(verification_key.len() == VERIFICATION_KEY_SIZE); @@ -88,14 +85,10 @@ pub(crate) fn generate_key_pair< seed_expanded.split_at(SEED_FOR_ERROR_VECTORS_SIZE); let mut a_as_ntt = [PolynomialRingElement::::zero(); ROW_X_COLUMN]; - Sampler::matrix_flat::(ROWS_IN_A, COLUMNS_IN_A, seed_for_a, &mut a_as_ntt); + Sampler::matrix_flat::(COLUMNS_IN_A, seed_for_a, &mut a_as_ntt); let mut s1_s2 = [PolynomialRingElement::::zero(); ROW_COLUMN]; - samplex4::sample_s1_and_s2::( - ETA, - seed_for_error_vectors, - &mut s1_s2, - ); + samplex4::sample_s1_and_s2::(ETA, seed_for_error_vectors, &mut s1_s2); let mut t0 = [PolynomialRingElement::::zero(); ROWS_IN_A]; { @@ -104,22 +97,22 @@ pub(crate) fn generate_key_pair< for i in 0..s1_ntt.len() { ntt(&mut s1_ntt[i]); } - compute_as1_plus_s2::( ROWS_IN_A, COLUMNS_IN_A, &a_as_ntt,&s1_ntt, &s1_s2, &mut t0); + compute_as1_plus_s2::( + ROWS_IN_A, + COLUMNS_IN_A, + &a_as_ntt, + &s1_ntt, + &s1_s2, + &mut t0, + ); } let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; power2round_vector::(&mut t0, &mut t1); - encoding::verification_key::generate_serialized::( - seed_for_a, - &t1, - verification_key, - ); + encoding::verification_key::generate_serialized::(seed_for_a, &t1, verification_key); - encoding::signing_key::generate_serialized::< - SIMDUnit, - Shake256, - >( + encoding::signing_key::generate_serialized::( ETA, ERROR_RING_ELEMENT_SIZE, seed_for_a, @@ -334,7 +327,7 @@ pub(crate) fn sign_internal< // Sample matrix A. let mut matrix = [PolynomialRingElement::::zero(); ROWS_X_COLUMNS]; - Sampler::matrix_flat::(ROWS_IN_A, COLUMNS_IN_A, &seed_for_a, &mut matrix); + Sampler::matrix_flat::(COLUMNS_IN_A, &seed_for_a, &mut matrix); let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; derive_message_representative::( @@ -417,10 +410,11 @@ pub(crate) fn sign_internal< } let mut verifier_challenge = PolynomialRingElement::zero(); - sample_challenge_ring_element::< - SIMDUnit, - Shake256, - >(&commitment_hash_candidate,ONES_IN_VERIFIER_CHALLENGE, &mut verifier_challenge); + sample_challenge_ring_element::( + &commitment_hash_candidate, + ONES_IN_VERIFIER_CHALLENGE, + &mut verifier_challenge, + ); ntt(&mut verifier_challenge); // We need to clone here in case we need s1_as_ntt or s2_as_ntt again in @@ -571,6 +565,7 @@ pub(crate) fn verify_internal< Shake256Xof: shake256::Xof, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -618,8 +613,8 @@ pub(crate) fn verify_internal< ) { return Err(VerificationError::SignerResponseExceedsBoundError); } - let mut matrix = [PolynomialRingElement::::zero(); 56]; // FIXME - Sampler::matrix_flat::(ROWS_IN_A, COLUMNS_IN_A, &seed_for_a, &mut matrix); + let mut matrix = [PolynomialRingElement::::zero(); ROWS_X_COLUMNS]; + Sampler::matrix_flat::(COLUMNS_IN_A, &seed_for_a, &mut matrix); let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; Shake256::shake256::( @@ -635,17 +630,20 @@ pub(crate) fn verify_internal< ); let mut verifier_challenge = PolynomialRingElement::zero(); - sample_challenge_ring_element::< - SIMDUnit, - Shake256, - >(&signature.commitment_hash,ONES_IN_VERIFIER_CHALLENGE, &mut verifier_challenge); + sample_challenge_ring_element::( + &signature.commitment_hash, + ONES_IN_VERIFIER_CHALLENGE, + &mut verifier_challenge, + ); ntt(&mut verifier_challenge); // Move signer response into ntt for i in 0..signature.signer_response.len() { ntt(&mut signature.signer_response[i]); } - compute_w_approx::(ROWS_IN_A, COLUMNS_IN_A, + compute_w_approx::( + ROWS_IN_A, + COLUMNS_IN_A, &matrix, &signature.signer_response, &verifier_challenge, @@ -687,6 +685,7 @@ pub(crate) fn verify< Shake256Xof: shake256::Xof, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -717,6 +716,7 @@ pub(crate) fn verify< Shake256Xof, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -749,6 +749,7 @@ pub(crate) fn verify_pre_hashed< const PH_DIGEST_LEN: usize, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -780,6 +781,7 @@ pub(crate) fn verify_pre_hashed< Shake256Xof, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index 989dbf453..7c276265e 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -183,6 +183,7 @@ macro_rules! instantiate { pub(crate) fn verify< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -208,6 +209,7 @@ macro_rules! instantiate { $shake256xof, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -227,6 +229,7 @@ macro_rules! instantiate { pub(crate) fn verify_internal< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -251,6 +254,7 @@ macro_rules! instantiate { $shake256xof, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -269,6 +273,7 @@ macro_rules! instantiate { pub(crate) fn verify_pre_hashed_shake128< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -297,6 +302,7 @@ macro_rules! instantiate { 256, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index 137544c38..9b8ddfd64 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -235,6 +235,7 @@ mod avx2_feature { pub(super) unsafe fn verify< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -262,6 +263,7 @@ mod avx2_feature { crate::hash_functions::portable::Shake256Xof, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -283,6 +285,7 @@ mod avx2_feature { pub(super) unsafe fn verify_internal< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -309,6 +312,7 @@ mod avx2_feature { crate::hash_functions::portable::Shake256Xof, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -329,6 +333,7 @@ mod avx2_feature { pub(super) unsafe fn verify_pre_hashed_shake128< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -361,6 +366,7 @@ mod avx2_feature { 256, ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -547,6 +553,7 @@ pub(crate) fn sign_pre_hashed_shake128< pub(crate) fn verify< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -568,6 +575,7 @@ pub(crate) fn verify< avx2_feature::verify::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -589,6 +597,7 @@ pub(crate) fn verify< pub(crate) fn verify_internal< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -609,6 +618,7 @@ pub(crate) fn verify_internal< avx2_feature::verify_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -629,6 +639,7 @@ pub(crate) fn verify_internal< pub(crate) fn verify_pre_hashed_shake128< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -650,6 +661,7 @@ pub(crate) fn verify_pre_hashed_shake128< avx2_feature::verify_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs index 87ca17ee3..f4d89a147 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs @@ -340,6 +340,7 @@ pub(crate) fn sign_pre_hashed_shake128< pub(crate) fn verify_internal< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -360,6 +361,7 @@ pub(crate) fn verify_internal< verify_internal_avx2::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -376,6 +378,7 @@ pub(crate) fn verify_internal< verify_internal_neon::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -392,6 +395,7 @@ pub(crate) fn verify_internal< instantiations::portable::verify_internal::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -410,6 +414,7 @@ pub(crate) fn verify_internal< pub(crate) fn verify< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -431,6 +436,7 @@ pub(crate) fn verify< verify_avx2::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -452,6 +458,7 @@ pub(crate) fn verify< verify_neon::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -473,6 +480,7 @@ pub(crate) fn verify< instantiations::portable::verify::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -496,6 +504,7 @@ pub(crate) fn verify< pub(crate) fn verify_pre_hashed_shake128< const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, + const ROWS_X_COLUMNS: usize, const SIGNATURE_SIZE: usize, const VERIFICATION_KEY_SIZE: usize, const GAMMA1_EXPONENT: usize, @@ -517,6 +526,7 @@ pub(crate) fn verify_pre_hashed_shake128< verify_pre_hashed_shake128_avx2::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -538,6 +548,7 @@ pub(crate) fn verify_pre_hashed_shake128< verify_pre_hashed_shake128_neon::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, @@ -559,6 +570,7 @@ pub(crate) fn verify_pre_hashed_shake128< instantiations::portable::verify_pre_hashed_shake128::< ROWS_IN_A, COLUMNS_IN_A, + ROWS_X_COLUMNS, SIGNATURE_SIZE, VERIFICATION_KEY_SIZE, GAMMA1_EXPONENT, diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 50e33c50f..93ce7eb60 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -65,7 +65,6 @@ pub(crate) fn sample_up_to_four_ring_elements_flat< SIMDUnit: Operations, Shake128: shake128::XofX4, >( - rows: usize, columns: usize, seed: &[u8], matrix: &mut [PolynomialRingElement], diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index daa575803..b56f82b10 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -10,7 +10,6 @@ use crate::{ pub(crate) trait X4Sampler { /// Sample the matrix A using platform specific implementation. fn matrix_flat( - rows: usize, columns: usize, seed: &[u8], matrix: &mut [PolynomialRingElement], @@ -19,7 +18,6 @@ pub(crate) trait X4Sampler { #[inline(always)] pub(crate) fn matrix_flat( - rows: usize, columns: usize, seed: &[u8], matrix: &mut [PolynomialRingElement], @@ -37,7 +35,6 @@ pub(crate) fn matrix_flat( matrix.len() - start_index }; sample_up_to_four_ring_elements_flat::( - rows, columns, seed, matrix, @@ -59,13 +56,12 @@ pub(crate) mod portable { pub(crate) struct PortableSampler {} impl X4Sampler for PortableSampler { fn matrix_flat( - rows: usize, columns: usize, seed: &[u8], matrix: &mut [PolynomialRingElement], ) { matrix_flat::( - rows, columns, seed, matrix, + columns, seed, matrix, ) } } @@ -80,14 +76,11 @@ pub(crate) mod neon { impl X4Sampler for NeonSampler { #[inline(always)] fn matrix_flat( - rows: usize, columns: usize, seed: &[u8], matrix: &mut [PolynomialRingElement], ) { - matrix_flat::( - rows, columns, seed, matrix, - ) + matrix_flat::(columns, seed, matrix) } } } @@ -101,7 +94,6 @@ pub(crate) mod avx2 { impl X4Sampler for AVX2Sampler { #[allow(unsafe_code)] fn matrix_flat( - rows: usize, columns: usize, seed: &[u8], matrix: &mut [PolynomialRingElement], @@ -109,16 +101,15 @@ pub(crate) mod avx2 { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn inner( - rows: usize, columns: usize, seed: &[u8], matrix: &mut [PolynomialRingElement], ) { matrix_flat::( - rows, columns, seed, matrix, + columns, seed, matrix, ) } - unsafe { inner(rows, columns, seed, matrix) }; + unsafe { inner(columns, seed, matrix) }; } } } From 9252b9d59cc5700eb51d608c1d12ee80d9419b1f Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Thu, 2 Jan 2025 09:01:47 +0000 Subject: [PATCH 28/58] wip --- Cargo.toml | 5 +- libcrux-ml-dsa/Cargo.toml | 1 + libcrux-ml-dsa/boring.sh | 2 +- libcrux-ml-dsa/cg/code_gen.txt | 2 +- libcrux-ml-dsa/cg/header.txt | 2 +- libcrux-ml-dsa/src/ml_dsa_generic.rs | 3 + .../src/ml_dsa_generic/instantiations.rs | 3 + .../src/ml_dsa_generic/instantiations/avx2.rs | 88 +++++++------------ .../src/ml_dsa_generic/multiplexing.rs | 31 ++++--- libcrux-ml-dsa/tests/nistkats.rs | 10 ++- libcrux-sha3/src/lib.rs | 4 + macros/Cargo.toml | 2 + macros/src/lib.rs | 35 ++++++-- .../fstar/extraction/Libcrux_platform.X86.fst | 2 +- 14 files changed, 106 insertions(+), 84 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 3074a700a..8d2974349 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -119,8 +119,9 @@ lto = "fat" codegen-units = 1 panic = "abort" -[profile.dev.package."libcrux-ml-dsa"] -opt-level = 1 +# XXX: Not needed anymore, but nice for test speed +# [profile.dev.package."libcrux-ml-dsa"] +# opt-level = 1 [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = [ diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml index c261861ba..a24e6901f 100644 --- a/libcrux-ml-dsa/Cargo.toml +++ b/libcrux-ml-dsa/Cargo.toml @@ -19,6 +19,7 @@ bench = false # so libtest doesn't eat the arguments to criterion libcrux-sha3 = { version = "0.0.2-beta.2", path = "../libcrux-sha3" } libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" } libcrux-platform = { version = "0.0.2-beta.2", path = "../sys/platform" } +libcrux-macros = { version = "0.0.2-beta.2", path = "../macros" } hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" } [dev-dependencies] diff --git a/libcrux-ml-dsa/boring.sh b/libcrux-ml-dsa/boring.sh index 6411d6dab..546800612 100755 --- a/libcrux-ml-dsa/boring.sh +++ b/libcrux-ml-dsa/boring.sh @@ -19,7 +19,7 @@ done if [[ "$no_clean" = 0 ]]; then cargo clean fi -# TODO: add feature flags for mldsa65 + ./c.sh --config cg.yaml --out cg --mldsa65\ --no-glue --no-unrolling --no-karamel_include --no-karamel_include diff --git a/libcrux-ml-dsa/cg/code_gen.txt b/libcrux-ml-dsa/cg/code_gen.txt index 80f8dd1aa..a724f2bbe 100644 --- a/libcrux-ml-dsa/cg/code_gen.txt +++ b/libcrux-ml-dsa/cg/code_gen.txt @@ -3,4 +3,4 @@ Charon: db4e045d4597d06d854ce7a2c10e8dcfda6ecd25 Eurydice: 75eae2e2534a16f5ba5430e6ee5c69d8a46f3bea Karamel: 3823e3d82fa0b271d799b61c59ffb4742ddc1e65 F*: b0961063393215ca65927f017720cb365a193833-dirty -Libcrux: 834b7f51701fa4e8695a784c138ed230f49f0c4e +Libcrux: a596b564bbc047e157eb19f66887f965403a30e6 diff --git a/libcrux-ml-dsa/cg/header.txt b/libcrux-ml-dsa/cg/header.txt index c8d136fbe..8cdf86129 100644 --- a/libcrux-ml-dsa/cg/header.txt +++ b/libcrux-ml-dsa/cg/header.txt @@ -8,5 +8,5 @@ * Eurydice: 75eae2e2534a16f5ba5430e6ee5c69d8a46f3bea * Karamel: 3823e3d82fa0b271d799b61c59ffb4742ddc1e65 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 834b7f51701fa4e8695a784c138ed230f49f0c4e + * Libcrux: a596b564bbc047e157eb19f66887f965403a30e6 */ diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 0feb64750..8702b7ab4 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -28,18 +28,21 @@ pub(crate) mod multiplexing; #[libcrux_macros::consts( // Key size specific constants v44 { + #[cfg(feature = "mldsa44")] const ROWS_IN_A: usize = constants::v44::ROWS_IN_A; const COLUMNS_IN_A: usize = constants::v44::COLUMNS_IN_A; const ETA: Eta = constants::v44::ETA; const BITS_PER_ERROR_COEFFICIENT: usize = constants::v44::BITS_PER_ERROR_COEFFICIENT; }, v65 { + #[cfg(feature = "mldsa65")] const ROWS_IN_A: usize = constants::v65::ROWS_IN_A; const COLUMNS_IN_A: usize = constants::v65::COLUMNS_IN_A; const ETA: Eta = constants::v65::ETA; const BITS_PER_ERROR_COEFFICIENT: usize = constants::v65::BITS_PER_ERROR_COEFFICIENT; }, v87 { + #[cfg(feature = "mldsa87")] const ROWS_IN_A: usize = constants::v87::ROWS_IN_A; const COLUMNS_IN_A: usize = constants::v87::COLUMNS_IN_A; const ETA: Eta = constants::v87::ETA; diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index 7c276265e..2a47d10ec 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -28,8 +28,11 @@ macro_rules! instantiate { }; } + #[cfg(feature = "mldsa44")] generate_key_pair!(generate_key_pair_v44); + #[cfg(feature = "mldsa65")] generate_key_pair!(generate_key_pair_v65); + #[cfg(feature = "mldsa87")] generate_key_pair!(generate_key_pair_v87); /// Sign. diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index 9b8ddfd64..473337d0d 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -8,65 +8,36 @@ use crate::{ mod avx2_feature { use super::*; - /// Generate key pair. - #[cfg_attr(not(hax), target_feature(enable = "avx2"))] - #[allow(unsafe_code)] - pub(super) unsafe fn generate_key_pair_v44( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], - ) { - crate::ml_dsa_generic::generate_key_pair_v44::< - crate::simd::avx2::AVX2SIMDUnit, - crate::samplex4::avx2::AVX2Sampler, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - // We use the portable version here. - // It doesn' make sense to do these in parallel. - crate::hash_functions::portable::Shake256Xof, - crate::hash_functions::simd256::Shake256x4, - >(randomness, signing_key, verification_key) + macro_rules! generate_key_pair { + ($name:ident) => { + /// Generate key pair. + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + pub(super) unsafe fn $name( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], + ) { + crate::ml_dsa_generic::$name::< + crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, + crate::hash_functions::simd256::Shake256x4, + >(randomness, signing_key, verification_key) + } + }; } - /// Generate key pair. - #[cfg_attr(not(hax), target_feature(enable = "avx2"))] - #[allow(unsafe_code)] - pub(super) unsafe fn generate_key_pair_v65( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], - ) { - crate::ml_dsa_generic::generate_key_pair_v65::< - crate::simd::avx2::AVX2SIMDUnit, - crate::samplex4::avx2::AVX2Sampler, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - // We use the portable version here. - // It doesn' make sense to do these in parallel. - crate::hash_functions::portable::Shake256Xof, - crate::hash_functions::simd256::Shake256x4, - >(randomness, signing_key, verification_key) - } - - /// Generate key pair. - #[cfg_attr(not(hax), target_feature(enable = "avx2"))] - #[allow(unsafe_code)] - pub(super) unsafe fn generate_key_pair_v87( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], - ) { - crate::ml_dsa_generic::generate_key_pair_v87::< - crate::simd::avx2::AVX2SIMDUnit, - crate::samplex4::avx2::AVX2Sampler, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - // We use the portable version here. - // It doesn' make sense to do these in parallel. - crate::hash_functions::portable::Shake256Xof, - crate::hash_functions::simd256::Shake256x4, - >(randomness, signing_key, verification_key) - } + #[cfg(feature = "mldsa44")] + generate_key_pair!(generate_key_pair_v44); + #[cfg(feature = "mldsa65")] + generate_key_pair!(generate_key_pair_v65); + #[cfg(feature = "mldsa87")] + generate_key_pair!(generate_key_pair_v87); /// Sign. #[cfg_attr(not(hax), target_feature(enable = "avx2"))] @@ -382,6 +353,7 @@ mod avx2_feature { } } +#[cfg(feature = "mldsa44")] /// Generate key pair. #[allow(unsafe_code)] pub(crate) fn generate_key_pair_v44( @@ -392,6 +364,7 @@ pub(crate) fn generate_key_pair_v44( unsafe { avx2_feature::generate_key_pair_v44(randomness, signing_key, verification_key) } } +#[cfg(feature = "mldsa65")] /// Generate key pair. #[allow(unsafe_code)] pub(crate) fn generate_key_pair_v65( @@ -402,6 +375,7 @@ pub(crate) fn generate_key_pair_v65( unsafe { avx2_feature::generate_key_pair_v65(randomness, signing_key, verification_key) } } +#[cfg(feature = "mldsa87")] /// Generate key pair. #[allow(unsafe_code)] pub(crate) fn generate_key_pair_v87( diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs index f4d89a147..d04c6a71f 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs @@ -7,13 +7,17 @@ use libcrux_platform; #[cfg(feature = "simd256")] use instantiations::avx2::{ - generate_key_pair_v44 as generate_key_pair_v44_avx2, - generate_key_pair_v65 as generate_key_pair_v65_avx2, - generate_key_pair_v87 as generate_key_pair_v87_avx2, sign as sign_avx2, - sign_pre_hashed_shake128 as sign_pre_hashed_shake128_avx2, verify as verify_avx2, - verify_pre_hashed_shake128 as verify_pre_hashed_shake128_avx2, + sign as sign_avx2, sign_pre_hashed_shake128 as sign_pre_hashed_shake128_avx2, + verify as verify_avx2, verify_pre_hashed_shake128 as verify_pre_hashed_shake128_avx2, }; +#[cfg(all(feature = "simd256", feature = "mldsa44"))] +use instantiations::portable::generate_key_pair_v44 as generate_key_pair_v44_avx2; +#[cfg(all(feature = "simd256", feature = "mldsa65"))] +use instantiations::portable::generate_key_pair_v65 as generate_key_pair_v65_avx2; +#[cfg(all(feature = "simd256", feature = "mldsa87"))] +use instantiations::portable::generate_key_pair_v87 as generate_key_pair_v87_avx2; + #[cfg(all(feature = "simd256", feature = "acvp"))] use instantiations::avx2::{ sign_internal as sign_internal_avx2, verify_internal as verify_internal_avx2, @@ -50,13 +54,18 @@ use instantiations::portable::{ #[cfg(not(feature = "simd128"))] use instantiations::portable::{ - generate_key_pair_v44 as generate_key_pair_v44_neon, - generate_key_pair_v65 as generate_key_pair_v65_neon, - generate_key_pair_v87 as generate_key_pair_v87_neon, sign as sign_neon, - sign_pre_hashed_shake128 as sign_pre_hashed_shake128_neon, verify as verify_neon, - verify_pre_hashed_shake128 as verify_pre_hashed_shake128_neon, + sign as sign_neon, sign_pre_hashed_shake128 as sign_pre_hashed_shake128_neon, + verify as verify_neon, verify_pre_hashed_shake128 as verify_pre_hashed_shake128_neon, }; +#[cfg(all(not(feature = "simd128"), feature = "mldsa44"))] +use instantiations::portable::generate_key_pair_v44 as generate_key_pair_v44_neon; +#[cfg(all(not(feature = "simd128"), feature = "mldsa65"))] +use instantiations::portable::generate_key_pair_v65 as generate_key_pair_v65_neon; +#[cfg(all(not(feature = "simd128"), feature = "mldsa87"))] +use instantiations::portable::generate_key_pair_v87 as generate_key_pair_v87_neon; + +#[cfg(feature = "mldsa44")] pub(crate) fn generate_key_pair_v44( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], signing_key: &mut [u8], @@ -71,6 +80,7 @@ pub(crate) fn generate_key_pair_v44( } } +#[cfg(feature = "mldsa65")] pub(crate) fn generate_key_pair_v65( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], signing_key: &mut [u8], @@ -85,6 +95,7 @@ pub(crate) fn generate_key_pair_v65( } } +#[cfg(feature = "mldsa87")] pub(crate) fn generate_key_pair_v87( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], signing_key: &mut [u8], diff --git a/libcrux-ml-dsa/tests/nistkats.rs b/libcrux-ml-dsa/tests/nistkats.rs index 926effa81..d6b0d93e6 100644 --- a/libcrux-ml-dsa/tests/nistkats.rs +++ b/libcrux-ml-dsa/tests/nistkats.rs @@ -120,6 +120,7 @@ macro_rules! impl_nist_known_answer_tests { // 44 +#[cfg(feature = "mldsa44")] impl_nist_known_answer_tests!( nist_known_answer_tests_44, nist_known_answer_tests_pre_hashed_44, @@ -131,6 +132,7 @@ impl_nist_known_answer_tests!( libcrux_ml_dsa::ml_dsa_44::verify_pre_hashed_shake128 ); +#[cfg(feature = "mldsa44")] impl_nist_known_answer_tests!( nist_known_answer_tests_44_portable, nist_known_answer_tests_pre_hashed_44_portable, @@ -142,7 +144,7 @@ impl_nist_known_answer_tests!( libcrux_ml_dsa::ml_dsa_44::verify_pre_hashed_shake128 ); -#[cfg(feature = "simd128")] +#[cfg(all(feature = "simd128", feature = "mldsa44"))] impl_nist_known_answer_tests!( nist_known_answer_tests_44_simd128, nist_known_answer_tests_pre_hashed_44_simd128, @@ -154,7 +156,7 @@ impl_nist_known_answer_tests!( libcrux_ml_dsa::ml_dsa_44::verify_pre_hashed_shake128 ); -#[cfg(feature = "simd256")] +#[cfg(all(feature = "simd256", feature = "mldsa44"))] impl_nist_known_answer_tests!( nist_known_answer_tests_44_simd256, nist_known_answer_tests_pre_hashed_44_simd256, @@ -167,7 +169,7 @@ impl_nist_known_answer_tests!( ); // 65 - +#[cfg(feature = "mldsa65")] impl_nist_known_answer_tests!( nist_known_answer_tests_65, nist_known_answer_tests_pre_hashed_65, @@ -180,7 +182,7 @@ impl_nist_known_answer_tests!( ); // 87 - +#[cfg(feature = "mldsa87")] impl_nist_known_answer_tests!( nist_known_answer_tests_87, nist_known_answer_tests_pre_hashed_87, diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs index 45033ab98..b3b3b0a5c 100644 --- a/libcrux-sha3/src/lib.rs +++ b/libcrux-sha3/src/lib.rs @@ -319,6 +319,7 @@ pub mod portable { /// Shake256 XOF in absorb state impl Xof<136> for Shake256Xof { /// Shake256 new state + #[inline(always)] fn new() -> Self { Self { state: KeccakXofState::<1, 136, u64>::new(), @@ -326,16 +327,19 @@ pub mod portable { } /// Shake256 absorb + #[inline(always)] fn absorb(&mut self, input: &[u8]) { self.state.absorb([input]); } /// Shake256 absorb final + #[inline(always)] fn absorb_final(&mut self, input: &[u8]) { self.state.absorb_final::<0x1fu8>([input]); } /// Shake256 squeeze + #[inline(always)] fn squeeze(&mut self, out: &mut [u8]) { self.state.squeeze([out]); } diff --git a/macros/Cargo.toml b/macros/Cargo.toml index 26501a724..66e41f786 100644 --- a/macros/Cargo.toml +++ b/macros/Cargo.toml @@ -13,6 +13,8 @@ readme.workspace = true # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] +quote = "1.0.37" +syn = { version = "2.0.89", features = ["full"] } [lib] proc-macro = true diff --git a/macros/src/lib.rs b/macros/src/lib.rs index 0228f0cfb..335d66577 100644 --- a/macros/src/lib.rs +++ b/macros/src/lib.rs @@ -3,9 +3,7 @@ use proc_macro::{Delimiter, TokenStream, TokenTree}; use quote::quote; use std::collections::HashMap; -use syn::{ - parse_macro_input, Ident, ItemFn, Stmt -}; +use syn::{parse_macro_input, Attribute, Ident, ItemFn, Stmt}; fn skip_comma>(ts: &mut T) { match ts.next() { @@ -69,7 +67,7 @@ pub fn consts(args: TokenStream, item: TokenStream) -> TokenStream { // #[my_consts( // v4x4{const X: usize = 4; const Y: usize = 4;}, // v6x5{const X: usize = 5; const Y: usize = 6;}, - // derived { + // derived { // optional - shold be in function // const Z: usize = X + Y; // } // )] @@ -91,18 +89,28 @@ pub fn consts(args: TokenStream, item: TokenStream) -> TokenStream { syn::braced!(content in meta.input); let mut const_vec = Vec::new(); + let mut attributes: Option> = None; while !content.is_empty() { + // There may be a config flag here. + if let Ok(new_attributes) = Attribute::parse_outer(&content) { + if let Some(attributes) = &mut attributes { + attributes.extend(new_attributes); + } else { + attributes = Some(new_attributes); + } + } + const_vec.push(content.parse::().unwrap()); } - variants_map.insert(quote! {#ident}.to_string(), const_vec); + variants_map.insert(quote! {#ident}.to_string(), (attributes, const_vec)); Ok(()) }); parse_macro_input!(args with parser); let mut expanded = quote! {}; - for (variant, consts) in variants_map.iter() { + for (variant, (attributes, consts)) in variants_map.iter() { // add the variant at the end of the function name let mut this_sig = sig.clone(); this_sig.ident = Ident::new( @@ -110,10 +118,23 @@ pub fn consts(args: TokenStream, item: TokenStream) -> TokenStream { this_sig.ident.span(), ); + let mut attribute_tokens = quote! {}; + if let Some(av) = attributes { + for a in av { + attribute_tokens.extend(quote! { + #a + }); + } + } + let fun = quote! { + #attribute_tokens #(#attrs)* #vis #this_sig { - #(#consts)* + #( + #attribute_tokens + #consts + )* #(#derived_const_vec)* #block diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst index 2ddf180ff..fa4428704 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst @@ -4,7 +4,7 @@ open Core open FStar.Mul let t_Feature_cast_to_repr (x: t_Feature) = - match x with + match x <: t_Feature with | Feature_mmx -> isz 0 | Feature_sse -> isz 1 | Feature_sse2 -> isz 3 From 21b44ef063b77e1cfdf8bd6e16ea8889de7ec0bb Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Thu, 2 Jan 2025 16:56:12 +0100 Subject: [PATCH 29/58] Macro cleanup --- macros/src/lib.rs | 40 +++++++++++++++++----------------------- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/macros/src/lib.rs b/macros/src/lib.rs index 335d66577..595f5403a 100644 --- a/macros/src/lib.rs +++ b/macros/src/lib.rs @@ -50,6 +50,19 @@ pub fn unroll_for(ts: TokenStream) -> TokenStream { // "{ let i = 0; println!(\"FROM MACRO{}\", i); }".parse().unwrap() } +/// For an annotated function `f`, parse an attribute list of the type +/// ``` +/// #[consts( +/// variant_a{const X: usize = 4; const Y: usize = 4;}, +/// variant_b{const X: usize = 5; const Y: usize = 6;}, +/// ... +/// )] +/// ``` +/// and generate variants `f_variant_a`, `f_variant_b` of `f` with the given +/// constants injected into the function as constants. The variant +/// attribute lists can in turn contain attributes, +/// e.g. `#[cfg(feature = "variant_a")]`, which will be applied to the +/// generated function variant. #[proc_macro_attribute] pub fn consts(args: TokenStream, item: TokenStream) -> TokenStream { let ItemFn { @@ -61,30 +74,15 @@ pub fn consts(args: TokenStream, item: TokenStream) -> TokenStream { } = parse_macro_input!(item as ItemFn); let mut variants_map: HashMap = HashMap::new(); - let mut derived_const_vec = Vec::new(); // Parse an attribute list of the type - // #[my_consts( - // v4x4{const X: usize = 4; const Y: usize = 4;}, - // v6x5{const X: usize = 5; const Y: usize = 6;}, - // derived { // optional - shold be in function - // const Z: usize = X + Y; - // } + // #[consts( + // v44{const X: usize = 4; const Y: usize = 4;}, + // v44{const X: usize = 4; const Y: usize = 4;}, // )] let parser = syn::meta::parser(|meta| { let ident = meta.path.clone(); - if ident.get_ident().unwrap().to_string() == "derived" { - let content; - syn::braced!(content in meta.input); - - while !content.is_empty() { - derived_const_vec.push(content.parse::().unwrap()); - } - - return Ok(()); - } - let content; syn::braced!(content in meta.input); @@ -131,11 +129,7 @@ pub fn consts(args: TokenStream, item: TokenStream) -> TokenStream { #attribute_tokens #(#attrs)* #vis #this_sig { - #( - #attribute_tokens - #consts - )* - #(#derived_const_vec)* + #(#consts)* #block } From 0ca470dd30849d83adb8fe36fc857b5b4c0e66ec Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Thu, 2 Jan 2025 16:57:22 +0100 Subject: [PATCH 30/58] Avoid const generics in signing --- libcrux-ml-dsa/src/arithmetic.rs | 19 ++-- libcrux-ml-dsa/src/encoding/commitment.rs | 16 +-- libcrux-ml-dsa/src/encoding/error.rs | 19 +--- libcrux-ml-dsa/src/encoding/gamma1.rs | 22 ++-- libcrux-ml-dsa/src/encoding/signature.rs | 91 ++++++++-------- libcrux-ml-dsa/src/encoding/t0.rs | 4 +- libcrux-ml-dsa/src/matrix.rs | 22 ++-- libcrux-ml-dsa/src/ml_dsa_generic.rs | 103 +++++++++--------- libcrux-ml-dsa/src/sample.rs | 41 ++++--- libcrux-ml-dsa/src/simd/avx2.rs | 22 ++-- libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 6 +- .../src/simd/avx2/encoding/gamma1.rs | 8 +- libcrux-ml-dsa/src/simd/portable.rs | 21 ++-- .../src/simd/portable/arithmetic.rs | 11 +- .../src/simd/portable/encoding/gamma1.rs | 11 +- .../src/simd/portable/encoding/t0.rs | 2 +- libcrux-ml-dsa/src/simd/tests.rs | 4 +- libcrux-ml-dsa/src/simd/traits.rs | 11 +- 18 files changed, 213 insertions(+), 220 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index b39302a52..f85844180 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -4,8 +4,8 @@ use crate::{ }; #[inline(always)] -pub(crate) fn vector_infinity_norm_exceeds( - vector: &[PolynomialRingElement; DIMENSION], +pub(crate) fn vector_infinity_norm_exceeds( + vector: &[PolynomialRingElement], bound: i32, ) -> bool { let mut result = false; @@ -42,14 +42,17 @@ pub(crate) fn power2round_vector( } #[inline(always)] -pub(crate) fn decompose_vector( - t: &[PolynomialRingElement; DIMENSION], - low: &mut [PolynomialRingElement; DIMENSION], - high: &mut [PolynomialRingElement; DIMENSION], +pub(crate) fn decompose_vector( + dimension: usize, + gamma2: i32, + t: &[PolynomialRingElement], + low: &mut [PolynomialRingElement], + high: &mut [PolynomialRingElement], ) { - for i in 0..DIMENSION { + for i in 0..dimension { for j in 0..low[0].simd_units.len() { - SIMDUnit::decompose::( + SIMDUnit::decompose( + gamma2, &t[i].simd_units[j], &mut low[i].simd_units[j], &mut high[i].simd_units[j], diff --git a/libcrux-ml-dsa/src/encoding/commitment.rs b/libcrux-ml-dsa/src/encoding/commitment.rs index 90f661046..324c4879b 100644 --- a/libcrux-ml-dsa/src/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/encoding/commitment.rs @@ -16,21 +16,17 @@ fn serialize(re: &PolynomialRingElement, seriali } #[inline(always)] -pub(crate) fn serialize_vector< - SIMDUnit: Operations, - const DIMENSION: usize, - const RING_ELEMENT_SIZE: usize, - const OUTPUT_SIZE: usize, ->( - vector: &[PolynomialRingElement; DIMENSION], - serialized: &mut [u8; OUTPUT_SIZE], +pub(crate) fn serialize_vector( + ring_element_size: usize, + vector: &[PolynomialRingElement], + serialized: &mut [u8], ) { let mut offset: usize = 0; cloop! { for ring_element in vector.iter() { - serialize::(ring_element, &mut serialized[offset..offset + RING_ELEMENT_SIZE]); - offset += RING_ELEMENT_SIZE; + serialize::(ring_element, &mut serialized[offset..offset + ring_element_size]); + offset += ring_element_size; } } } diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index e6b415c98..6c350e945 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -52,23 +52,14 @@ fn deserialize( } #[inline(always)] -pub(crate) fn deserialize_to_vector_then_ntt< - SIMDUnit: Operations, - const DIMENSION: usize, - const ETA: usize, - const RING_ELEMENT_SIZE: usize, ->( +pub(crate) fn deserialize_to_vector_then_ntt( + eta: Eta, + ring_element_size: usize, serialized: &[u8], - ring_elements: &mut [PolynomialRingElement; DIMENSION], + ring_elements: &mut [PolynomialRingElement], ) { - let eta = match ETA { - 2 => Eta::Two, - 4 => Eta::Four, - _ => unreachable!(), - }; - cloop! { - for (i, bytes) in serialized.chunks_exact(RING_ELEMENT_SIZE).enumerate() { + for (i, bytes) in serialized.chunks_exact(ring_element_size).enumerate() { deserialize::(eta, bytes, &mut ring_elements[i]); ntt(&mut ring_elements[i]); } diff --git a/libcrux-ml-dsa/src/encoding/gamma1.rs b/libcrux-ml-dsa/src/encoding/gamma1.rs index 1d5530c44..ec832642e 100644 --- a/libcrux-ml-dsa/src/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/encoding/gamma1.rs @@ -1,15 +1,17 @@ use crate::{helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations}; #[inline(always)] -pub(crate) fn serialize( +pub(crate) fn serialize( re: PolynomialRingElement, serialized: &mut [u8], // OUTPUT_BYTES + gamma1_exponent: usize, ) { cloop! { for (i, simd_unit) in re.simd_units.iter().enumerate() { - SIMDUnit::gamma1_serialize::( + SIMDUnit::gamma1_serialize( simd_unit, - &mut serialized[i * (GAMMA1_EXPONENT + 1)..(i + 1) * (GAMMA1_EXPONENT + 1)], + &mut serialized[i * (gamma1_exponent + 1)..(i + 1) * (gamma1_exponent + 1)], + gamma1_exponent ); } } @@ -17,14 +19,16 @@ pub(crate) fn serialize( } #[inline(always)] -pub(crate) fn deserialize( +pub(crate) fn deserialize( + gamma1_exponent: usize, serialized: &[u8], result: &mut PolynomialRingElement, ) { for i in 0..result.simd_units.len() { - SIMDUnit::gamma1_deserialize::( - &serialized[i * (GAMMA1_EXPONENT + 1)..(i + 1) * (GAMMA1_EXPONENT + 1)], + SIMDUnit::gamma1_deserialize( + &serialized[i * (gamma1_exponent + 1)..(i + 1) * (gamma1_exponent + 1)], &mut result.simd_units[i], + gamma1_exponent, ); } () @@ -106,7 +110,7 @@ mod tests { ]; let mut result = [0u8; 640]; - serialize::(re, &mut result); + serialize::(re, &mut result, 19); assert_eq!(result, expected_bytes); } @@ -173,7 +177,7 @@ mod tests { ]; let mut result = PolynomialRingElement::::zero(); - deserialize::(&bytes, &mut result); + deserialize::(17, &bytes, &mut result); assert_eq!(result.to_i32_array(), expected_coefficients); let bytes: [u8; 640] = [ @@ -243,7 +247,7 @@ mod tests { ]; let mut result = PolynomialRingElement::::zero(); - deserialize::(&bytes, &mut result); + deserialize::(19, &bytes, &mut result); assert_eq!(result.to_i32_array(), expected_coefficients); } diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index c8e9be9ee..0864e6107 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -3,6 +3,52 @@ use crate::{ simd::traits::Operations, VerificationError, }; +#[inline(always)] +pub(crate) fn serialize( + commitment_hash: &[u8], + signer_response: &[PolynomialRingElement], + hint: &[[i32; COEFFICIENTS_IN_RING_ELEMENT]], + commitment_hash_size: usize, + columns_in_a: usize, + rows_in_a: usize, + gamma1_exponent: usize, + gamma1_ring_element_size: usize, + max_ones_in_hint: usize, + signature: &mut [u8], +) { + let mut offset = 0; + + signature[offset..offset + commitment_hash_size].copy_from_slice(commitment_hash); + offset += commitment_hash_size; + + for i in 0..columns_in_a { + encoding::gamma1::serialize::( + signer_response[i], + &mut signature[offset..offset + gamma1_ring_element_size], + gamma1_exponent, + ); + offset += gamma1_ring_element_size; + } + + let mut true_hints_seen = 0; + + // Unfortunately the following does not go through hax: + // + // let hint_serialized = &mut signature[offset..]; + // + // Instead, we have to mutate signature[offset + ..] directly. + for i in 0..rows_in_a { + // for (j, hint) in self.hint[i].into_iter().enumerate() { + for j in 0..hint[i].len() { + if hint[i][j] == 1 { + signature[offset + true_hints_seen] = j as u8; + true_hints_seen += 1; + } + } + signature[offset + max_ones_in_hint + i] = true_hints_seen as u8; + } +} + /// A signature /// /// This is only an internal type. @@ -24,48 +70,6 @@ impl< const ROWS_IN_A: usize, > Signature { - #[inline(always)] - pub(crate) fn serialize< - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const MAX_ONES_IN_HINT: usize, - const SIGNATURE_SIZE: usize, - >( - &self, - signature: &mut [u8; SIGNATURE_SIZE], - ) { - let mut offset = 0; - - signature[offset..offset + COMMITMENT_HASH_SIZE].copy_from_slice(&self.commitment_hash); - offset += COMMITMENT_HASH_SIZE; - - for i in 0..COLUMNS_IN_A { - encoding::gamma1::serialize::( - self.signer_response[i], - &mut signature[offset..offset + GAMMA1_RING_ELEMENT_SIZE], - ); - offset += GAMMA1_RING_ELEMENT_SIZE; - } - - let mut true_hints_seen = 0; - - // Unfortunately the following does not go through hax: - // - // let hint_serialized = &mut signature[offset..]; - // - // Instead, we have to mutate signature[offset + ..] directly. - for i in 0..ROWS_IN_A { - // for (j, hint) in self.hint[i].into_iter().enumerate() { - for j in 0..self.hint[i].len() { - if self.hint[i][j] == 1 { - signature[offset + true_hints_seen] = j as u8; - true_hints_seen += 1; - } - } - signature[offset + MAX_ONES_IN_HINT + i] = true_hints_seen as u8; - } - } - #[inline(always)] pub(crate) fn deserialize< const GAMMA1_EXPONENT: usize, @@ -83,7 +87,8 @@ impl< let mut signer_response = [PolynomialRingElement::::zero(); COLUMNS_IN_A]; for i in 0..COLUMNS_IN_A { - encoding::gamma1::deserialize::( + encoding::gamma1::deserialize::( + GAMMA1_EXPONENT, &signer_response_serialized [i * GAMMA1_RING_ELEMENT_SIZE..(i + 1) * GAMMA1_RING_ELEMENT_SIZE], &mut signer_response[i], diff --git a/libcrux-ml-dsa/src/encoding/t0.rs b/libcrux-ml-dsa/src/encoding/t0.rs index 43c2c0b5a..156095b34 100644 --- a/libcrux-ml-dsa/src/encoding/t0.rs +++ b/libcrux-ml-dsa/src/encoding/t0.rs @@ -37,9 +37,9 @@ fn deserialize( } #[inline(always)] -pub(crate) fn deserialize_to_vector_then_ntt( +pub(crate) fn deserialize_to_vector_then_ntt( serialized: &[u8], - ring_elements: &mut [PolynomialRingElement; DIMENSION], + ring_elements: &mut [PolynomialRingElement], ) { cloop! { for (i, bytes) in serialized.chunks_exact(RING_ELEMENT_OF_T0S_SIZE).enumerate() { diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index cf247d517..c32d7e257 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -49,8 +49,8 @@ pub(crate) fn compute_matrix_x_mask( } #[inline(always)] -pub(crate) fn vector_times_ring_element( - vector: &mut [PolynomialRingElement; DIMENSION], +pub(crate) fn vector_times_ring_element( + vector: &mut [PolynomialRingElement], ring_element: &PolynomialRingElement, ) { for i in 0..vector.len() { @@ -60,21 +60,23 @@ pub(crate) fn vector_times_ring_element( - lhs: &mut [PolynomialRingElement; DIMENSION], - rhs: &[PolynomialRingElement; DIMENSION], +pub(crate) fn add_vectors( + dimension: usize, + lhs: &mut [PolynomialRingElement], + rhs: &[PolynomialRingElement], ) { - for i in 0..DIMENSION { + for i in 0..dimension { PolynomialRingElement::::add(&mut lhs[i], &rhs[i]); } } #[inline(always)] -pub(crate) fn subtract_vectors( - lhs: &mut [PolynomialRingElement; DIMENSION], - rhs: &[PolynomialRingElement; DIMENSION], +pub(crate) fn subtract_vectors( + dimension: usize, + lhs: &mut [PolynomialRingElement], + rhs: &[PolynomialRingElement], ) { - for i in 0..DIMENSION { + for i in 0..dimension { PolynomialRingElement::::subtract(&mut lhs[i], &rhs[i]); } } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 8702b7ab4..3e53f2b1d 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -265,6 +265,7 @@ pub(crate) fn sign< /// /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. + #[inline(always)] pub(crate) fn sign_internal< SIMDUnit: Operations, @@ -294,6 +295,11 @@ pub(crate) fn sign_internal< domain_separation_context: Option, randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { + let eta = match ETA { + 2 => Eta::Two, + 4 => Eta::Four, + _ => unreachable!(), + }; // Split the signing key into its parts. let (seed_for_a, remaining_serialized) = signing_key.split_at(SEED_FOR_A_SIZE); let (seed_for_signing, remaining_serialized) = @@ -311,22 +317,19 @@ pub(crate) fn sign_internal< let mut s2_as_ntt = [PolynomialRingElement::zero(); ROWS_IN_A]; let mut t0_as_ntt = [PolynomialRingElement::zero(); ROWS_IN_A]; - encoding::error::deserialize_to_vector_then_ntt::< - SIMDUnit, - COLUMNS_IN_A, - ETA, + encoding::error::deserialize_to_vector_then_ntt::( + eta, ERROR_RING_ELEMENT_SIZE, - >(s1_serialized, &mut s1_as_ntt); - encoding::error::deserialize_to_vector_then_ntt::< - SIMDUnit, - ROWS_IN_A, - ETA, + s1_serialized, + &mut s1_as_ntt, + ); + encoding::error::deserialize_to_vector_then_ntt::( + eta, ERROR_RING_ELEMENT_SIZE, - >(s2_serialized, &mut s2_as_ntt); - encoding::t0::deserialize_to_vector_then_ntt::( - t0_serialized, - &mut t0_as_ntt, + s2_serialized, + &mut s2_as_ntt, ); + encoding::t0::deserialize_to_vector_then_ntt::(t0_serialized, &mut t0_as_ntt); // Sample matrix A. let mut matrix = [PolynomialRingElement::::zero(); ROWS_X_COLUMNS]; @@ -373,7 +376,9 @@ pub(crate) fn sign_internal< let mut w0 = [PolynomialRingElement::zero(); ROWS_IN_A]; let mut commitment = [PolynomialRingElement::zero(); ROWS_IN_A]; - sample_mask_vector::( + sample_mask_vector::( + COLUMNS_IN_A, + GAMMA1_EXPONENT, &mask_seed, &mut domain_separator_for_mask, &mut mask, @@ -392,18 +397,17 @@ pub(crate) fn sign_internal< &mask_ntt, &mut a_x_mask, ); - decompose_vector::(&a_x_mask, &mut w0, &mut commitment); + decompose_vector::(ROWS_IN_A, GAMMA2, &a_x_mask, &mut w0, &mut commitment); } let mut commitment_hash_candidate = [0; COMMITMENT_HASH_SIZE]; { let mut commitment_serialized = [0u8; COMMITMENT_VECTOR_SIZE]; - encoding::commitment::serialize_vector::< - SIMDUnit, - ROWS_IN_A, + encoding::commitment::serialize_vector::( COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - >(&commitment, &mut commitment_serialized); + &commitment, + &mut commitment_serialized, + ); let mut shake = Shake256Xof::init(); shake.absorb(&message_representative); @@ -425,42 +429,29 @@ pub(crate) fn sign_internal< let mut challenge_times_s1 = s1_as_ntt.clone(); let mut challenge_times_s2 = s2_as_ntt.clone(); - vector_times_ring_element::( - &mut challenge_times_s1, - &verifier_challenge, - ); - vector_times_ring_element::( - &mut challenge_times_s2, - &verifier_challenge, - ); + vector_times_ring_element::(&mut challenge_times_s1, &verifier_challenge); + vector_times_ring_element::(&mut challenge_times_s2, &verifier_challenge); - add_vectors::(&mut mask, &challenge_times_s1); - subtract_vectors::(&mut w0, &challenge_times_s2); + add_vectors::(COLUMNS_IN_A, &mut mask, &challenge_times_s1); + subtract_vectors::(ROWS_IN_A, &mut w0, &challenge_times_s2); - if vector_infinity_norm_exceeds::( - &mask, - (1 << GAMMA1_EXPONENT) - beta, - ) { + if vector_infinity_norm_exceeds::(&mask, (1 << GAMMA1_EXPONENT) - beta) { // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { - if vector_infinity_norm_exceeds::(&w0, GAMMA2 - beta) { + if vector_infinity_norm_exceeds::(&w0, GAMMA2 - beta) { // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { // We need to clone here in case we need t0_as_ntt again in another iteration // of the loop. let mut challenge_times_t0 = t0_as_ntt.clone(); - vector_times_ring_element::( - &mut challenge_times_t0, - &verifier_challenge, - ); - if vector_infinity_norm_exceeds::(&challenge_times_t0, GAMMA2) - { + vector_times_ring_element::(&mut challenge_times_t0, &verifier_challenge); + if vector_infinity_norm_exceeds::(&challenge_times_t0, GAMMA2) { // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { - add_vectors::(&mut w0, &challenge_times_t0); + add_vectors::(ROWS_IN_A, &mut w0, &challenge_times_t0); let mut hint_candidate = [[0; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A]; let ones_in_hint = make_hint::( &w0, @@ -498,12 +489,17 @@ pub(crate) fn sign_internal< }; let mut signature = [0u8; SIGNATURE_SIZE]; - Signature:: { - commitment_hash, - signer_response, - hint, - } - .serialize::( + + encoding::signature::serialize::( + &commitment_hash, + &signer_response, + &hint, + COMMITMENT_HASH_SIZE, + COLUMNS_IN_A, + ROWS_IN_A, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + MAX_ONES_IN_HINT, &mut signature, ); @@ -610,7 +606,7 @@ pub(crate) fn verify_internal< }; // We use if-else branches because early returns will not go through hax. - if vector_infinity_norm_exceeds::( + if vector_infinity_norm_exceeds::( &signature.signer_response, (2 << GAMMA1_EXPONENT) - BETA, ) { @@ -657,12 +653,11 @@ pub(crate) fn verify_internal< { use_hint::(signature.hint, &mut t1); let mut commitment_serialized = [0u8; COMMITMENT_VECTOR_SIZE]; - encoding::commitment::serialize_vector::< - SIMDUnit, - ROWS_IN_A, + encoding::commitment::serialize_vector::( COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - >(&t1, &mut commitment_serialized); + &t1, + &mut commitment_serialized, + ); let mut shake = Shake256Xof::init(); shake.absorb(&message_representative); diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 93ce7eb60..7c0c35f5e 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -347,24 +347,21 @@ pub(crate) fn sample_four_error_ring_elements( +fn sample_mask_ring_element( seed: &[u8; 66], result: &mut PolynomialRingElement, + gamma1_exponent: usize, ) { - match GAMMA1_EXPONENT as u8 { + match gamma1_exponent as u8 { 17 => { let mut out = [0u8; 576]; Shake256::shake256::<576>(seed, &mut out); - encoding::gamma1::deserialize::(&out, result); + encoding::gamma1::deserialize::(gamma1_exponent, &out, result); } 19 => { let mut out = [0u8; 640]; Shake256::shake256::<640>(seed, &mut out); - encoding::gamma1::deserialize::(&out, result); + encoding::gamma1::deserialize::(gamma1_exponent, &out, result); } _ => unreachable!(), } @@ -375,15 +372,15 @@ pub(crate) fn sample_mask_vector< SIMDUnit: Operations, Shake256: shake256::DsaXof, Shake256X4: shake256::XofX4, - const DIMENSION: usize, - const GAMMA1_EXPONENT: usize, >( + dimension: usize, + gamma1_exponent: usize, seed: &[u8; 64], domain_separator: &mut u16, mask: &mut [PolynomialRingElement], ) { // DIMENSION is COLUMNS_IN_A - debug_assert!(DIMENSION == 4 || DIMENSION == 5 || DIMENSION == 7); + debug_assert!(dimension == 4 || dimension == 5 || dimension == 7); // So we can always sample 4 elements in one go first. let seed0 = add_error_domain_separator(seed, *domain_separator); @@ -392,7 +389,7 @@ pub(crate) fn sample_mask_vector< let seed3 = add_error_domain_separator(seed, *domain_separator + 3); *domain_separator += 4; - match GAMMA1_EXPONENT as u8 { + match gamma1_exponent as u8 { 17 => { let mut out0 = [0; 576]; let mut out1 = [0; 576]; @@ -401,10 +398,10 @@ pub(crate) fn sample_mask_vector< Shake256X4::shake256_x4( &seed0, &seed1, &seed2, &seed3, &mut out0, &mut out1, &mut out2, &mut out3, ); - encoding::gamma1::deserialize::(&out0, &mut mask[0]); - encoding::gamma1::deserialize::(&out1, &mut mask[1]); - encoding::gamma1::deserialize::(&out2, &mut mask[2]); - encoding::gamma1::deserialize::(&out3, &mut mask[3]); + encoding::gamma1::deserialize::(gamma1_exponent, &out0, &mut mask[0]); + encoding::gamma1::deserialize::(gamma1_exponent, &out1, &mut mask[1]); + encoding::gamma1::deserialize::(gamma1_exponent, &out2, &mut mask[2]); + encoding::gamma1::deserialize::(gamma1_exponent, &out3, &mut mask[3]); } 19 => { let mut out0 = [0; 640]; @@ -414,21 +411,21 @@ pub(crate) fn sample_mask_vector< Shake256X4::shake256_x4( &seed0, &seed1, &seed2, &seed3, &mut out0, &mut out1, &mut out2, &mut out3, ); - encoding::gamma1::deserialize::(&out0, &mut mask[0]); - encoding::gamma1::deserialize::(&out1, &mut mask[1]); - encoding::gamma1::deserialize::(&out2, &mut mask[2]); - encoding::gamma1::deserialize::(&out3, &mut mask[3]); + encoding::gamma1::deserialize::(gamma1_exponent, &out0, &mut mask[0]); + encoding::gamma1::deserialize::(gamma1_exponent, &out1, &mut mask[1]); + encoding::gamma1::deserialize::(gamma1_exponent, &out2, &mut mask[2]); + encoding::gamma1::deserialize::(gamma1_exponent, &out3, &mut mask[3]); } _ => unreachable!(), } #[allow(clippy::needless_range_loop)] - for i in 4..DIMENSION { + for i in 4..dimension { let seed = add_error_domain_separator(seed, *domain_separator); *domain_separator += 1; // TODO: For 87 we may want to do another 4 and discard 1. - sample_mask_ring_element::(&seed, &mut mask[i]); + sample_mask_ring_element::(&seed, &mut mask[i], gamma1_exponent); } } diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index ae86e1f22..9a5a37e8a 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -1,4 +1,7 @@ -use crate::{constants::Eta, simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}}; +use crate::{ + constants::Eta, + simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}, +}; mod arithmetic; mod encoding; @@ -58,12 +61,13 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn decompose( + fn decompose( + gamma2: i32, simd_unit: &Self::Coefficient, low: &mut Self::Coefficient, high: &mut Self::Coefficient, ) { - arithmetic::decompose::(simd_unit, low, high); + arithmetic::decompose(gamma2, simd_unit, low, high); } #[inline(always)] @@ -96,18 +100,16 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn gamma1_serialize( + fn gamma1_serialize( simd_unit: &Self::Coefficient, serialized: &mut [u8], + gamma1_exponent: usize, ) { - encoding::gamma1::serialize::(simd_unit, serialized) + encoding::gamma1::serialize(simd_unit, serialized, gamma1_exponent) } #[inline(always)] - fn gamma1_deserialize( - serialized: &[u8], - out: &mut Self::Coefficient, - ) { - encoding::gamma1::deserialize::(serialized, out); + fn gamma1_deserialize(serialized: &[u8], out: &mut Self::Coefficient, gamma1_exponent: usize) { + encoding::gamma1::deserialize(serialized, out, gamma1_exponent); } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index 88e1927d8..ced6107e0 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -121,7 +121,7 @@ pub(super) fn power2round(r0: &mut Vec256, r1: &mut Vec256) { #[allow(non_snake_case)] #[inline(always)] -pub(super) fn decompose(r: &Vec256, r0: &mut Vec256, r1: &mut Vec256) { +pub(super) fn decompose(gamma2: i32, r: &Vec256, r0: &mut Vec256, r1: &mut Vec256) { let mut r = r.clone(); to_unsigned_representatives(&mut r); @@ -129,7 +129,7 @@ pub(super) fn decompose(r: &Vec256, r0: &mut Vec256, r1: &mut // When const-generic expressions are available, this could be turned into a // const value. - let ALPHA: i32 = GAMMA2 * 2; + let ALPHA: i32 = gamma2 * 2; *r1 = { let ceil_of_r_by_128 = mm256_add_epi32(r, mm256_set1_epi32(127)); @@ -212,7 +212,7 @@ pub(super) fn compute_hint( #[inline(always)] pub(super) fn use_hint(r: &Vec256, hint: &mut Vec256) { let (mut r0, mut r1) = (zero(), zero()); - decompose::(r, &mut r0, &mut r1); + decompose(GAMMA2, r, &mut r0, &mut r1); let all_zeros = mm256_setzero_si256(); diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs index bed98d7e3..7d6ddcfc5 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs @@ -61,8 +61,8 @@ fn serialize_when_gamma1_is_2_pow_19(simd_unit: &Vec256, out: &mut [u8]) { } #[inline(always)] -pub(crate) fn serialize(simd_unit: &Vec256, serialized: &mut [u8]) { - match GAMMA1_EXPONENT as u8 { +pub(crate) fn serialize(simd_unit: &Vec256, serialized: &mut [u8], gamma1_exponent: usize) { + match gamma1_exponent as u8 { 17 => serialize_when_gamma1_is_2_pow_17(simd_unit, serialized), 19 => serialize_when_gamma1_is_2_pow_19(simd_unit, serialized), _ => unreachable!(), @@ -126,8 +126,8 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8], out: &mut Vec256) { } #[inline(always)] -pub(crate) fn deserialize(serialized: &[u8], out: &mut Vec256) { - match GAMMA1_EXPONENT as u8 { +pub(crate) fn deserialize(serialized: &[u8], out: &mut Vec256, gamma1_exponent: usize) { + match gamma1_exponent as u8 { 17 => deserialize_when_gamma1_is_2_pow_17(serialized, out), 19 => deserialize_when_gamma1_is_2_pow_19(serialized, out), _ => unreachable!(), diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index b9359427d..69a5f07a0 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -1,4 +1,7 @@ -use crate::{constants::Eta, simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}}; +use crate::{ + constants::Eta, + simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}, +}; mod arithmetic; mod vector_type; @@ -51,12 +54,13 @@ impl Operations for PortableSIMDUnit { arithmetic::infinity_norm_exceeds(simd_unit, bound) } - fn decompose( + fn decompose( + gamma2: i32, simd_unit: &Self::Coefficient, low: &mut Self::Coefficient, high: &mut Self::Coefficient, ) { - arithmetic::decompose::(simd_unit, low, high) + arithmetic::decompose(gamma2, simd_unit, low, high) } fn compute_hint( @@ -83,15 +87,12 @@ impl Operations for PortableSIMDUnit { sample::rejection_sample_less_than_eta_equals_4(randomness, out) } - fn gamma1_serialize( - simd_unit: &Coefficients, - serialized: &mut [u8], - ) { - encoding::gamma1::serialize::(simd_unit, serialized) + fn gamma1_serialize(simd_unit: &Coefficients, serialized: &mut [u8], gamma1_exponent: usize) { + encoding::gamma1::serialize(simd_unit, serialized, gamma1_exponent) } - fn gamma1_deserialize(serialized: &[u8], out: &mut Coefficients) { - encoding::gamma1::deserialize::(serialized, out) + fn gamma1_deserialize(serialized: &[u8], out: &mut Coefficients, gamma1_exponent: usize) { + encoding::gamma1::deserialize(serialized, out, gamma1_exponent) } fn commitment_serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 4dd2482c8..584af66be 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -182,13 +182,13 @@ pub(super) fn compute_hint( // // Note that 0 ≤ r₁ < (q-1)/α. #[inline(always)] -fn decompose_element(r: i32) -> (i32, i32) { +fn decompose_element(gamma2: i32, r: i32) -> (i32, i32) { debug_assert!(r > -FIELD_MODULUS && r < FIELD_MODULUS); // Convert the signed representative to the standard unsigned one. let r = r + ((r >> 31) & FIELD_MODULUS); - let alpha = GAMMA2 * 2; + let alpha = gamma2 * 2; let r1 = { // Compute ⌈r / 128⌉ @@ -227,7 +227,7 @@ fn decompose_element(r: i32) -> (i32, i32) { #[inline(always)] pub(crate) fn use_one_hint(r: i32, hint: i32) -> i32 { - let (r0, r1) = decompose_element::(r); + let (r0, r1) = decompose_element(GAMMA2, r); if hint == 0 { return r1; @@ -261,13 +261,14 @@ pub(crate) fn use_one_hint(r: i32, hint: i32) -> i32 { } #[inline(always)] -pub fn decompose( +pub fn decompose( + gamma2: i32, simd_unit: &Coefficients, low: &mut Coefficients, high: &mut Coefficients, ) { for i in 0..low.len() { - (low[i], high[i]) = decompose_element::(simd_unit[i]); + (low[i], high[i]) = decompose_element(gamma2, simd_unit[i]); } } diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs index 77f86dca5..1dfb5c952 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs @@ -57,11 +57,8 @@ fn serialize_when_gamma1_is_2_pow_19(simd_unit: &Coefficients, serialized: &mut } #[inline(always)] -pub(crate) fn serialize( - simd_unit: &Coefficients, - serialized: &mut [u8], -) { - match GAMMA1_EXPONENT as u8 { +pub(crate) fn serialize(simd_unit: &Coefficients, serialized: &mut [u8], gamma1_exponent: usize) { + match gamma1_exponent as u8 { 17 => serialize_when_gamma1_is_2_pow_17(simd_unit, serialized), 19 => serialize_when_gamma1_is_2_pow_19(simd_unit, serialized), _ => unreachable!(), @@ -133,8 +130,8 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8], simd_unit: &mut Coeffi } } #[inline(always)] -pub(crate) fn deserialize(serialized: &[u8], out: &mut Coefficients) { - match GAMMA1_EXPONENT as u8 { +pub(crate) fn deserialize(serialized: &[u8], out: &mut Coefficients, gamma1_exponent: usize) { + match gamma1_exponent as u8 { 17 => deserialize_when_gamma1_is_2_pow_17(serialized, out), 19 => deserialize_when_gamma1_is_2_pow_19(serialized, out), _ => unreachable!(), diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs index fff245cc7..9a55a2015 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs @@ -10,7 +10,7 @@ fn change_t0_interval(t0: i32) -> i32 { #[inline(always)] pub fn serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { debug_assert!(serialized.len() == 13); - + let coefficient0 = change_t0_interval(simd_unit[0]); let coefficient1 = change_t0_interval(simd_unit[1]); let coefficient2 = change_t0_interval(simd_unit[2]); diff --git a/libcrux-ml-dsa/src/simd/tests.rs b/libcrux-ml-dsa/src/simd/tests.rs index d9c23a052..7b84e6eb0 100644 --- a/libcrux-ml-dsa/src/simd/tests.rs +++ b/libcrux-ml-dsa/src/simd/tests.rs @@ -14,7 +14,7 @@ fn test_decompose_generic() { let expected_high = [29, 28, 1, 43, 27, 29, 18, 21]; let (mut low, mut high) = (SIMDUnit::zero(), SIMDUnit::zero()); - SIMDUnit::decompose::<95_232>(&input, &mut low, &mut high); + SIMDUnit::decompose(95_232, &input, &mut low, &mut high); let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; SIMDUnit::to_coefficient_array(&low, &mut out); @@ -38,7 +38,7 @@ fn test_decompose_generic() { ]; let expected_high = [4, 14, 12, 15, 4, 0, 1, 4]; - SIMDUnit::decompose::<261_888>(&input, &mut low, &mut high); + SIMDUnit::decompose(261_888, &input, &mut low, &mut high); let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; SIMDUnit::to_coefficient_array(&low, &mut out); diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 63fea210a..14cb902cd 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -29,7 +29,8 @@ pub(crate) trait Operations: Copy + Clone { fn add(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient); fn subtract(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient); fn infinity_norm_exceeds(simd_unit: &Self::Coefficient, bound: i32) -> bool; - fn decompose( + fn decompose( + gamma2: i32, simd_unit: &Self::Coefficient, low: &mut Self::Coefficient, high: &mut Self::Coefficient, @@ -65,14 +66,12 @@ pub(crate) trait Operations: Copy + Clone { // Encoding operations // Gamma1 - fn gamma1_serialize( + fn gamma1_serialize( simd_unit: &Self::Coefficient, serialized: &mut [u8], + gamma1_exponent: usize, ); - fn gamma1_deserialize( - serialized: &[u8], - out: &mut Self::Coefficient, - ); + fn gamma1_deserialize(serialized: &[u8], out: &mut Self::Coefficient, gamma1_exponent: usize); // Commitment fn commitment_serialize(simd_unit: &Self::Coefficient, serialized: &mut [u8]); From 83ffae727d408f7744026e0905812a98e074de4d Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Thu, 2 Jan 2025 21:38:57 +0100 Subject: [PATCH 31/58] Avoid const generics in verification --- libcrux-ml-dsa/src/encoding/signature.rs | 147 ++++++++---------- .../src/encoding/verification_key.rs | 14 +- libcrux-ml-dsa/src/ml_dsa_generic.rs | 43 ++--- 3 files changed, 93 insertions(+), 111 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index 0864e6107..258b96aa7 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -49,108 +49,87 @@ pub(crate) fn serialize( } } -/// A signature -/// -/// This is only an internal type. -pub(crate) struct Signature< +#[inline(always)] +pub(crate) fn deserialize< SIMDUnit: Operations, - const COMMITMENT_HASH_SIZE: usize, const COLUMNS_IN_A: usize, const ROWS_IN_A: usize, -> { - pub(crate) commitment_hash: [u8; COMMITMENT_HASH_SIZE], - pub(crate) signer_response: [PolynomialRingElement; COLUMNS_IN_A], - pub(crate) hint: [[i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A], -} - -impl< - SIMDUnit: Operations, - const COMMITMENT_HASH_SIZE: usize, - const COLUMNS_IN_A: usize, - const ROWS_IN_A: usize, - > Signature -{ - #[inline(always)] - pub(crate) fn deserialize< - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const MAX_ONES_IN_HINT: usize, - const SIGNATURE_SIZE: usize, - >( - serialized: &[u8; SIGNATURE_SIZE], - signature: &mut Self, - ) -> Result<(), VerificationError> { - let (commitment_hash, rest_of_serialized) = serialized.split_at(COMMITMENT_HASH_SIZE); - let (signer_response_serialized, hint_serialized) = - rest_of_serialized.split_at(GAMMA1_RING_ELEMENT_SIZE * COLUMNS_IN_A); - - let mut signer_response = [PolynomialRingElement::::zero(); COLUMNS_IN_A]; - - for i in 0..COLUMNS_IN_A { - encoding::gamma1::deserialize::( - GAMMA1_EXPONENT, - &signer_response_serialized - [i * GAMMA1_RING_ELEMENT_SIZE..(i + 1) * GAMMA1_RING_ELEMENT_SIZE], - &mut signer_response[i], - ); - } +>( + commitment_hash_size: usize, + gamma1_exponent: usize, + gamma1_ring_element_size: usize, + max_ones_in_hint: usize, + signature_size: usize, + serialized: &[u8], + out_commitment_hash: &mut [u8], + out_signer_response: &mut [PolynomialRingElement], + out_hint: &mut [[i32; COEFFICIENTS_IN_RING_ELEMENT]], +) -> Result<(), VerificationError> { + debug_assert!(serialized.len() == signature_size); + + let (commitment_hash, rest_of_serialized) = serialized.split_at(commitment_hash_size); + out_commitment_hash[0..commitment_hash_size].copy_from_slice(commitment_hash); + + let (signer_response_serialized, hint_serialized) = + rest_of_serialized.split_at(gamma1_ring_element_size * COLUMNS_IN_A); + + for i in 0..COLUMNS_IN_A { + encoding::gamma1::deserialize::( + gamma1_exponent, + &signer_response_serialized + [i * gamma1_ring_element_size..(i + 1) * gamma1_ring_element_size], + &mut out_signer_response[i], + ); + } - // While there are several ways to encode the same hint vector, we - // allow only one such encoding, to ensure strong unforgeability. - let mut hint = [[0; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A]; + // While there are several ways to encode the same hint vector, we + // allow only one such encoding, to ensure strong unforgeability. + let mut previous_true_hints_seen = 0usize; - let mut previous_true_hints_seen = 0usize; + let mut i = 0; + let mut malformed_hint = false; - let mut i = 0; - let mut malformed_hint = false; + while i < ROWS_IN_A && !malformed_hint { + let current_true_hints_seen = hint_serialized[max_ones_in_hint + i] as usize; - while i < ROWS_IN_A && !malformed_hint { - let current_true_hints_seen = hint_serialized[MAX_ONES_IN_HINT + i] as usize; + if (current_true_hints_seen < previous_true_hints_seen) + || (previous_true_hints_seen > max_ones_in_hint) + { + // the true hints seen should be increasing + malformed_hint = true; + } - if (current_true_hints_seen < previous_true_hints_seen) - || (previous_true_hints_seen > MAX_ONES_IN_HINT) - { - // the true hints seen should be increasing + let mut j = previous_true_hints_seen; + while !malformed_hint && j < current_true_hints_seen { + if j > previous_true_hints_seen && hint_serialized[j] <= hint_serialized[j - 1] { + // indices of true hints for a specific polynomial should be + // increasing malformed_hint = true; } - - let mut j = previous_true_hints_seen; - while !malformed_hint && j < current_true_hints_seen { - if j > previous_true_hints_seen && hint_serialized[j] <= hint_serialized[j - 1] { - // indices of true hints for a specific polynomial should be - // increasing - malformed_hint = true; - } - if !malformed_hint { - hint[i][hint_serialized[j] as usize] = 1; - j += 1; - } - } - if !malformed_hint { - previous_true_hints_seen = current_true_hints_seen; - i += 1; + out_hint[i][hint_serialized[j] as usize] = 1; + j += 1; } } - i = previous_true_hints_seen; - while i < MAX_ONES_IN_HINT && !malformed_hint { - if hint_serialized[i] != 0 { - // ensures padding indices are zero - malformed_hint = true; - } + if !malformed_hint { + previous_true_hints_seen = current_true_hints_seen; i += 1; } + } - if malformed_hint { - return Err(VerificationError::MalformedHintError); + i = previous_true_hints_seen; + while i < max_ones_in_hint && !malformed_hint { + if hint_serialized[i] != 0 { + // ensures padding indices are zero + malformed_hint = true; } + i += 1; + } - // Set output - signature.commitment_hash = commitment_hash.try_into().unwrap(); - signature.signer_response = signer_response; - signature.hint = hint; - - Ok(()) + if malformed_hint { + return Err(VerificationError::MalformedHintError); } + + Ok(()) } diff --git a/libcrux-ml-dsa/src/encoding/verification_key.rs b/libcrux-ml-dsa/src/encoding/verification_key.rs index 878ae4aed..1c042da3f 100644 --- a/libcrux-ml-dsa/src/encoding/verification_key.rs +++ b/libcrux-ml-dsa/src/encoding/verification_key.rs @@ -24,17 +24,15 @@ pub(crate) fn generate_serialized( } #[inline(always)] -pub(crate) fn deserialize< - SIMDUnit: Operations, - const ROWS_IN_A: usize, - const VERIFICATION_KEY_SIZE: usize, ->( +pub(crate) fn deserialize( + rows_in_a: usize, + verification_key_size: usize, serialized: &[u8], - t1: &mut [PolynomialRingElement; ROWS_IN_A], + t1: &mut [PolynomialRingElement], ) { - debug_assert!(serialized.len() == VERIFICATION_KEY_SIZE - SEED_FOR_A_SIZE); + debug_assert!(serialized.len() == verification_key_size - SEED_FOR_A_SIZE); - for i in 0..ROWS_IN_A { + for i in 0..rows_in_a { t1::deserialize::( &serialized[i * RING_ELEMENT_OF_T1S_SIZE..(i + 1) * RING_ELEMENT_OF_T1S_SIZE], &mut t1[i], diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 3e53f2b1d..b1675c82d 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -3,7 +3,7 @@ use crate::{ decompose_vector, make_hint, power2round_vector, use_hint, vector_infinity_norm_exceeds, }, constants::{self, *}, - encoding::{self, signature::Signature}, + encoding::{self}, hash_functions::{shake128, shake256}, matrix::{ add_vectors, compute_as1_plus_s2, compute_matrix_x_mask, compute_w_approx, @@ -584,30 +584,35 @@ pub(crate) fn verify_internal< ) -> Result<(), VerificationError> { let (seed_for_a, t1_serialized) = verification_key.split_at(SEED_FOR_A_SIZE); let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; - encoding::verification_key::deserialize::( + encoding::verification_key::deserialize::( + ROWS_IN_A, + VERIFICATION_KEY_SIZE, t1_serialized, &mut t1, ); - let mut signature = Signature { - commitment_hash: [0u8; COMMITMENT_HASH_SIZE], - signer_response: [PolynomialRingElement::zero(); COLUMNS_IN_A], - hint: [[0i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A], - }; - match Signature::::deserialize::< + let mut deserialized_commitment_hash = [0u8; COMMITMENT_HASH_SIZE]; + let mut deserialized_signer_response = [PolynomialRingElement::zero(); COLUMNS_IN_A]; + let mut deserialized_hint = [[0i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A]; + + match encoding::signature::deserialize::( + COMMITMENT_HASH_SIZE, GAMMA1_EXPONENT, GAMMA1_RING_ELEMENT_SIZE, MAX_ONES_IN_HINT, SIGNATURE_SIZE, - >(signature_serialized, &mut signature) - { + signature_serialized, + &mut deserialized_commitment_hash, + &mut deserialized_signer_response, + &mut deserialized_hint, + ) { Ok(_) => (), Err(e) => return Err(e), }; // We use if-else branches because early returns will not go through hax. if vector_infinity_norm_exceeds::( - &signature.signer_response, + &deserialized_signer_response, (2 << GAMMA1_EXPONENT) - BETA, ) { return Err(VerificationError::SignerResponseExceedsBoundError); @@ -630,28 +635,28 @@ pub(crate) fn verify_internal< let mut verifier_challenge = PolynomialRingElement::zero(); sample_challenge_ring_element::( - &signature.commitment_hash, + &deserialized_commitment_hash, ONES_IN_VERIFIER_CHALLENGE, &mut verifier_challenge, ); ntt(&mut verifier_challenge); // Move signer response into ntt - for i in 0..signature.signer_response.len() { - ntt(&mut signature.signer_response[i]); + for i in 0..deserialized_signer_response.len() { + ntt(&mut deserialized_signer_response[i]); } compute_w_approx::( ROWS_IN_A, COLUMNS_IN_A, &matrix, - &signature.signer_response, + &deserialized_signer_response, &verifier_challenge, &mut t1, ); - let mut commitment_hash = [0; COMMITMENT_HASH_SIZE]; + let mut recomputed_commitment_hash = [0; COMMITMENT_HASH_SIZE]; { - use_hint::(signature.hint, &mut t1); + use_hint::(deserialized_hint, &mut t1); let mut commitment_serialized = [0u8; COMMITMENT_VECTOR_SIZE]; encoding::commitment::serialize_vector::( COMMITMENT_RING_ELEMENT_SIZE, @@ -663,10 +668,10 @@ pub(crate) fn verify_internal< shake.absorb(&message_representative); shake.absorb_final(&commitment_serialized); - shake.squeeze(&mut commitment_hash); + shake.squeeze(&mut recomputed_commitment_hash); } - if signature.commitment_hash == commitment_hash { + if deserialized_commitment_hash == recomputed_commitment_hash { return Ok(()); } From 06d97b02e06416ce3c2e2e6a73787bf22b96c7e9 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 3 Jan 2025 07:47:07 +0000 Subject: [PATCH 32/58] a little more verification cleanup --- libcrux-intrinsics/src/avx2.rs | 16 +++++++- libcrux-ml-dsa/examples/sign_65.rs | 2 +- libcrux-ml-dsa/src/arithmetic.rs | 17 ++++---- libcrux-ml-dsa/src/constants.rs | 7 ++++ libcrux-ml-dsa/src/encoding/signature.rs | 14 +++---- libcrux-ml-dsa/src/ml_dsa_generic.rs | 33 +++++++++++---- libcrux-ml-dsa/src/sample.rs | 2 + libcrux-ml-dsa/src/samplex4.rs | 1 + libcrux-ml-dsa/src/simd/avx2.rs | 8 ++-- libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 31 ++++++-------- libcrux-ml-dsa/src/simd/portable.rs | 8 ++-- .../src/simd/portable/arithmetic.rs | 40 +++++++++---------- libcrux-ml-dsa/src/simd/tests.rs | 6 +-- libcrux-ml-dsa/src/simd/traits.rs | 6 +-- 14 files changed, 111 insertions(+), 80 deletions(-) diff --git a/libcrux-intrinsics/src/avx2.rs b/libcrux-intrinsics/src/avx2.rs index da3dacfaf..aa9960271 100644 --- a/libcrux-intrinsics/src/avx2.rs +++ b/libcrux-intrinsics/src/avx2.rs @@ -305,6 +305,11 @@ pub fn mm256_castsi256_ps(a: Vec256) -> Vec256Float { unsafe { _mm256_castsi256_ps(a) } } +#[inline(always)] +pub fn mm256_castps_si256(a: Vec256Float) -> Vec256 { + unsafe { _mm256_castps_si256(a) } +} + #[inline(always)] pub fn mm256_movemask_ps(a: Vec256Float) -> i32 { unsafe { _mm256_movemask_ps(a) } @@ -352,7 +357,16 @@ pub fn mm256_testz_si256(lhs: Vec256, rhs: Vec256) -> i32 { #[inline(always)] pub fn mm256_xor_si256(lhs: Vec256, rhs: Vec256) -> Vec256 { - unsafe { _mm256_xor_si256(lhs, rhs) } + // This floating point xor may or may not be faster than regular xor. + // Local testing seems to indicate that it's a little more stable in + // benchmarks though. + // See https://stackoverflow.com/questions/27804476/difference-between-mm256-xor-si256-and-mm256-xor-ps + unsafe { + _mm256_castps_si256(_mm256_xor_ps( + _mm256_castsi256_ps(lhs), + _mm256_castsi256_ps(rhs), + )) + } } #[inline(always)] diff --git a/libcrux-ml-dsa/examples/sign_65.rs b/libcrux-ml-dsa/examples/sign_65.rs index 831bc36cc..72a2283e0 100644 --- a/libcrux-ml-dsa/examples/sign_65.rs +++ b/libcrux-ml-dsa/examples/sign_65.rs @@ -15,7 +15,7 @@ fn main() { let keypair = ml_dsa_65::generate_key_pair(key_generation_seed); - for _i in 0..100_000 { + for _i in 0..10_000 { let _ = ml_dsa_65::sign(&keypair.signing_key, &message, b"", signing_randomness); } } diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index f85844180..ee5f7b158 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -1,5 +1,7 @@ use crate::{ - constants::COEFFICIENTS_IN_RING_ELEMENT, helper::cloop, polynomial::PolynomialRingElement, + constants::{Gamma2, COEFFICIENTS_IN_RING_ELEMENT}, + helper::cloop, + polynomial::PolynomialRingElement, simd::traits::Operations, }; @@ -44,7 +46,7 @@ pub(crate) fn power2round_vector( #[inline(always)] pub(crate) fn decompose_vector( dimension: usize, - gamma2: i32, + gamma2: Gamma2, t: &[PolynomialRingElement], low: &mut [PolynomialRingElement], high: &mut [PolynomialRingElement], @@ -88,16 +90,17 @@ pub(crate) fn make_hint( - hint: [[i32; COEFFICIENTS_IN_RING_ELEMENT]; DIMENSION], - re_vector: &mut [PolynomialRingElement; DIMENSION], +pub(crate) fn use_hint( + gamma2: Gamma2, + hint: &[[i32; COEFFICIENTS_IN_RING_ELEMENT]], + re_vector: &mut [PolynomialRingElement], ) { - for i in 0..DIMENSION { + for i in 0..re_vector.len() { let mut tmp = PolynomialRingElement::zero(); PolynomialRingElement::::from_i32_array(&hint[i], &mut tmp); for j in 0..re_vector[0].simd_units.len() { - SIMDUnit::use_hint::(&re_vector[i].simd_units[j], &mut tmp.simd_units[j]); + SIMDUnit::use_hint(gamma2, &re_vector[i].simd_units[j], &mut tmp.simd_units[j]); } re_vector[i] = tmp; } diff --git a/libcrux-ml-dsa/src/constants.rs b/libcrux-ml-dsa/src/constants.rs index 04f8de619..277b88b84 100644 --- a/libcrux-ml-dsa/src/constants.rs +++ b/libcrux-ml-dsa/src/constants.rs @@ -38,6 +38,13 @@ pub(crate) enum Eta { Four = 4, } +/// Gamma2 values +#[derive(Debug, Clone, Copy, PartialEq, Eq)] +pub(crate) enum Gamma2 { + V95_232 = 95_232, + V261_888 = 261_888, +} + /// ML-DSA-44-specific parameters #[cfg(feature = "mldsa44")] pub(crate) mod v44 { diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index 258b96aa7..59655aa4c 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -50,11 +50,9 @@ pub(crate) fn serialize( } #[inline(always)] -pub(crate) fn deserialize< - SIMDUnit: Operations, - const COLUMNS_IN_A: usize, - const ROWS_IN_A: usize, ->( +pub(crate) fn deserialize( + columns_in_a: usize, + rows_in_a: usize, commitment_hash_size: usize, gamma1_exponent: usize, gamma1_ring_element_size: usize, @@ -71,9 +69,9 @@ pub(crate) fn deserialize< out_commitment_hash[0..commitment_hash_size].copy_from_slice(commitment_hash); let (signer_response_serialized, hint_serialized) = - rest_of_serialized.split_at(gamma1_ring_element_size * COLUMNS_IN_A); + rest_of_serialized.split_at(gamma1_ring_element_size * columns_in_a); - for i in 0..COLUMNS_IN_A { + for i in 0..columns_in_a { encoding::gamma1::deserialize::( gamma1_exponent, &signer_response_serialized @@ -89,7 +87,7 @@ pub(crate) fn deserialize< let mut i = 0; let mut malformed_hint = false; - while i < ROWS_IN_A && !malformed_hint { + while i < rows_in_a && !malformed_hint { let current_true_hints_seen = hint_serialized[max_ones_in_hint + i] as usize; if (current_true_hints_seen < previous_true_hints_seen) diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index b1675c82d..8ac0024ea 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -113,8 +113,8 @@ pub(crate) fn generate_key_pair< let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; power2round_vector::(&mut t0, &mut t1); + // Write out the keys encoding::verification_key::generate_serialized::(seed_for_a, &t1, verification_key); - encoding::signing_key::generate_serialized::( ETA, ERROR_RING_ELEMENT_SIZE, @@ -295,11 +295,19 @@ pub(crate) fn sign_internal< domain_separation_context: Option, randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { + // FIXME: pass these in as enums instead let eta = match ETA { 2 => Eta::Two, 4 => Eta::Four, _ => unreachable!(), }; + + let gamma2 = match GAMMA2 { + 95_232 => Gamma2::V95_232, + 261_888 => Gamma2::V261_888, + _ => unreachable!(), + }; + // Split the signing key into its parts. let (seed_for_a, remaining_serialized) = signing_key.split_at(SEED_FOR_A_SIZE); let (seed_for_signing, remaining_serialized) = @@ -397,7 +405,7 @@ pub(crate) fn sign_internal< &mask_ntt, &mut a_x_mask, ); - decompose_vector::(ROWS_IN_A, GAMMA2, &a_x_mask, &mut w0, &mut commitment); + decompose_vector::(ROWS_IN_A, gamma2, &a_x_mask, &mut w0, &mut commitment); } let mut commitment_hash_candidate = [0; COMMITMENT_HASH_SIZE]; @@ -582,6 +590,13 @@ pub(crate) fn verify_internal< domain_separation_context: Option, signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { + let gamma2 = match GAMMA2 { + // FIXME: pass this in as enum instead + 95_232 => Gamma2::V95_232, + 261_888 => Gamma2::V261_888, + _ => unreachable!(), + }; + let (seed_for_a, t1_serialized) = verification_key.split_at(SEED_FOR_A_SIZE); let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; encoding::verification_key::deserialize::( @@ -595,7 +610,9 @@ pub(crate) fn verify_internal< let mut deserialized_signer_response = [PolynomialRingElement::zero(); COLUMNS_IN_A]; let mut deserialized_hint = [[0i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A]; - match encoding::signature::deserialize::( + match encoding::signature::deserialize::( + COLUMNS_IN_A, + ROWS_IN_A, COMMITMENT_HASH_SIZE, GAMMA1_EXPONENT, GAMMA1_RING_ELEMENT_SIZE, @@ -621,10 +638,8 @@ pub(crate) fn verify_internal< Sampler::matrix_flat::(COLUMNS_IN_A, &seed_for_a, &mut matrix); let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; - Shake256::shake256::( - verification_key, - &mut verification_key_hash, - ); + Shake256::shake256(verification_key, &mut verification_key_hash); + let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; derive_message_representative::( &verification_key_hash, @@ -654,9 +669,10 @@ pub(crate) fn verify_internal< &mut t1, ); + // Compute the commitment hash again to validate the signature. let mut recomputed_commitment_hash = [0; COMMITMENT_HASH_SIZE]; { - use_hint::(deserialized_hint, &mut t1); + use_hint::(gamma2, &deserialized_hint, &mut t1); let mut commitment_serialized = [0u8; COMMITMENT_VECTOR_SIZE]; encoding::commitment::serialize_vector::( COMMITMENT_RING_ELEMENT_SIZE, @@ -671,6 +687,7 @@ pub(crate) fn verify_internal< shake.squeeze(&mut recomputed_commitment_hash); } + // Check if this is a valid signature by comparing the hashes. if deserialized_commitment_hash == recomputed_commitment_hash { return Ok(()); } diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 7c0c35f5e..a5aecc3dc 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -196,6 +196,7 @@ fn rejection_sample_less_than_eta_equals_2( done } + #[inline(always)] fn rejection_sample_less_than_eta_equals_4( randomness: &[u8], @@ -224,6 +225,7 @@ fn rejection_sample_less_than_eta_equals_4( done } + #[inline(always)] pub(crate) fn rejection_sample_less_than_eta( eta: Eta, diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index b56f82b10..14ba92a03 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -114,6 +114,7 @@ pub(crate) mod avx2 { } } +// Not inling this causes a 10x slow-down #[inline(always)] pub(crate) fn sample_s1_and_s2( eta: Eta, diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 9a5a37e8a..dac4c0dbd 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -1,5 +1,5 @@ use crate::{ - constants::Eta, + constants::{Eta, Gamma2}, simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}, }; @@ -62,7 +62,7 @@ impl Operations for AVX2SIMDUnit { #[inline(always)] fn decompose( - gamma2: i32, + gamma2: Gamma2, simd_unit: &Self::Coefficient, low: &mut Self::Coefficient, high: &mut Self::Coefficient, @@ -80,8 +80,8 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn use_hint(simd_unit: &Self::Coefficient, hint: &mut Self::Coefficient) { - arithmetic::use_hint::(simd_unit, hint); + fn use_hint(gamma2: Gamma2, simd_unit: &Self::Coefficient, hint: &mut Self::Coefficient) { + arithmetic::use_hint(gamma2, simd_unit, hint); } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index ced6107e0..65d1148b0 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -5,7 +5,7 @@ use crate::{ use libcrux_intrinsics::avx2::*; -use super::vector_type::zero; +use super::{vector_type::zero, Gamma2}; #[inline(always)] fn to_unsigned_representatives(t: &mut Vec256) { @@ -121,22 +121,18 @@ pub(super) fn power2round(r0: &mut Vec256, r1: &mut Vec256) { #[allow(non_snake_case)] #[inline(always)] -pub(super) fn decompose(gamma2: i32, r: &Vec256, r0: &mut Vec256, r1: &mut Vec256) { +pub(super) fn decompose(gamma2: Gamma2, r: &Vec256, r0: &mut Vec256, r1: &mut Vec256) { let mut r = r.clone(); to_unsigned_representatives(&mut r); let field_modulus_halved = mm256_set1_epi32((FIELD_MODULUS - 1) / 2); - // When const-generic expressions are available, this could be turned into a - // const value. - let ALPHA: i32 = gamma2 * 2; - *r1 = { let ceil_of_r_by_128 = mm256_add_epi32(r, mm256_set1_epi32(127)); let ceil_of_r_by_128 = mm256_srai_epi32::<7>(ceil_of_r_by_128); - match ALPHA { - 190_464 => { + match gamma2 { + Gamma2::V95_232 => { // We approximate 1 / 1488 as: // ⌊2²⁴ / 1488⌋ / 2²⁴ = 11,275 / 2²⁴ let result = mm256_mullo_epi32(ceil_of_r_by_128, mm256_set1_epi32(11_275)); @@ -152,7 +148,7 @@ pub(super) fn decompose(gamma2: i32, r: &Vec256, r0: &mut Vec256, r1: &mut Vec25 mm256_and_si256(result, not_result) } - 523_776 => { + Gamma2::V261_888 => { // We approximate 1 / 4092 as: // ⌊2²² / 4092⌋ / 2²² = 1025 / 2²² let result = mm256_mullo_epi32(ceil_of_r_by_128, mm256_set1_epi32(1025)); @@ -162,15 +158,14 @@ pub(super) fn decompose(gamma2: i32, r: &Vec256, r0: &mut Vec256, r1: &mut Vec25 // For the corner-case a₁ = (q-1)/α = 16, we have to set a₁=0. mm256_and_si256(result, mm256_set1_epi32(15)) } - - _ => unreachable!(), } }; // In the corner-case, when we set a₁=0, we will incorrectly // have a₀ > (q-1)/2 and we'll need to subtract q. As we // return a₀ + q, that comes down to adding q if a₀ < (q-1)/2. - *r0 = mm256_mullo_epi32(*r1, mm256_set1_epi32(ALPHA)); + let alpha = gamma2 as i32 * 2; + *r0 = mm256_mullo_epi32(*r1, mm256_set1_epi32(alpha)); *r0 = mm256_sub_epi32(r, *r0); let mask = mm256_sub_epi32(field_modulus_halved, *r0); @@ -210,9 +205,9 @@ pub(super) fn compute_hint( } #[inline(always)] -pub(super) fn use_hint(r: &Vec256, hint: &mut Vec256) { +pub(super) fn use_hint(gamma2: Gamma2, r: &Vec256, hint: &mut Vec256) { let (mut r0, mut r1) = (zero(), zero()); - decompose(GAMMA2, r, &mut r0, &mut r1); + decompose(gamma2, r, &mut r0, &mut r1); let all_zeros = mm256_setzero_si256(); @@ -234,8 +229,8 @@ pub(super) fn use_hint(r: &Vec256, hint: &mut Vec256) { // Now add the hints to r1 let mut r1_plus_hints = mm256_add_epi32(r1, hints); - match GAMMA2 { - 95_232 => { + match gamma2 { + Gamma2::V95_232 => { let max = mm256_set1_epi32(43); // If |r1_plus_hints[i]| is negative, it must be that |r1[i]| is @@ -247,10 +242,8 @@ pub(super) fn use_hint(r: &Vec256, hint: &mut Vec256) { // If r1 is greater than equal to 43, we need to set the result to 0. *hint = vec256_blendv_epi32(r1_plus_hints, all_zeros, greater_than_or_equal_to_max); } - 261_888 => { + Gamma2::V261_888 => { *hint = mm256_and_si256(r1_plus_hints, mm256_set1_epi32(15)); } - - _ => unreachable!(), } } diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 69a5f07a0..1f917c084 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -1,5 +1,5 @@ use crate::{ - constants::Eta, + constants::{Eta, Gamma2}, simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}, }; @@ -55,7 +55,7 @@ impl Operations for PortableSIMDUnit { } fn decompose( - gamma2: i32, + gamma2: Gamma2, simd_unit: &Self::Coefficient, low: &mut Self::Coefficient, high: &mut Self::Coefficient, @@ -71,8 +71,8 @@ impl Operations for PortableSIMDUnit { arithmetic::compute_hint::(low, high, hint) } - fn use_hint(simd_unit: &Coefficients, hint: &mut Coefficients) { - arithmetic::use_hint::(simd_unit, hint) + fn use_hint(gamma2: Gamma2, simd_unit: &Coefficients, hint: &mut Coefficients) { + arithmetic::use_hint(gamma2, simd_unit, hint) } fn rejection_sample_less_than_field_modulus(randomness: &[u8], out: &mut [i32]) -> usize { diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 584af66be..92cedfb7a 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -1,6 +1,6 @@ use super::vector_type::{Coefficients, FieldElement}; use crate::{ - constants::BITS_IN_LOWER_PART_OF_T, + constants::{Gamma2, BITS_IN_LOWER_PART_OF_T}, helper::cloop, simd::traits::{ FieldElementTimesMontgomeryR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, @@ -182,20 +182,18 @@ pub(super) fn compute_hint( // // Note that 0 ≤ r₁ < (q-1)/α. #[inline(always)] -fn decompose_element(gamma2: i32, r: i32) -> (i32, i32) { +fn decompose_element(gamma2: Gamma2, r: i32) -> (i32, i32) { debug_assert!(r > -FIELD_MODULUS && r < FIELD_MODULUS); // Convert the signed representative to the standard unsigned one. let r = r + ((r >> 31) & FIELD_MODULUS); - let alpha = gamma2 * 2; - let r1 = { // Compute ⌈r / 128⌉ let ceil_of_r_by_128 = (r + 127) >> 7; - match alpha { - 190_464 => { + match gamma2 { + Gamma2::V95_232 => { // We approximate 1 / 1488 as: // ⌊2²⁴ / 1488⌋ / 2²⁴ = 11,275 / 2²⁴ let result = ((ceil_of_r_by_128 * 11_275) + (1 << 23)) >> 24; @@ -203,7 +201,7 @@ fn decompose_element(gamma2: i32, r: i32) -> (i32, i32) { // For the corner-case a₁ = (q-1)/α = 44, we have to set a₁=0. (result ^ (43 - result) >> 31) & result } - 523_776 => { + Gamma2::V261_888 => { // We approximate 1 / 4092 as: // ⌊2²² / 4092⌋ / 2²² = 1025 / 2²² let result = (ceil_of_r_by_128 * 1025 + (1 << 21)) >> 22; @@ -211,10 +209,10 @@ fn decompose_element(gamma2: i32, r: i32) -> (i32, i32) { // For the corner-case a₁ = (q-1)/α = 16, we have to set a₁=0. result & 15 } - _ => unreachable!(), } }; + let alpha = gamma2 as i32 * 2; let mut r0 = r - (r1 * alpha); // In the corner-case, when we set a₁=0, we will incorrectly @@ -226,15 +224,15 @@ fn decompose_element(gamma2: i32, r: i32) -> (i32, i32) { } #[inline(always)] -pub(crate) fn use_one_hint(r: i32, hint: i32) -> i32 { - let (r0, r1) = decompose_element(GAMMA2, r); +pub(crate) fn use_one_hint(gamma2: Gamma2, r: i32, hint: i32) -> i32 { + let (r0, r1) = decompose_element(gamma2, r); if hint == 0 { return r1; } - match GAMMA2 { - 95_232 => { + match gamma2 { + Gamma2::V95_232 => { if r0 > 0 { if r1 == 43 { 0 @@ -248,21 +246,19 @@ pub(crate) fn use_one_hint(r: i32, hint: i32) -> i32 { } } - 261_888 => { + Gamma2::V261_888 => { if r0 > 0 { (r1 + hint) & 15 } else { (r1 - hint) & 15 } } - - _ => unreachable!(), } } #[inline(always)] pub fn decompose( - gamma2: i32, + gamma2: Gamma2, simd_unit: &Coefficients, low: &mut Coefficients, high: &mut Coefficients, @@ -273,9 +269,9 @@ pub fn decompose( } #[inline(always)] -pub fn use_hint(simd_unit: &Coefficients, hint: &mut Coefficients) { +pub fn use_hint(gamma2: Gamma2, simd_unit: &Coefficients, hint: &mut Coefficients) { for i in 0..hint.len() { - hint[i] = use_one_hint::(simd_unit[i], hint[i]); + hint[i] = use_one_hint(gamma2, simd_unit[i], hint[i]); } } @@ -293,10 +289,10 @@ mod tests { #[test] fn test_use_one_hint() { - assert_eq!(use_one_hint::<95_232>(7622170, 0), 40); - assert_eq!(use_one_hint::<95_232>(2332762, 1), 13); + assert_eq!(use_one_hint(Gamma2::V95_232, 7622170, 0), 40); + assert_eq!(use_one_hint(Gamma2::V95_232, 2332762, 1), 13); - assert_eq!(use_one_hint::<261_888>(7691572, 0), 15); - assert_eq!(use_one_hint::<261_888>(6635697, 1), 12); + assert_eq!(use_one_hint(Gamma2::V261_888, 7691572, 0), 15); + assert_eq!(use_one_hint(Gamma2::V261_888, 6635697, 1), 12); } } diff --git a/libcrux-ml-dsa/src/simd/tests.rs b/libcrux-ml-dsa/src/simd/tests.rs index 7b84e6eb0..387cf52fc 100644 --- a/libcrux-ml-dsa/src/simd/tests.rs +++ b/libcrux-ml-dsa/src/simd/tests.rs @@ -1,4 +1,4 @@ -use crate::simd::traits::*; +use crate::{constants::Gamma2, simd::traits::*}; fn test_decompose_generic() { // When GAMMA2 = 95,232 @@ -14,7 +14,7 @@ fn test_decompose_generic() { let expected_high = [29, 28, 1, 43, 27, 29, 18, 21]; let (mut low, mut high) = (SIMDUnit::zero(), SIMDUnit::zero()); - SIMDUnit::decompose(95_232, &input, &mut low, &mut high); + SIMDUnit::decompose(Gamma2::V95_232, &input, &mut low, &mut high); let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; SIMDUnit::to_coefficient_array(&low, &mut out); @@ -38,7 +38,7 @@ fn test_decompose_generic() { ]; let expected_high = [4, 14, 12, 15, 4, 0, 1, 4]; - SIMDUnit::decompose(261_888, &input, &mut low, &mut high); + SIMDUnit::decompose(Gamma2::V261_888, &input, &mut low, &mut high); let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; SIMDUnit::to_coefficient_array(&low, &mut out); diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 14cb902cd..95c54edc8 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -1,4 +1,4 @@ -use crate::constants::Eta; +use crate::constants::{Eta, Gamma2}; // Each field element occupies 32 bits and the size of a simd_unit is 256 bits. pub(crate) const COEFFICIENTS_IN_SIMD_UNIT: usize = 8; @@ -30,7 +30,7 @@ pub(crate) trait Operations: Copy + Clone { fn subtract(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient); fn infinity_norm_exceeds(simd_unit: &Self::Coefficient, bound: i32) -> bool; fn decompose( - gamma2: i32, + gamma2: Gamma2, simd_unit: &Self::Coefficient, low: &mut Self::Coefficient, high: &mut Self::Coefficient, @@ -40,7 +40,7 @@ pub(crate) trait Operations: Copy + Clone { high: &Self::Coefficient, hint: &mut Self::Coefficient, ) -> usize; - fn use_hint(simd_unit: &Self::Coefficient, hint: &mut Self::Coefficient); + fn use_hint(gamma2: Gamma2, simd_unit: &Self::Coefficient, hint: &mut Self::Coefficient); // Modular operations fn montgomery_multiply(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient); From 7b96c9a2e2592473269d57b619f8d1d389d5d242 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 3 Jan 2025 09:45:31 +0000 Subject: [PATCH 33/58] mldsa: extract F* --- libcrux-ml-dsa/src/arithmetic.rs | 8 +++++ libcrux-ml-dsa/src/constants.rs | 4 +-- libcrux-ml-dsa/src/encoding/commitment.rs | 3 ++ libcrux-ml-dsa/src/encoding/error.rs | 6 ++++ libcrux-ml-dsa/src/encoding/gamma1.rs | 4 +-- libcrux-ml-dsa/src/encoding/signature.rs | 5 +++- libcrux-ml-dsa/src/encoding/signing_key.rs | 5 +++- libcrux-ml-dsa/src/encoding/t0.rs | 8 +++-- libcrux-ml-dsa/src/encoding/t1.rs | 4 +-- .../src/encoding/verification_key.rs | 6 +++- libcrux-ml-dsa/src/matrix.rs | 12 ++++++++ libcrux-ml-dsa/src/ml_dsa_generic.rs | 4 +-- .../src/ml_dsa_generic/multiplexing.rs | 12 ++++++-- libcrux-ml-dsa/src/ntt.rs | 2 ++ libcrux-ml-dsa/src/polynomial.rs | 6 ++++ libcrux-ml-dsa/src/sample.rs | 12 +++++++- libcrux-ml-dsa/src/samplex4.rs | 19 +++++++++++- libcrux-ml-dsa/src/simd/avx2.rs | 1 + libcrux-ml-dsa/src/simd/avx2/invntt.rs | 5 ++++ libcrux-ml-dsa/src/simd/avx2/ntt.rs | 4 ++- .../src/simd/portable/arithmetic.rs | 30 +++++++++++++++++-- .../src/simd/portable/encoding/error.rs | 5 ++++ .../src/simd/portable/encoding/gamma1.rs | 11 +++++++ .../src/simd/portable/encoding/t1.rs | 6 ++++ libcrux-ml-dsa/src/simd/portable/invntt.rs | 5 ++++ libcrux-ml-dsa/src/simd/traits.rs | 7 ++--- 26 files changed, 169 insertions(+), 25 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index ee5f7b158..28d9d3e8a 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -29,6 +29,8 @@ pub(crate) fn shift_left_then_reduce( for i in 0..re.simd_units.len() { SIMDUnit::shift_left_then_reduce::(&mut re.simd_units[i]); } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -41,6 +43,8 @@ pub(crate) fn power2round_vector( SIMDUnit::power2round(&mut t[i].simd_units[j], &mut t1[i].simd_units[j]); } } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -61,6 +65,8 @@ pub(crate) fn decompose_vector( ); } } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -104,4 +110,6 @@ pub(crate) fn use_hint( } re_vector[i] = tmp; } + // [hax] https://github.com/hacspec/hax/issues/720 + () } diff --git a/libcrux-ml-dsa/src/constants.rs b/libcrux-ml-dsa/src/constants.rs index 277b88b84..ae907fc70 100644 --- a/libcrux-ml-dsa/src/constants.rs +++ b/libcrux-ml-dsa/src/constants.rs @@ -32,14 +32,14 @@ pub(crate) const REJECTION_SAMPLE_BOUND_SIGN: usize = 814; pub(crate) const CONTEXT_MAX_LEN: usize = 255; /// Eta values -#[derive(Debug, Clone, Copy, PartialEq, Eq)] +#[derive(Debug, Clone, Copy)] pub(crate) enum Eta { Two = 2, Four = 4, } /// Gamma2 values -#[derive(Debug, Clone, Copy, PartialEq, Eq)] +#[derive(Debug, Clone, Copy)] pub(crate) enum Gamma2 { V95_232 = 95_232, V261_888 = 261_888, diff --git a/libcrux-ml-dsa/src/encoding/commitment.rs b/libcrux-ml-dsa/src/encoding/commitment.rs index 324c4879b..148373b57 100644 --- a/libcrux-ml-dsa/src/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/encoding/commitment.rs @@ -12,6 +12,7 @@ fn serialize(re: &PolynomialRingElement, seriali ); } } + // [hax] https://github.com/hacspec/hax/issues/720 () } @@ -29,6 +30,8 @@ pub(crate) fn serialize_vector( offset += ring_element_size; } } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[cfg(test)] diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index 6c350e945..989721423 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -21,6 +21,8 @@ pub(crate) fn serialize( ); } } + + // [hax] https://github.com/hacspec/hax/issues/720 () } @@ -48,6 +50,8 @@ fn deserialize( &mut result.simd_units[i], ); } + + // [hax] https://github.com/hacspec/hax/issues/720 () } @@ -64,6 +68,8 @@ pub(crate) fn deserialize_to_vector_then_ntt( ntt(&mut ring_elements[i]); } } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[cfg(test)] diff --git a/libcrux-ml-dsa/src/encoding/gamma1.rs b/libcrux-ml-dsa/src/encoding/gamma1.rs index ec832642e..fc1cc5c3b 100644 --- a/libcrux-ml-dsa/src/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/encoding/gamma1.rs @@ -2,7 +2,7 @@ use crate::{helper::cloop, polynomial::PolynomialRingElement, simd::traits::Oper #[inline(always)] pub(crate) fn serialize( - re: PolynomialRingElement, + re: &PolynomialRingElement, serialized: &mut [u8], // OUTPUT_BYTES gamma1_exponent: usize, ) { @@ -110,7 +110,7 @@ mod tests { ]; let mut result = [0u8; 640]; - serialize::(re, &mut result, 19); + serialize::(&re, &mut result, 19); assert_eq!(result, expected_bytes); } diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index 59655aa4c..316cba459 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -23,7 +23,7 @@ pub(crate) fn serialize( for i in 0..columns_in_a { encoding::gamma1::serialize::( - signer_response[i], + &signer_response[i], &mut signature[offset..offset + gamma1_ring_element_size], gamma1_exponent, ); @@ -47,6 +47,9 @@ pub(crate) fn serialize( } signature[offset + max_ones_in_hint + i] = true_hints_seen as u8; } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs index d1bfc1f68..aaee2d442 100644 --- a/libcrux-ml-dsa/src/encoding/signing_key.rs +++ b/libcrux-ml-dsa/src/encoding/signing_key.rs @@ -50,10 +50,13 @@ pub(crate) fn generate_serialized( - *ring_element, + ring_element, &mut signing_key_serialized[offset..offset + RING_ELEMENT_OF_T0S_SIZE], ); offset += RING_ELEMENT_OF_T0S_SIZE; } } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } diff --git a/libcrux-ml-dsa/src/encoding/t0.rs b/libcrux-ml-dsa/src/encoding/t0.rs index 156095b34..2a3600d1d 100644 --- a/libcrux-ml-dsa/src/encoding/t0.rs +++ b/libcrux-ml-dsa/src/encoding/t0.rs @@ -11,7 +11,7 @@ const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 13; #[inline(always)] pub(crate) fn serialize( - re: PolynomialRingElement, + re: &PolynomialRingElement, serialized: &mut [u8], // RING_ELEMENT_OF_T0S_SIZE ) { cloop! { @@ -19,6 +19,7 @@ pub(crate) fn serialize( SIMDUnit::t0_serialize(simd_unit, &mut serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]); } } + // [hax] https://github.com/hacspec/hax/issues/720 () } @@ -33,6 +34,7 @@ fn deserialize( &mut result.simd_units[i], ); } + // [hax] https://github.com/hacspec/hax/issues/720 () } @@ -47,6 +49,8 @@ pub(crate) fn deserialize_to_vector_then_ntt( ntt(&mut ring_elements[i]); } } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[cfg(test)] @@ -105,7 +109,7 @@ mod tests { ]; let mut result = [0u8; RING_ELEMENT_OF_T0S_SIZE]; - serialize::(re, &mut result); + serialize::(&re, &mut result); assert_eq!(result, expected_bytes); } fn test_deserialize_generic() { diff --git a/libcrux-ml-dsa/src/encoding/t1.rs b/libcrux-ml-dsa/src/encoding/t1.rs index c2154d705..8c52e02b7 100644 --- a/libcrux-ml-dsa/src/encoding/t1.rs +++ b/libcrux-ml-dsa/src/encoding/t1.rs @@ -7,7 +7,7 @@ use crate::{ #[inline(always)] pub(crate) fn serialize( - re: PolynomialRingElement, + re: &PolynomialRingElement, ) -> [u8; RING_ELEMENT_OF_T1S_SIZE] { let mut serialized = [0u8; RING_ELEMENT_OF_T1S_SIZE]; @@ -83,7 +83,7 @@ mod tests { 122, ]; - assert_eq!(serialize::(re), expected_bytes); + assert_eq!(serialize::(&re), expected_bytes); } fn test_deserialize_generic() { diff --git a/libcrux-ml-dsa/src/encoding/verification_key.rs b/libcrux-ml-dsa/src/encoding/verification_key.rs index 1c042da3f..51e3905a0 100644 --- a/libcrux-ml-dsa/src/encoding/verification_key.rs +++ b/libcrux-ml-dsa/src/encoding/verification_key.rs @@ -18,9 +18,11 @@ pub(crate) fn generate_serialized( for (i, ring_element) in t1.iter().enumerate() { let offset = SEED_FOR_A_SIZE + (i * RING_ELEMENT_OF_T1S_SIZE); verification_key_serialized[offset..offset + RING_ELEMENT_OF_T1S_SIZE] - .copy_from_slice(&t1::serialize::(*ring_element)); + .copy_from_slice(&t1::serialize::(ring_element)); } } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -38,4 +40,6 @@ pub(crate) fn deserialize( &mut t1[i], ); } + // [hax] https://github.com/hacspec/hax/issues/720 + () } diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index c32d7e257..9e0cb199f 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -27,6 +27,8 @@ pub(crate) fn compute_as1_plus_s2( invert_ntt_montgomery::(&mut result[i]); PolynomialRingElement::add(&mut result[i], &s1_s2[columns_in_a + i]); } + // [hax] https://github.com/hacspec/hax/issues/720 + () } /// Compute InvertNTT(Â ◦ ŷ) @@ -46,6 +48,8 @@ pub(crate) fn compute_matrix_x_mask( } invert_ntt_montgomery(&mut result[i]); } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -57,6 +61,8 @@ pub(crate) fn vector_times_ring_element( ntt_multiply_montgomery(&mut vector[i], ring_element); invert_ntt_montgomery(&mut vector[i]); } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -68,6 +74,8 @@ pub(crate) fn add_vectors( for i in 0..dimension { PolynomialRingElement::::add(&mut lhs[i], &rhs[i]); } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -79,6 +87,8 @@ pub(crate) fn subtract_vectors( for i in 0..dimension { PolynomialRingElement::::subtract(&mut lhs[i], &rhs[i]); } + // [hax] https://github.com/hacspec/hax/issues/720 + () } /// Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) @@ -106,4 +116,6 @@ pub(crate) fn compute_w_approx( t1[i] = inner_result; invert_ntt_montgomery(&mut t1[i]); } + // [hax] https://github.com/hacspec/hax/issues/720 + () } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 8ac0024ea..bcc4967fd 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -120,7 +120,7 @@ pub(crate) fn generate_key_pair< ERROR_RING_ELEMENT_SIZE, seed_for_a, seed_for_signing, - &verification_key, + verification_key, &s1_s2, &t0, signing_key, @@ -296,7 +296,7 @@ pub(crate) fn sign_internal< randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { // FIXME: pass these in as enums instead - let eta = match ETA { + let eta = match ETA as u8 { 2 => Eta::Two, 4 => Eta::Four, _ => unreachable!(), diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs index d04c6a71f..550aa2ab6 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs @@ -25,11 +25,17 @@ use instantiations::avx2::{ #[cfg(feature = "simd128")] use instantiations::neon::{ - generate_key_pair as generate_key_pair_neon, sign as sign_neon, - sign_pre_hashed_shake128 as sign_pre_hashed_shake128_neon, verify as verify_neon, - verify_pre_hashed_shake128 as verify_pre_hashed_shake128_neon, + sign as sign_neon, sign_pre_hashed_shake128 as sign_pre_hashed_shake128_neon, + verify as verify_neon, verify_pre_hashed_shake128 as verify_pre_hashed_shake128_neon, }; +#[cfg(all(feature = "simd128", feature = "mldsa44"))] +use instantiations::neon::generate_key_pair_v44 as generate_key_pair_v44_neon; +#[cfg(all(feature = "simd128", feature = "mldsa65"))] +use instantiations::neon::generate_key_pair_v65 as generate_key_pair_v65_neon; +#[cfg(all(feature = "simd128", feature = "mldsa87"))] +use instantiations::neon::generate_key_pair_v87 as generate_key_pair_v87_neon; + #[cfg(all(feature = "simd128", feature = "acvp"))] use instantiations::neon::{ sign_internal as sign_internal_neon, verify_internal as verify_internal_neon, diff --git a/libcrux-ml-dsa/src/ntt.rs b/libcrux-ml-dsa/src/ntt.rs index 2e96a67f9..711dc2668 100644 --- a/libcrux-ml-dsa/src/ntt.rs +++ b/libcrux-ml-dsa/src/ntt.rs @@ -20,6 +20,8 @@ pub(crate) fn ntt_multiply_montgomery( for i in 0..lhs.simd_units.len() { SIMDUnit::montgomery_multiply(&mut lhs.simd_units[i], &rhs.simd_units[i]); } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[cfg(test)] diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index 38679ebfc..bae18d3bc 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -37,6 +37,8 @@ impl PolynomialRingElement { &mut result.simd_units[i], ); } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[cfg(test)] @@ -63,6 +65,8 @@ impl PolynomialRingElement { for i in 0..self.simd_units.len() { SIMDUnit::add(&mut self.simd_units[i], &rhs.simd_units[i]); } + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -70,5 +74,7 @@ impl PolynomialRingElement { for i in 0..self.simd_units.len() { SIMDUnit::subtract(&mut self.simd_units[i], &rhs.simd_units[i]); } + // [hax] https://github.com/hacspec/hax/issues/720 + () } } diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index a5aecc3dc..ef6553d2f 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -165,6 +165,7 @@ pub(crate) fn sample_up_to_four_ring_elements_flat< ); } + // [hax] https://github.com/hacspec/hax/issues/720 () } @@ -343,9 +344,15 @@ pub(crate) fn sample_four_error_ring_elements::from_i32_array(&out[i % 4], &mut re[i]); } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -429,6 +436,9 @@ pub(crate) fn sample_mask_vector< // TODO: For 87 we may want to do another 4 and discard 1. sample_mask_ring_element::(&seed, &mut mask[i], gamma1_exponent); } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index 14ba92a03..c800c3465 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -47,6 +47,9 @@ pub(crate) fn matrix_flat( elements_requested, ); } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } /// Portable sampling @@ -121,7 +124,21 @@ pub(crate) fn sample_s1_and_s2], ) { - for i in 0..s1_s2.len().div_ceil(4) { + let len = s1_s2.len(); + + // XXX: div_ceil is not implemented in F*. + for i in 0..len / 4 { sample_four_error_ring_elements::(eta, seed, 4 * i as u16, s1_s2); } + + // Do it another time if needed. + let remainder = len % 4; + if remainder != 0 { + sample_four_error_ring_elements::( + eta, + seed, + (len - remainder) as u16, + s1_s2, + ); + } } diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index dac4c0dbd..3739b5cde 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -12,6 +12,7 @@ mod vector_type; pub(crate) use vector_type::{AVX2RingElement, AVX2SIMDUnit}; +/// Implementing the [`Operations`] for AVX2. impl Operations for AVX2SIMDUnit { type Coefficient = vector_type::Vec256; diff --git a/libcrux-ml-dsa/src/simd/avx2/invntt.rs b/libcrux-ml-dsa/src/simd/avx2/invntt.rs index 5337a68f8..bb15d5ac6 100644 --- a/libcrux-ml-dsa/src/simd/avx2/invntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/invntt.rs @@ -27,6 +27,9 @@ pub(crate) fn invert_ntt_montgomery(re: &mut AVX2RingElement) { const FACTOR: i32 = 41_978; re[i] = arithmetic::montgomery_multiply_by_constant(re[i], FACTOR); } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } unsafe { inv_inner(re) }; @@ -279,6 +282,8 @@ fn outer_3_plus( re[j] = mm256_add_epi32(re[j], re[j + STEP_BY]); re[j + STEP_BY] = arithmetic::montgomery_multiply_by_constant(a_minus_b, ZETA); } + + // [hax] https://github.com/hacspec/hax/issues/720 () } diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index ece8055c2..03aa24059 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -316,7 +316,9 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { re[j] = mm256_add_epi32(re[j], re[j + STEP_BY]); re[j + STEP_BY] = tmp; } - () // Needed because of https://github.com/hacspec/hax/issues/720 + + // [hax] https://github.com/hacspec/hax/issues/720 + () } // Layer 5 diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 92cedfb7a..ac4e9393b 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -14,6 +14,9 @@ pub fn add(lhs: &mut Coefficients, rhs: &Coefficients) { for i in 0..lhs.len() { lhs[i] += rhs[i]; } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -21,6 +24,9 @@ pub fn subtract(lhs: &mut Coefficients, rhs: &Coefficients) { for i in 0..lhs.len() { lhs[i] -= rhs[i]; } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -55,6 +61,9 @@ pub(crate) fn montgomery_multiply_by_constant(simd_unit: &mut Coefficients, c: i for i in 0..simd_unit.len() { simd_unit[i] = montgomery_reduce_element((simd_unit[i] as i64) * (c as i64)) } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -62,6 +71,9 @@ pub(crate) fn montgomery_multiply(lhs: &mut Coefficients, rhs: &Coefficients) { for i in 0..lhs.len() { lhs[i] = montgomery_reduce_element((lhs[i] as i64) * (rhs[i] as i64)) } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } // Splits t ∈ {0, ..., q-1} into t0 and t1 with a = t1*2ᴰ + t0 @@ -96,12 +108,16 @@ pub(super) fn power2round(t0: &mut Coefficients, t1: &mut Coefficients) { for i in 0..t0.len() { (t0[i], t1[i]) = power2round_element(t0[i]); } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } // TODO: Revisit this function when doing the range analysis and testing // additional KATs. #[inline(always)] pub(super) fn infinity_norm_exceeds(simd_unit: &Coefficients, bound: i32) -> bool { + let mut result = false; // It is ok to leak which coefficient violates the bound since // the probability for each coefficient is independent of secret // data but we must not leak the sign of the centralized representative. @@ -119,13 +135,14 @@ pub(super) fn infinity_norm_exceeds(simd_unit: &Coefficients, bound: i32) -> boo let normalized = coefficient - (sign & (2 * coefficient)); // FIXME: return + // [hax] https://github.com/hacspec/hax/issues/1204 if normalized >= bound { - return true; + result = true; } } } - false + result } #[inline(always)] @@ -140,6 +157,9 @@ pub(super) fn shift_left_then_reduce(simd_unit: &mut Coeffi for i in 0..simd_unit.len() { simd_unit[i] = reduce_element(simd_unit[i] << SHIFT_BY); } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -266,6 +286,9 @@ pub fn decompose( for i in 0..low.len() { (low[i], high[i]) = decompose_element(gamma2, simd_unit[i]); } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -273,6 +296,9 @@ pub fn use_hint(gamma2: Gamma2, simd_unit: &Coefficients, hint: &mut Coefficient for i in 0..hint.len() { hint[i] = use_one_hint(gamma2, simd_unit[i], hint[i]); } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[cfg(test)] diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index d852c3d74..fe370913c 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -33,6 +33,8 @@ fn serialize_when_eta_is_4(simd_unit: &Coefficients, serialized: &mut [u8]) { serialized[i] = (coefficient1 << 4) | coefficient0; } } + + // [hax] https://github.com/hacspec/hax/issues/720 () } @@ -76,6 +78,9 @@ fn deserialize_when_eta_is_4(serialized: &[u8], simd_units: &mut Coefficients) { simd_units[2 * i + 1] = ETA - ((byte >> 4) as i32); } } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] pub(crate) fn deserialize(eta: Eta, serialized: &[u8], out: &mut Coefficients) { diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs index 1dfb5c952..b0eaa4c17 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs @@ -31,6 +31,8 @@ fn serialize_when_gamma1_is_2_pow_17(simd_unit: &Coefficients, serialized: &mut serialized[9 * i + 8] = (coefficient3 >> 10) as u8; } } + + // [hax] https://github.com/hacspec/hax/issues/720 () } @@ -53,6 +55,8 @@ fn serialize_when_gamma1_is_2_pow_19(simd_unit: &Coefficients, serialized: &mut serialized[5 * i + 4] = (coefficient1 >> 12) as u8; } } + + // [hax] https://github.com/hacspec/hax/issues/720 () } @@ -102,6 +106,9 @@ fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8], simd_unit: &mut Coeffi simd_unit[4 * i + 3] = GAMMA1 - coefficient3; } } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -128,7 +135,11 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8], simd_unit: &mut Coeffi simd_unit[2 * i + 1] = GAMMA1 - coefficient1; } } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } + #[inline(always)] pub(crate) fn deserialize(serialized: &[u8], out: &mut Coefficients, gamma1_exponent: usize) { match gamma1_exponent as u8 { diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs index bc01abda6..72f08046f 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs @@ -18,6 +18,9 @@ pub fn serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { serialized[5 * i + 4] = ((coefficients[3] >> 2) & 0xFF) as u8; } } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } #[inline(always)] @@ -40,4 +43,7 @@ pub fn deserialize(serialized: &[u8], simd_unit: &mut Coefficients) { simd_unit[4 * i + 3] = ((byte3 >> 6) | (byte4 << 2)) & mask; } } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } diff --git a/libcrux-ml-dsa/src/simd/portable/invntt.rs b/libcrux-ml-dsa/src/simd/portable/invntt.rs index 82f37e592..bd85f0c9e 100644 --- a/libcrux-ml-dsa/src/simd/portable/invntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/invntt.rs @@ -212,6 +212,8 @@ fn outer_3_plus( re[j + STEP_BY] = a_minus_b; arithmetic::montgomery_multiply_by_constant(&mut re[j + STEP_BY], ZETA); } + + // [hax] https://github.com/hacspec/hax/issues/720 () } @@ -299,4 +301,7 @@ pub(crate) fn invert_ntt_montgomery(re: &mut [Coefficients; SIMD_UNITS_IN_RING_E // - Convert the elements form montgomery domain to the standard domain. arithmetic::montgomery_multiply_by_constant(&mut re[i], 41_978); } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 95c54edc8..fb70c9f92 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -19,7 +19,6 @@ pub(crate) type FieldElementTimesMontgomeryR = i32; pub(crate) trait Operations: Copy + Clone { type Coefficient: Copy; // XXX: make generic? drop copy? - #[allow(non_snake_case)] fn zero() -> Self::Coefficient; fn from_coefficient_array(array: &[i32], out: &mut Self::Coefficient); @@ -52,14 +51,14 @@ pub(crate) trait Operations: Copy + Clone { // Sampling // // In the sampling functions, since each SIMD unit can hold 8 coefficients, - // we expect that |out| has the capacity for up to 8 coefficients. + // we expect that `out` has the capacity for up to 8 coefficients. // Since each coefficient could potentially be sampled with 3 bytes, we expect - // |randomness| to hold 24 bytes. + // `randomness` to hold 24 bytes. fn rejection_sample_less_than_field_modulus(randomness: &[u8], out: &mut [i32]) -> usize; // Since each coefficient could potentially be sampled with half a byte, - // we expect |randomness| to hold 4 bytes. + // we expect `randomness` to hold 4 bytes. fn rejection_sample_less_than_eta_equals_2(randomness: &[u8], out: &mut [i32]) -> usize; fn rejection_sample_less_than_eta_equals_4(randomness: &[u8], out: &mut [i32]) -> usize; From 2b59dd85b7ce9fd6f0460662ce8ed86865000298 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 3 Jan 2025 09:45:46 +0000 Subject: [PATCH 34/58] mldsa: F* extraction --- .../extraction/Libcrux_ml_dsa.Arithmetic.fst | 551 +++-- .../extraction/Libcrux_ml_dsa.Arithmetic.fsti | 44 +- .../Libcrux_ml_dsa.Constants.V44.fsti | 13 + .../Libcrux_ml_dsa.Constants.V65.fsti | 13 + .../Libcrux_ml_dsa.Constants.V87.fsti | 13 + .../extraction/Libcrux_ml_dsa.Constants.fst | 72 + .../extraction/Libcrux_ml_dsa.Constants.fsti | 48 + .../Libcrux_ml_dsa.Encoding.Commitment.fst | 29 +- .../Libcrux_ml_dsa.Encoding.Commitment.fsti | 7 +- .../Libcrux_ml_dsa.Encoding.Error.fst | 143 +- .../Libcrux_ml_dsa.Encoding.Error.fsti | 26 +- .../Libcrux_ml_dsa.Encoding.Gamma1.fst | 33 +- .../Libcrux_ml_dsa.Encoding.Gamma1.fsti | 4 +- .../Libcrux_ml_dsa.Encoding.Signature.fst | 272 +-- .../Libcrux_ml_dsa.Encoding.Signature.fsti | 43 +- .../Libcrux_ml_dsa.Encoding.Signing_key.fst | 204 +- .../Libcrux_ml_dsa.Encoding.Signing_key.fsti | 24 +- .../extraction/Libcrux_ml_dsa.Encoding.T0.fst | 131 +- .../Libcrux_ml_dsa.Encoding.T0.fsti | 17 +- .../extraction/Libcrux_ml_dsa.Encoding.T1.fst | 22 +- ...bcrux_ml_dsa.Encoding.Verification_key.fst | 85 +- ...crux_ml_dsa.Encoding.Verification_key.fsti | 17 +- .../extraction/Libcrux_ml_dsa.Matrix.fst | 603 +++--- .../extraction/Libcrux_ml_dsa.Matrix.fsti | 75 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst | 35 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst | 35 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst | 39 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst | 33 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti | 2 + .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst | 35 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst | 35 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst | 39 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst | 33 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti | 2 + .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst | 35 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst | 35 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst | 39 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst | 33 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti | 2 + ...neric.Instantiations.Avx2.Avx2_feature.fst | 100 +- ...eric.Instantiations.Avx2.Avx2_feature.fsti | 31 +- ...dsa.Ml_dsa_generic.Instantiations.Avx2.fst | 78 +- ...sa.Ml_dsa_generic.Instantiations.Avx2.fsti | 31 +- ...dsa.Ml_dsa_generic.Instantiations.Neon.fst | 95 +- ...sa.Ml_dsa_generic.Instantiations.Neon.fsti | 31 +- ...Ml_dsa_generic.Instantiations.Portable.fst | 101 +- ...l_dsa_generic.Instantiations.Portable.fsti | 31 +- ...rux_ml_dsa.Ml_dsa_generic.Multiplexing.fst | 240 ++- ...ux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti | 29 +- .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 1767 ++++++++++++----- .../Libcrux_ml_dsa.Ml_dsa_generic.fsti | 222 ++- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst | 78 +- .../extraction/Libcrux_ml_dsa.Polynomial.fst | 270 +-- .../extraction/Libcrux_ml_dsa.Polynomial.fsti | 53 +- .../extraction/Libcrux_ml_dsa.Pre_hash.fst | 6 +- .../extraction/Libcrux_ml_dsa.Sample.fst | 807 ++++---- .../extraction/Libcrux_ml_dsa.Sample.fsti | 86 +- .../Libcrux_ml_dsa.Samplex4.Avx2.fst | 75 +- .../Libcrux_ml_dsa.Samplex4.Avx2.fsti | 14 +- .../Libcrux_ml_dsa.Samplex4.Neon.fst | 46 +- .../Libcrux_ml_dsa.Samplex4.Portable.fst | 46 +- .../extraction/Libcrux_ml_dsa.Samplex4.fst | 1406 ++----------- .../extraction/Libcrux_ml_dsa.Samplex4.fsti | 125 +- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst | 394 ++-- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti | 32 +- ...ibcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst | 50 +- ...bcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti | 9 +- ...bcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst | 73 +- ...crux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti | 15 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst | 30 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti | 6 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst | 43 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti | 6 +- .../Libcrux_ml_dsa.Simd.Avx2.Invntt.fst | 64 +- .../Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti | 7 + .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst | 371 ++-- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti | 43 +- ...md.Avx2.Rejection_sample.Less_than_eta.fst | 5 +- .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst | 55 +- .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti | 26 +- .../extraction/Libcrux_ml_dsa.Simd.Avx2.fst | 683 ------- .../extraction/Libcrux_ml_dsa.Simd.Avx2.fsti | 570 +++++- ...ibcrux_ml_dsa.Simd.Portable.Arithmetic.fst | 629 ++---- ...bcrux_ml_dsa.Simd.Portable.Arithmetic.fsti | 97 +- ..._dsa.Simd.Portable.Encoding.Commitment.fst | 9 +- ...dsa.Simd.Portable.Encoding.Commitment.fsti | 4 +- ...ux_ml_dsa.Simd.Portable.Encoding.Error.fst | 389 ++-- ...x_ml_dsa.Simd.Portable.Encoding.Error.fsti | 35 +- ...x_ml_dsa.Simd.Portable.Encoding.Gamma1.fst | 174 +- ..._ml_dsa.Simd.Portable.Encoding.Gamma1.fsti | 37 +- ...bcrux_ml_dsa.Simd.Portable.Encoding.T0.fst | 334 ++-- ...crux_ml_dsa.Simd.Portable.Encoding.T0.fsti | 10 +- ...bcrux_ml_dsa.Simd.Portable.Encoding.T1.fst | 106 +- ...crux_ml_dsa.Simd.Portable.Encoding.T1.fsti | 10 +- .../Libcrux_ml_dsa.Simd.Portable.Invntt.fst | 1081 +++------- .../Libcrux_ml_dsa.Simd.Portable.Invntt.fsti | 131 +- .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst | 1069 +++------- .../Libcrux_ml_dsa.Simd.Portable.Ntt.fsti | 135 +- ...bcrux_ml_dsa.Simd.Portable.Vector_type.fst | 47 +- ...crux_ml_dsa.Simd.Portable.Vector_type.fsti | 16 +- .../Libcrux_ml_dsa.Simd.Portable.fst | 486 ----- .../Libcrux_ml_dsa.Simd.Portable.fsti | 450 ++++- .../Libcrux_ml_dsa.Simd.Traits.fsti | 282 +-- .../fstar/extraction/Libcrux_ml_dsa.Types.fst | 4 +- .../fstar/extraction/Libcrux_ml_dsa.Utils.fst | 37 - .../extraction/Libcrux_ml_dsa.Utils.fsti | 8 - 106 files changed, 7460 insertions(+), 9291 deletions(-) create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V44.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V65.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V87.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst index 787aefa44..999126874 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst @@ -11,245 +11,211 @@ let _ = let decompose_vector (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) - (v_GAMMA2: i32) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (dimension: usize) + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (t low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - let vector_low:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION - = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION - in - let vector_high:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION - = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION - in - let vector_high, vector_low:(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = Rust_primitives.Hax.Folds.fold_range (sz 0) - v_DIMENSION + dimension (fun temp_0_ temp_1_ -> - let vector_high, vector_low:(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let _:usize = temp_1_ in true) - (vector_high, vector_low + (high, low <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) (fun temp_0_ i -> - let vector_high, vector_low:(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let i:usize = i in Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit - ((vector_low.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + (Core.Slice.impl__len #i1.f_Coefficient + ((low.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) <: usize) (fun temp_0_ temp_1_ -> - let vector_high, vector_low:(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION - ) = + let high, low:(t_Slice + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let _:usize = temp_1_ in true) - (vector_high, vector_low + (high, low <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) (fun temp_0_ j -> - let vector_high, vector_low:(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION - ) = + let high, low:(t_Slice + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let j:usize = j in - let low, high:(v_SIMDUnit & v_SIMDUnit) = + let tmp0, tmp1:(i1.f_Coefficient & i1.f_Coefficient) = Libcrux_ml_dsa.Simd.Traits.f_decompose #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - v_GAMMA2 + gamma2 ((t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: - v_SIMDUnit) + i1.f_Coefficient) + ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + i1.f_Coefficient) + ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + i1.f_Coefficient) in - let vector_low:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector_low + let low:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low i ({ - (vector_low.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + (low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with Libcrux_ml_dsa.Polynomial.f_simd_units = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (vector_low.[ i - ] + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units j - low + tmp0 <: - t_Array v_SIMDUnit (sz 32) + t_Array i1.f_Coefficient (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let vector_high:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector_high + let high:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high i ({ - (vector_high.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + (high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with Libcrux_ml_dsa.Polynomial.f_simd_units = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (vector_high.[ i - ] + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units j - high + tmp1 <: - t_Array v_SIMDUnit (sz 32) + t_Array i1.f_Coefficient (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - vector_high, vector_low + high, low <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION - )) + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) in - vector_low, vector_high + let hax_temp_output:Prims.unit = () <: Prims.unit in + low, high <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) let power2round_vector (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (t t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION - in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION - in - let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = - Rust_primitives.Hax.Folds.fold_enumerated_slice (t + let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) t <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + usize) (fun temp_0_ temp_1_ -> - let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let _:usize = temp_1_ in true) - (t0, t1 + (t, t1 <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) - (fun temp_0_ temp_1_ -> - let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) + (fun temp_0_ i -> + let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in - let i, ring_element:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - = - temp_1_ - in - Rust_primitives.Hax.Folds.fold_enumerated_slice (ring_element - .Libcrux_ml_dsa.Polynomial.f_simd_units + let i:usize = i in + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i1.f_Coefficient + ((t.[ i ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) <: - t_Slice v_SIMDUnit) + usize) (fun temp_0_ temp_1_ -> - let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION - ) = + let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let _:usize = temp_1_ in true) - (t0, t1 + (t, t1 <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) - (fun temp_0_ temp_1_ -> - let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION - ) = + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) + (fun temp_0_ j -> + let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in - let j, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - let t0_unit, t1_unit:(v_SIMDUnit & v_SIMDUnit) = + let j:usize = j in + let tmp0, tmp1:(i1.f_Coefficient & i1.f_Coefficient) = Libcrux_ml_dsa.Simd.Traits.f_power2round #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - simd_unit + ((t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + i1.f_Coefficient) + ((t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + i1.f_Coefficient) in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0 + let t:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t i ({ - (t0.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + (t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with Libcrux_ml_dsa.Polynomial.f_simd_units = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t0.[ i ] + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units j - t0_unit + tmp0 <: - t_Array v_SIMDUnit (sz 32) + t_Array i1.f_Coefficient (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 i ({ @@ -261,26 +227,26 @@ let power2round_vector Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units j - t1_unit + tmp1 <: - t_Array v_SIMDUnit (sz 32) + t_Array i1.f_Coefficient (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - t0, t1 + t, t1 <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION - )) + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) in - t0, t1 + let hax_temp_output:Prims.unit = () <: Prims.unit in + t, t1 <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) let shift_left_then_reduce (#v_SIMDUnit: Type0) @@ -290,163 +256,78 @@ let shift_left_then_reduce Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - in - let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i1.f_Coefficient + (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) <: - t_Slice v_SIMDUnit) - (fun out temp_1_ -> - let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + usize) + (fun re temp_1_ -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in let _:usize = temp_1_ in true) - out - (fun out temp_1_ -> - let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + re + (fun re i -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let i:usize = i in { - out with + re with Libcrux_ml_dsa.Polynomial.f_simd_units = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_dsa.Polynomial.f_simd_units i (Libcrux_ml_dsa.Simd.Traits.f_shift_left_then_reduce #v_SIMDUnit #FStar.Tactics.Typeclasses.solve v_SHIFT_BY - simd_unit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) <: - v_SIMDUnit) + i1.f_Coefficient) <: - t_Array v_SIMDUnit (sz 32) + t_Array i1.f_Coefficient (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - out - -let use_hint - (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) - (v_GAMMA2: i32) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) - (re_vector: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - = - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION - in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_DIMENSION - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - result - in - let _:usize = temp_1_ in - true) - result - (fun result i -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - result - in - let i:usize = i in - let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (hint.[ i ] <: t_Slice i32) - in - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit - ((result.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) - <: - usize) - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - result - in - let _:usize = temp_1_ in - true) - result - (fun result j -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - result - in - let j:usize = j in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - i - ({ - (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (result.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - .Libcrux_ml_dsa.Polynomial.f_simd_units - j - (Libcrux_ml_dsa.Simd.Traits.f_use_hint #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - v_GAMMA2 - ((re_vector.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] - <: - v_SIMDUnit) - (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) - <: - v_SIMDUnit) - <: - t_Array v_SIMDUnit (sz 32) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) - in - result + let hax_temp_output:Prims.unit = () <: Prims.unit in + re let vector_infinity_norm_exceeds (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) (bound: i32) = - let exceeds:bool = false in - let exceeds:bool = + let result:bool = false in + let result:bool = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) #FStar.Tactics.Typeclasses.solve (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (vector <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + vector <: Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) <: Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - exceeds - (fun exceeds ring_element -> - let exceeds:bool = exceeds in + result + (fun result ring_element -> + let result:bool = result in let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = ring_element in - exceeds || - (Libcrux_ml_dsa.Polynomial.impl__infinity_norm_exceeds #v_SIMDUnit ring_element bound - <: - bool)) + if + (~.result <: bool) && + (Libcrux_ml_dsa.Polynomial.impl__infinity_norm_exceeds #v_SIMDUnit ring_element bound + <: + bool) + then + let result:bool = result || true in + result + else result) in - exceeds + result let make_hint (#v_SIMDUnit: Type0) @@ -456,31 +337,42 @@ let make_hint i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) = - let hint:t_Array (t_Array i32 (sz 256)) v_DIMENSION = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) - v_DIMENSION - in let true_hints:usize = sz 0 in - let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = + let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let hint, hint_simd, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) v_DIMENSION (fun temp_0_ temp_1_ -> - let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = temp_0_ in + let hint, hint_simd, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) = + temp_0_ + in let _:usize = temp_1_ in true) - (hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize)) + (hint, hint_simd, true_hints + <: + (t_Array (t_Array i32 (sz 256)) v_DIMENSION & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize)) (fun temp_0_ i -> - let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = temp_0_ in - let i:usize = i in - let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + let hint, hint_simd, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) = + temp_0_ in + let i:usize = i in let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit - (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + (Core.Slice.impl__len #i1.f_Coefficient + (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) <: usize) (fun temp_0_ temp_1_ -> @@ -501,18 +393,19 @@ let make_hint temp_0_ in let j:usize = j in - let one_hints_count, current_hint:(usize & v_SIMDUnit) = + let tmp0, out:(i1.f_Coefficient & usize) = Libcrux_ml_dsa.Simd.Traits.f_compute_hint #v_SIMDUnit #FStar.Tactics.Typeclasses.solve v_GAMMA2 ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: - v_SIMDUnit) + i1.f_Coefficient) ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: - v_SIMDUnit) + i1.f_Coefficient) + (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: i1.f_Coefficient) in let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = { @@ -522,11 +415,12 @@ let make_hint Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint_simd .Libcrux_ml_dsa.Polynomial.f_simd_units j - current_hint + tmp0 } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit in + let one_hints_count:usize = out in let true_hints:usize = true_hints +! one_hints_count in hint_simd, true_hints <: @@ -539,6 +433,95 @@ let make_hint <: t_Array i32 (sz 256)) in - hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize)) + hint, hint_simd, true_hints + <: + (t_Array (t_Array i32 (sz 256)) v_DIMENSION & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize)) + in + let hax_temp_output:usize = true_hints in + hint, hax_temp_output <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) + +let use_hint + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (hint: t_Slice (t_Array i32 (sz 256))) + (re_vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + = + let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + re_vector + <: + usize) + (fun re_vector temp_1_ -> + let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + re_vector + in + let _:usize = temp_1_ in + true) + re_vector + (fun re_vector i -> + let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + re_vector + in + let i:usize = i in + let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit + (hint.[ i ] <: t_Slice i32) + tmp + in + let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i1.f_Coefficient + ((re_vector.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice i1.f_Coefficient) + <: + usize) + (fun tmp temp_1_ -> + let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp in + let _:usize = temp_1_ in + true) + tmp + (fun tmp j -> + let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp in + let j:usize = j in + { + tmp with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + (Libcrux_ml_dsa.Simd.Traits.f_use_hint #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + gamma2 + ((re_vector.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + i1.f_Coefficient) + (tmp.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: i1.f_Coefficient) + <: + i1.f_Coefficient) + <: + t_Array i1.f_Coefficient (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re_vector i tmp + in + re_vector) in - hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) + let hax_temp_output:Prims.unit = () <: Prims.unit in + re_vector diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti index aa749b797..162c31133 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti @@ -11,24 +11,23 @@ let _ = val decompose_vector (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) - (v_GAMMA2: i32) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (dimension: usize) + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (t low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) val power2round_vector (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (t t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) @@ -41,24 +40,10 @@ val shift_left_then_reduce Prims.l_True (fun _ -> Prims.l_True) -val use_hint - (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) - (v_GAMMA2: i32) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) - (re_vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION - ) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - Prims.l_True - (fun _ -> Prims.l_True) - val vector_infinity_norm_exceeds (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) (bound: i32) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) @@ -68,6 +53,17 @@ val make_hint (v_GAMMA2: i32) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) : Prims.Pure (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) Prims.l_True (fun _ -> Prims.l_True) + +val use_hint + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (hint: t_Slice (t_Array i32 (sz 256))) + (re_vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V44.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V44.fsti new file mode 100644 index 000000000..0ac18ca06 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V44.fsti @@ -0,0 +1,13 @@ +module Libcrux_ml_dsa.Constants.V44 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 + +let v_COLUMNS_IN_A: usize = sz 4 + +let v_ETA: Libcrux_ml_dsa.Constants.t_Eta = + Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta + +let v_ROWS_IN_A: usize = sz 4 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V65.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V65.fsti new file mode 100644 index 000000000..ff1b5d542 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V65.fsti @@ -0,0 +1,13 @@ +module Libcrux_ml_dsa.Constants.V65 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4 + +let v_COLUMNS_IN_A: usize = sz 5 + +let v_ETA: Libcrux_ml_dsa.Constants.t_Eta = + Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta + +let v_ROWS_IN_A: usize = sz 6 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V87.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V87.fsti new file mode 100644 index 000000000..5f0a77d63 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V87.fsti @@ -0,0 +1,13 @@ +module Libcrux_ml_dsa.Constants.V87 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 + +let v_COLUMNS_IN_A: usize = sz 7 + +let v_ETA: Libcrux_ml_dsa.Constants.t_Eta = + Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta + +let v_ROWS_IN_A: usize = sz 8 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst new file mode 100644 index 000000000..a8b6eebb7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst @@ -0,0 +1,72 @@ +module Libcrux_ml_dsa.Constants +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let t_Eta_cast_to_repr (x: t_Eta) = + match x <: t_Eta with + | Eta_Two -> discriminant_Eta_Two + | Eta_Four -> discriminant_Eta_Four + +let t_Gamma2_cast_to_repr (x: t_Gamma2) = + match x <: t_Gamma2 with + | Gamma2_V95_232_ -> discriminant_Gamma2_V95_232_ + | Gamma2_V261_888_ -> discriminant_Gamma2_V261_888_ + +let error_ring_element_size (bits_per_error_coefficient: usize) = + (bits_per_error_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 + +let signing_key_size (rows_in_a columns_in_a error_ring_element_size: usize) = + (((v_SEED_FOR_A_SIZE +! v_SEED_FOR_SIGNING_SIZE <: usize) +! v_BYTES_FOR_VERIFICATION_KEY_HASH + <: + usize) +! + ((rows_in_a +! columns_in_a <: usize) *! error_ring_element_size <: usize) + <: + usize) +! + (rows_in_a *! v_RING_ELEMENT_OF_T0S_SIZE <: usize) + +let verification_key_size (rows_in_a: usize) = + v_SEED_FOR_A_SIZE +! + (((v_COEFFICIENTS_IN_RING_ELEMENT *! rows_in_a <: usize) *! + (v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! v_BITS_IN_LOWER_PART_OF_T <: usize) + <: + usize) /! + sz 8 + <: + usize) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl': Core.Fmt.t_Debug t_Eta + +let impl = impl' + +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_1': Core.Clone.t_Clone t_Eta + +let impl_1 = impl_1' + +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_2': Core.Marker.t_Copy t_Eta + +let impl_2 = impl_2' + +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_3': Core.Fmt.t_Debug t_Gamma2 + +let impl_3 = impl_3' + +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_4': Core.Clone.t_Clone t_Gamma2 + +let impl_4 = impl_4' + +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_5': Core.Marker.t_Copy t_Gamma2 + +let impl_5 = impl_5' diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti index 6263c2610..e94db3904 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti @@ -3,6 +3,28 @@ module Libcrux_ml_dsa.Constants open Core open FStar.Mul +let discriminant_Eta_Four: isize = isz 4 + +/// Eta values +type t_Eta = + | Eta_Two : t_Eta + | Eta_Four : t_Eta + +let discriminant_Eta_Two: isize = isz 2 + +val t_Eta_cast_to_repr (x: t_Eta) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +let discriminant_Gamma2_V261_888_: isize = isz 261888 + +/// Gamma2 values +type t_Gamma2 = + | Gamma2_V95_232_ : t_Gamma2 + | Gamma2_V261_888_ : t_Gamma2 + +let discriminant_Gamma2_V95_232_: isize = isz 95232 + +val t_Gamma2_cast_to_repr (x: t_Gamma2) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + let v_BITS_IN_LOWER_PART_OF_T: usize = sz 13 let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = sz 64 @@ -42,3 +64,29 @@ let v_SEED_FOR_SIGNING_SIZE: usize = sz 32 /// Number of bytes of entropy required for signing. let v_SIGNING_RANDOMNESS_SIZE: usize = sz 32 + +val error_ring_element_size (bits_per_error_coefficient: usize) + : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +val signing_key_size (rows_in_a columns_in_a error_ring_element_size: usize) + : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +val verification_key_size (rows_in_a: usize) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl:Core.Fmt.t_Debug t_Eta + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_1:Core.Clone.t_Clone t_Eta + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_2:Core.Marker.t_Copy t_Eta + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_3:Core.Fmt.t_Debug t_Gamma2 + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_4:Core.Clone.t_Clone t_Gamma2 + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_5:Core.Marker.t_Copy t_Gamma2 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst index bfbcf309d..ddad1b46a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst @@ -23,7 +23,7 @@ let serialize let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: - t_Slice v_SIMDUnit) + t_Slice i1.f_Coefficient) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -31,7 +31,7 @@ let serialize serialized (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + let i, simd_unit:(usize & i1.f_Coefficient) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; @@ -62,35 +62,35 @@ let serialize let serialize_vector (#v_SIMDUnit: Type0) - (v_DIMENSION v_RING_ELEMENT_SIZE v_OUTPUT_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (ring_element_size: usize) + (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (serialized: t_Slice u8) = - let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in let (offset: usize):usize = sz 0 in - let offset, serialized:(usize & t_Array u8 v_OUTPUT_SIZE) = + let offset, serialized:(usize & t_Slice u8) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) #FStar.Tactics.Typeclasses.solve (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (vector <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + vector <: Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) <: Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (offset, serialized <: (usize & t_Array u8 v_OUTPUT_SIZE)) + (offset, serialized <: (usize & t_Slice u8)) (fun temp_0_ ring_element -> - let offset, serialized:(usize & t_Array u8 v_OUTPUT_SIZE) = temp_0_ in + let offset, serialized:(usize & t_Slice u8) = temp_0_ in let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = ring_element in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! v_RING_ELEMENT_SIZE <: usize + Core.Ops.Range.f_end = offset +! ring_element_size <: usize } <: Core.Ops.Range.t_Range usize) @@ -98,7 +98,7 @@ let serialize_vector ring_element (serialized.[ { Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! v_RING_ELEMENT_SIZE <: usize + Core.Ops.Range.f_end = offset +! ring_element_size <: usize } <: Core.Ops.Range.t_Range usize ] @@ -107,7 +107,8 @@ let serialize_vector <: t_Slice u8) in - let offset:usize = offset +! v_RING_ELEMENT_SIZE in - offset, serialized <: (usize & t_Array u8 v_OUTPUT_SIZE)) + let offset:usize = offset +! ring_element_size in + offset, serialized <: (usize & t_Slice u8)) in + let hax_temp_output:Prims.unit = () <: Prims.unit in serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti index 53816fd08..125774597 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti @@ -18,7 +18,8 @@ val serialize val serialize_vector (#v_SIMDUnit: Type0) - (v_DIMENSION v_RING_ELEMENT_SIZE v_OUTPUT_SIZE: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (ring_element_size: usize) + (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst index e95ba0a90..60f503c84 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst @@ -9,20 +9,25 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let chunk_size (eta: Libcrux_ml_dsa.Constants.t_Eta) = + match eta <: Libcrux_ml_dsa.Constants.t_Eta with + | Libcrux_ml_dsa.Constants.Eta_Two -> sz 3 + | Libcrux_ml_dsa.Constants.Eta_Four -> sz 4 + let deserialize (#v_SIMDUnit: Type0) - (v_ETA: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (eta: Libcrux_ml_dsa.Constants.t_Eta) (serialized: t_Slice u8) (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let chunk_size:usize = if v_ETA =. sz 2 then sz 3 else sz 4 in + let chunk_size:usize = chunk_size eta in let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit - (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + (Core.Slice.impl__len #i1.f_Coefficient + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) <: usize) (fun result temp_1_ -> @@ -42,7 +47,7 @@ let deserialize i (Libcrux_ml_dsa.Simd.Traits.f_error_deserialize #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - v_ETA + eta (serialized.[ { Core.Ops.Range.f_start = i *! chunk_size <: usize; Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! chunk_size <: usize @@ -51,10 +56,11 @@ let deserialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) + (result.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) <: - v_SIMDUnit) + i1.f_Coefficient) <: - t_Array v_SIMDUnit (sz 32) + t_Array i1.f_Coefficient (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -62,81 +68,20 @@ let deserialize let hax_temp_output:Prims.unit = () <: Prims.unit in result -let deserialize_to_vector_then_ntt - (#v_SIMDUnit: Type0) - (v_DIMENSION v_ETA v_RING_ELEMENT_SIZE: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (serialized: t_Slice u8) - = - let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION - in - let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice v_RING_ELEMENT_SIZE - serialized - (fun ring_elements temp_1_ -> - let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - ring_elements - in - let _:usize = temp_1_ in - true) - ring_elements - (fun ring_elements temp_1_ -> - let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - ring_elements - in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements - i - (deserialize #v_SIMDUnit - v_ETA - bytes - (ring_elements.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in - let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (ring_elements.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in - ring_elements) - in - ring_elements - let serialize (#v_SIMDUnit: Type0) - (v_ETA v_OUTPUT_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (eta: Libcrux_ml_dsa.Constants.t_Eta) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (serialized: t_Slice u8) = - let output_bytes_per_simd_unit:usize = if v_ETA =. sz 2 then sz 3 else sz 4 in + let output_bytes_per_simd_unit:usize = chunk_size eta in let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: - t_Slice v_SIMDUnit) + t_Slice i1.f_Coefficient) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -144,7 +89,7 @@ let serialize serialized (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + let i, simd_unit:(usize & i1.f_Coefficient) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; @@ -154,7 +99,7 @@ let serialize Core.Ops.Range.t_Range usize) (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - v_ETA + eta simd_unit (serialized.[ { Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; @@ -173,3 +118,55 @@ let serialize in let hax_temp_output:Prims.unit = () <: Prims.unit in serialized + +let deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (ring_element_size: usize) + (serialized: t_Slice u8) + (ring_elements: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + = + let ring_elements:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ring_element_size + serialized + (fun ring_elements temp_1_ -> + let ring_elements:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + ring_elements + in + let _:usize = temp_1_ in + true) + ring_elements + (fun ring_elements temp_1_ -> + let ring_elements:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + ring_elements + in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let ring_elements:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (deserialize #v_SIMDUnit + eta + bytes + (ring_elements.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let ring_elements:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (ring_elements.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + ring_elements) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + ring_elements diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti index 2136a90ef..22e863781 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti @@ -9,30 +9,34 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +val chunk_size (eta: Libcrux_ml_dsa.Constants.t_Eta) + : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + val deserialize (#v_SIMDUnit: Type0) - (v_ETA: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (eta: Libcrux_ml_dsa.Constants.t_Eta) (serialized: t_Slice u8) (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_to_vector_then_ntt +val serialize (#v_SIMDUnit: Type0) - (v_DIMENSION v_ETA v_RING_ELEMENT_SIZE: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (serialized: t_Slice u8) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val serialize +val deserialize_to_vector_then_ntt (#v_SIMDUnit: Type0) - (v_ETA v_OUTPUT_SIZE: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (ring_element_size: usize) (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + (ring_elements: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst index a55f19fe7..0e53c0ee1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst @@ -11,17 +11,17 @@ let _ = let deserialize (#v_SIMDUnit: Type0) - (v_GAMMA1_EXPONENT: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (gamma1_exponent: usize) (serialized: t_Slice u8) (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit - (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + (Core.Slice.impl__len #i1.f_Coefficient + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) <: usize) (fun result temp_1_ -> @@ -41,21 +41,22 @@ let deserialize i (Libcrux_ml_dsa.Simd.Traits.f_gamma1_deserialize #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - v_GAMMA1_EXPONENT (serialized.[ { - Core.Ops.Range.f_start = i *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize; + Core.Ops.Range.f_start = i *! (gamma1_exponent +! sz 1 <: usize) <: usize; Core.Ops.Range.f_end = - (i +! sz 1 <: usize) *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize + (i +! sz 1 <: usize) *! (gamma1_exponent +! sz 1 <: usize) <: usize } <: Core.Ops.Range.t_Range usize ] <: t_Slice u8) + (result.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) + gamma1_exponent <: - v_SIMDUnit) + i1.f_Coefficient) <: - t_Array v_SIMDUnit (sz 32) + t_Array i1.f_Coefficient (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -65,17 +66,17 @@ let deserialize let serialize (#v_SIMDUnit: Type0) - (v_GAMMA1_EXPONENT: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (serialized: t_Slice u8) + (gamma1_exponent: usize) = let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: - t_Slice v_SIMDUnit) + t_Slice i1.f_Coefficient) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -83,30 +84,30 @@ let serialize serialized (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + let i, simd_unit:(usize & i1.f_Coefficient) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ - Core.Ops.Range.f_start = i *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize; + Core.Ops.Range.f_start = i *! (gamma1_exponent +! sz 1 <: usize) <: usize; Core.Ops.Range.f_end = - (i +! sz 1 <: usize) *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize + (i +! sz 1 <: usize) *! (gamma1_exponent +! sz 1 <: usize) <: usize } <: Core.Ops.Range.t_Range usize) (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - v_GAMMA1_EXPONENT simd_unit (serialized.[ { - Core.Ops.Range.f_start = i *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize; + Core.Ops.Range.f_start = i *! (gamma1_exponent +! sz 1 <: usize) <: usize; Core.Ops.Range.f_end = - (i +! sz 1 <: usize) *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize + (i +! sz 1 <: usize) *! (gamma1_exponent +! sz 1 <: usize) <: usize } <: Core.Ops.Range.t_Range usize ] <: t_Slice u8) + gamma1_exponent <: t_Slice u8) <: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti index 9c35efc9f..20ee5e8bc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti @@ -11,8 +11,8 @@ let _ = val deserialize (#v_SIMDUnit: Type0) - (v_GAMMA1_EXPONENT: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (gamma1_exponent: usize) (serialized: t_Slice u8) (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -21,8 +21,8 @@ val deserialize val serialize (#v_SIMDUnit: Type0) - (v_GAMMA1_EXPONENT: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (serialized: t_Slice u8) + (gamma1_exponent: usize) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst index c351af8bb..f16997151 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst @@ -9,127 +9,134 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let impl__deserialize +let deserialize (#v_SIMDUnit: Type0) - (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: - usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (serialized: t_Array u8 v_SIGNATURE_SIZE) + (columns_in_a rows_in_a commitment_hash_size gamma1_exponent gamma1_ring_element_size max_ones_in_hint signature_size: + usize) + (serialized out_commitment_hash: t_Slice u8) + (out_signer_response: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (out_hint: t_Slice (t_Array i32 (sz 256))) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. signature_size <: bool) + in + () + in let commitment_hash, rest_of_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 (serialized <: t_Slice u8) v_COMMITMENT_HASH_SIZE + Core.Slice.impl__split_at #u8 serialized commitment_hash_size + in + let out_commitment_hash:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out_commitment_hash + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = commitment_hash_size } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (out_commitment_hash.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = commitment_hash_size + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + commitment_hash + <: + t_Slice u8) in let signer_response_serialized, hint_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 rest_of_serialized - (v_GAMMA1_RING_ELEMENT_SIZE *! v_COLUMNS_IN_A <: usize) - in - let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A + (gamma1_ring_element_size *! columns_in_a <: usize) in - let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = + let out_signer_response:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Folds.fold_range (sz 0) - v_COLUMNS_IN_A - (fun signer_response temp_1_ -> - let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - signer_response + columns_in_a + (fun out_signer_response temp_1_ -> + let out_signer_response:t_Slice + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + out_signer_response in let _:usize = temp_1_ in true) - signer_response - (fun signer_response i -> - let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - signer_response + out_signer_response + (fun out_signer_response i -> + let out_signer_response:t_Slice + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + out_signer_response in let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signer_response + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out_signer_response i (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - v_GAMMA1_EXPONENT + gamma1_exponent (signer_response_serialized.[ { - Core.Ops.Range.f_start = i *! v_GAMMA1_RING_ELEMENT_SIZE <: usize; + Core.Ops.Range.f_start = i *! gamma1_ring_element_size <: usize; Core.Ops.Range.f_end = - (i +! sz 1 <: usize) *! v_GAMMA1_RING_ELEMENT_SIZE <: usize + (i +! sz 1 <: usize) *! gamma1_ring_element_size <: usize } <: Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (signer_response.[ i ] + (out_signer_response.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - in - let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) - v_ROWS_IN_A + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) in let previous_true_hints_seen:usize = sz 0 in let i:usize = sz 0 in let malformed_hint:bool = false in - let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & - usize & - bool & + let i, malformed_hint, out_hint, previous_true_hints_seen:(usize & bool & + t_Slice (t_Array i32 (sz 256)) & usize) = Rust_primitives.f_while_loop (fun temp_0_ -> - let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) - v_ROWS_IN_A & - usize & - bool & + let i, malformed_hint, out_hint, previous_true_hints_seen:(usize & bool & + t_Slice (t_Array i32 (sz 256)) & usize) = temp_0_ in - (i <. v_ROWS_IN_A <: bool) && (~.malformed_hint <: bool)) - (hint, i, malformed_hint, previous_true_hints_seen + (i <. rows_in_a <: bool) && (~.malformed_hint <: bool)) + (i, malformed_hint, out_hint, previous_true_hints_seen <: - (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize)) + (usize & bool & t_Slice (t_Array i32 (sz 256)) & usize)) (fun temp_0_ -> - let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) - v_ROWS_IN_A & - usize & - bool & + let i, malformed_hint, out_hint, previous_true_hints_seen:(usize & bool & + t_Slice (t_Array i32 (sz 256)) & usize) = temp_0_ in let current_true_hints_seen:usize = - cast (hint_serialized.[ v_MAX_ONES_IN_HINT +! i <: usize ] <: u8) <: usize + cast (hint_serialized.[ max_ones_in_hint +! i <: usize ] <: u8) <: usize in let malformed_hint:bool = if current_true_hints_seen <. previous_true_hints_seen || - previous_true_hints_seen >. v_MAX_ONES_IN_HINT + previous_true_hints_seen >. max_ones_in_hint then let malformed_hint:bool = true in malformed_hint else malformed_hint in let j:usize = previous_true_hints_seen in - let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool) = + let j, malformed_hint, out_hint:(usize & bool & t_Slice (t_Array i32 (sz 256))) = Rust_primitives.f_while_loop (fun temp_0_ -> - let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & - bool) = + let j, malformed_hint, out_hint:(usize & bool & t_Slice (t_Array i32 (sz 256))) = temp_0_ in (~.malformed_hint <: bool) && (j <. current_true_hints_seen <: bool)) - (hint, j, malformed_hint - <: - (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool)) + (j, malformed_hint, out_hint <: (usize & bool & t_Slice (t_Array i32 (sz 256)))) (fun temp_0_ -> - let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & - bool) = + let j, malformed_hint, out_hint:(usize & bool & t_Slice (t_Array i32 (sz 256))) = temp_0_ in let malformed_hint:bool = @@ -144,10 +151,10 @@ let impl__deserialize in if ~.malformed_hint then - let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + let out_hint:t_Slice (t_Array i32 (sz 256)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out_hint i - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (hint.[ i ] + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (out_hint.[ i ] <: t_Array i32 (sz 256)) (cast (hint_serialized.[ j ] <: u8) <: usize) @@ -156,31 +163,27 @@ let impl__deserialize t_Array i32 (sz 256)) in let j:usize = j +! sz 1 in - hint, j, malformed_hint - <: - (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool) + j, malformed_hint, out_hint <: (usize & bool & t_Slice (t_Array i32 (sz 256))) else - hint, j, malformed_hint - <: - (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool)) + j, malformed_hint, out_hint <: (usize & bool & t_Slice (t_Array i32 (sz 256)))) in if ~.malformed_hint then let previous_true_hints_seen:usize = current_true_hints_seen in let i:usize = i +! sz 1 in - hint, i, malformed_hint, previous_true_hints_seen + i, malformed_hint, out_hint, previous_true_hints_seen <: - (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize) + (usize & bool & t_Slice (t_Array i32 (sz 256)) & usize) else - hint, i, malformed_hint, previous_true_hints_seen + i, malformed_hint, out_hint, previous_true_hints_seen <: - (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize)) + (usize & bool & t_Slice (t_Array i32 (sz 256)) & usize)) in let i:usize = previous_true_hints_seen in let i, malformed_hint:(usize & bool) = Rust_primitives.f_while_loop (fun temp_0_ -> let i, malformed_hint:(usize & bool) = temp_0_ in - (i <. v_MAX_ONES_IN_HINT <: bool) && (~.malformed_hint <: bool)) + (i <. max_ones_in_hint <: bool) && (~.malformed_hint <: bool)) (i, malformed_hint <: (usize & bool)) (fun temp_0_ -> let i, malformed_hint:(usize & bool) = temp_0_ in @@ -196,145 +199,144 @@ let impl__deserialize in if malformed_hint then - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_MalformedHintError + out_commitment_hash, + out_signer_response, + out_hint, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_MalformedHintError + <: + Libcrux_ml_dsa.Types.t_VerificationError) <: - Libcrux_ml_dsa.Types.t_VerificationError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) <: - Core.Result.t_Result (t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) - Libcrux_ml_dsa.Types.t_VerificationError + (t_Slice u8 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (t_Array i32 (sz 256)) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) else - Core.Result.Result_Ok - ({ - f_commitment_hash - = - Core.Result.impl__unwrap #(t_Array u8 v_COMMITMENT_HASH_SIZE) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 v_COMMITMENT_HASH_SIZE) - #FStar.Tactics.Typeclasses.solve - commitment_hash - <: - Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Core.Array.t_TryFromSliceError); - f_signer_response = signer_response; - f_hint = hint - } + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + Core.Result.Result_Ok (() <: Prims.unit) <: - t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + in + out_commitment_hash, out_signer_response, out_hint, hax_temp_output <: - Core.Result.t_Result (t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) - Libcrux_ml_dsa.Types.t_VerificationError + (t_Slice u8 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (t_Array i32 (sz 256)) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) -let impl__serialize +let serialize (#v_SIMDUnit: Type0) - (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: - usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (self: t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) + (commitment_hash: t_Slice u8) + (signer_response: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint: t_Slice (t_Array i32 (sz 256))) + (commitment_hash_size columns_in_a rows_in_a gamma1_exponent gamma1_ring_element_size max_ones_in_hint: + usize) + (signature: t_Slice u8) = - let signature:t_Array u8 v_SIGNATURE_SIZE = Rust_primitives.Hax.repeat 0uy v_SIGNATURE_SIZE in let offset:usize = sz 0 in - let signature:t_Array u8 v_SIGNATURE_SIZE = + let signature:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature ({ Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! v_COMMITMENT_HASH_SIZE <: usize + Core.Ops.Range.f_end = offset +! commitment_hash_size <: usize } <: Core.Ops.Range.t_Range usize) (Core.Slice.impl__copy_from_slice #u8 (signature.[ { Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! v_COMMITMENT_HASH_SIZE <: usize + Core.Ops.Range.f_end = offset +! commitment_hash_size <: usize } <: Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (self.f_commitment_hash <: t_Slice u8) + commitment_hash <: t_Slice u8) in - let offset:usize = offset +! v_COMMITMENT_HASH_SIZE in - let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = + let offset:usize = offset +! commitment_hash_size in + let offset, signature:(usize & t_Slice u8) = Rust_primitives.Hax.Folds.fold_range (sz 0) - v_COLUMNS_IN_A + columns_in_a (fun temp_0_ temp_1_ -> - let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = temp_0_ in + let offset, signature:(usize & t_Slice u8) = temp_0_ in let _:usize = temp_1_ in true) - (offset, signature <: (usize & t_Array u8 v_SIGNATURE_SIZE)) + (offset, signature <: (usize & t_Slice u8)) (fun temp_0_ i -> - let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = temp_0_ in + let offset, signature:(usize & t_Slice u8) = temp_0_ in let i:usize = i in - let signature:t_Array u8 v_SIGNATURE_SIZE = + let signature:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature ({ Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! v_GAMMA1_RING_ELEMENT_SIZE <: usize + Core.Ops.Range.f_end = offset +! gamma1_ring_element_size <: usize } <: Core.Ops.Range.t_Range usize) (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit - v_GAMMA1_EXPONENT - (self.f_signer_response.[ i ] + (signer_response.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (signature.[ { Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! v_GAMMA1_RING_ELEMENT_SIZE <: usize + Core.Ops.Range.f_end = offset +! gamma1_ring_element_size <: usize } <: Core.Ops.Range.t_Range usize ] <: t_Slice u8) + gamma1_exponent <: t_Slice u8) in - let offset:usize = offset +! v_GAMMA1_RING_ELEMENT_SIZE in - offset, signature <: (usize & t_Array u8 v_SIGNATURE_SIZE)) + let offset:usize = offset +! gamma1_ring_element_size in + offset, signature <: (usize & t_Slice u8)) in let true_hints_seen:usize = sz 0 in - let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = + let signature, true_hints_seen:(t_Slice u8 & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) - v_ROWS_IN_A + rows_in_a (fun temp_0_ temp_1_ -> - let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in let _:usize = temp_1_ in true) - (signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + (signature, true_hints_seen <: (t_Slice u8 & usize)) (fun temp_0_ i -> - let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in let i:usize = i in - let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = + let signature, true_hints_seen:(t_Slice u8 & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 (self.f_hint.[ i ] <: t_Slice i32) <: usize) + (Core.Slice.impl__len #i32 (hint.[ i ] <: t_Slice i32) <: usize) (fun temp_0_ temp_1_ -> - let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in let _:usize = temp_1_ in true) - (signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + (signature, true_hints_seen <: (t_Slice u8 & usize)) (fun temp_0_ j -> - let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in let j:usize = j in - if ((self.f_hint.[ i ] <: t_Array i32 (sz 256)).[ j ] <: i32) =. 1l <: bool + if ((hint.[ i ] <: t_Array i32 (sz 256)).[ j ] <: i32) =. 1l <: bool then - let signature:t_Array u8 v_SIGNATURE_SIZE = + let signature:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature (offset +! true_hints_seen <: usize) (cast (j <: usize) <: u8) in let true_hints_seen:usize = true_hints_seen +! sz 1 in - signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize) - else signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + signature, true_hints_seen <: (t_Slice u8 & usize) + else signature, true_hints_seen <: (t_Slice u8 & usize)) in - let signature:t_Array u8 v_SIGNATURE_SIZE = + let signature:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature - ((offset +! v_MAX_ONES_IN_HINT <: usize) +! i <: usize) + ((offset +! max_ones_in_hint <: usize) +! i <: usize) (cast (true_hints_seen <: usize) <: u8) in - signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + signature, true_hints_seen <: (t_Slice u8 & usize)) in + let hax_temp_output:Prims.unit = () <: Prims.unit in signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti index 53b1e72ed..e1854f60f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti @@ -9,33 +9,28 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -/// A signature -/// This is only an internal type. -type t_Signature - (v_SIMDUnit: Type0) (v_COMMITMENT_HASH_SIZE: usize) (v_COLUMNS_IN_A: usize) (v_ROWS_IN_A: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - = { - f_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE; - f_signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A; - f_hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A -} - -val impl__deserialize +val deserialize (#v_SIMDUnit: Type0) - (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: - usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (serialized: t_Array u8 v_SIGNATURE_SIZE) + (columns_in_a rows_in_a commitment_hash_size gamma1_exponent gamma1_ring_element_size max_ones_in_hint signature_size: + usize) + (serialized out_commitment_hash: t_Slice u8) + (out_signer_response: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (out_hint: t_Slice (t_Array i32 (sz 256))) : Prims.Pure - (Core.Result.t_Result - (t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) - Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) + (t_Slice u8 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (t_Array i32 (sz 256)) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -val impl__serialize +val serialize (#v_SIMDUnit: Type0) - (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: - usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (self: t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) - : Prims.Pure (t_Array u8 v_SIGNATURE_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (commitment_hash: t_Slice u8) + (signer_response: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint: t_Slice (t_Array i32 (sz 256))) + (commitment_hash_size columns_in_a rows_in_a gamma1_exponent gamma1_ring_element_size max_ones_in_hint: + usize) + (signature: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst index 36b4a612d..563ad8f9c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst @@ -10,108 +10,22 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let deserialize_then_ntt - (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (serialized: t_Array u8 v_SIGNING_KEY_SIZE) - = - let seed_for_A, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (serialized <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE - in - let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH - in - let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - (v_ERROR_RING_ELEMENT_SIZE *! v_COLUMNS_IN_A <: usize) - in - let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - (v_ERROR_RING_ELEMENT_SIZE *! v_ROWS_IN_A <: usize) - in - let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit - v_COLUMNS_IN_A - v_ETA - v_ERROR_RING_ELEMENT_SIZE - s1_serialized - in - let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit - v_ROWS_IN_A - v_ETA - v_ERROR_RING_ELEMENT_SIZE - s2_serialized - in - let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit v_ROWS_IN_A t0_serialized - in - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - seed_for_A - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - seed_for_signing - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), - Core.Result.impl__unwrap #(t_Array u8 (sz 64)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 64)) - #FStar.Tactics.Typeclasses.solve - verification_key_hash - <: - Core.Result.t_Result (t_Array u8 (sz 64)) Core.Array.t_TryFromSliceError), - s1_as_ntt, - s2_as_ntt, - t0_as_ntt - <: - (t_Array u8 (sz 32) & t_Array u8 (sz 32) & t_Array u8 (sz 64) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - let generate_serialized (#v_SIMDUnit #v_Shake256: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (seed_for_A seed_for_signing verification_key: t_Slice u8) - (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (error_ring_element_size: usize) + (seed_matrix seed_signing verification_key: t_Slice u8) + (s1_2_ t0: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (signing_key_serialized: t_Slice u8) = - let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = - Rust_primitives.Hax.repeat 0uy v_SIGNING_KEY_SIZE - in let offset:usize = sz 0 in - let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + let signing_key_serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized ({ Core.Ops.Range.f_start = offset; @@ -128,12 +42,12 @@ let generate_serialized Core.Ops.Range.t_Range usize ] <: t_Slice u8) - seed_for_A + seed_matrix <: t_Slice u8) in let offset:usize = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE in - let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + let signing_key_serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized ({ Core.Ops.Range.f_start = offset; @@ -152,7 +66,7 @@ let generate_serialized Core.Ops.Range.t_Range usize ] <: t_Slice u8) - seed_for_signing + seed_signing <: t_Slice u8) in @@ -165,7 +79,7 @@ let generate_serialized verification_key verification_key_hash in - let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + let signing_key_serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized ({ Core.Ops.Range.f_start = offset; @@ -191,79 +105,33 @@ let generate_serialized t_Slice u8) in let offset:usize = offset +! Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH in - let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (s1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) - (fun temp_0_ ring_element -> - let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = temp_0_ in - let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - ring_element - in - let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized - ({ - Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit - v_ETA - v_ERROR_RING_ELEMENT_SIZE - ring_element - (signing_key_serialized.[ { - Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - t_Slice u8) - in - let offset:usize = offset +! v_ERROR_RING_ELEMENT_SIZE in - offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) - in - let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + let offset, signing_key_serialized:(usize & t_Slice u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) s1_2_ <: - Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) - (fun temp_0_ ring_element -> - let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = temp_0_ in - let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - ring_element - in - let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + usize) + (fun temp_0_ temp_1_ -> + let offset, signing_key_serialized:(usize & t_Slice u8) = temp_0_ in + let _:usize = temp_1_ in + true) + (offset, signing_key_serialized <: (usize & t_Slice u8)) + (fun temp_0_ i -> + let offset, signing_key_serialized:(usize & t_Slice u8) = temp_0_ in + let i:usize = i in + let signing_key_serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized ({ Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + Core.Ops.Range.f_end = offset +! error_ring_element_size <: usize } <: Core.Ops.Range.t_Range usize) (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit - v_ETA - v_ERROR_RING_ELEMENT_SIZE - ring_element + eta + (s1_2_.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (signing_key_serialized.[ { Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + Core.Ops.Range.f_end = offset +! error_ring_element_size <: usize } <: Core.Ops.Range.t_Range usize ] @@ -272,26 +140,25 @@ let generate_serialized <: t_Slice u8) in - let offset:usize = offset +! v_ERROR_RING_ELEMENT_SIZE in - offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + let offset:usize = offset +! error_ring_element_size in + offset, signing_key_serialized <: (usize & t_Slice u8)) in - let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = + let offset, signing_key_serialized:(usize & t_Slice u8) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) t0 <: Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) <: Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + (offset, signing_key_serialized <: (usize & t_Slice u8)) (fun temp_0_ ring_element -> - let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = temp_0_ in + let offset, signing_key_serialized:(usize & t_Slice u8) = temp_0_ in let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = ring_element in - let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + let signing_key_serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized ({ Core.Ops.Range.f_start = offset; @@ -317,6 +184,7 @@ let generate_serialized t_Slice u8) in let offset:usize = offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE in - offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + offset, signing_key_serialized <: (usize & t_Slice u8)) in + let hax_temp_output:Prims.unit = () <: Prims.unit in signing_key_serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti index bad7c34f3..5eefc9f4c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti @@ -10,25 +10,13 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -val deserialize_then_ntt - (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (serialized: t_Array u8 v_SIGNING_KEY_SIZE) - : Prims.Pure - (t_Array u8 (sz 32) & t_Array u8 (sz 32) & t_Array u8 (sz 64) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - Prims.l_True - (fun _ -> Prims.l_True) - val generate_serialized (#v_SIMDUnit #v_Shake256: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - (seed_for_A seed_for_signing verification_key: t_Slice u8) - (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (error_ring_element_size: usize) + (seed_matrix seed_signing verification_key: t_Slice u8) + (s1_2_ t0: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (signing_key_serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst index 2fda1d74c..17638e3fb 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst @@ -19,8 +19,8 @@ let deserialize = let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit - (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + (Core.Slice.impl__len #i1.f_Coefficient + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) <: usize) (fun result temp_1_ -> @@ -50,10 +50,11 @@ let deserialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) + (result.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) <: - v_SIMDUnit) + i1.f_Coefficient) <: - t_Array v_SIMDUnit (sz 32) + t_Array i1.f_Coefficient (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -61,66 +62,6 @@ let deserialize let hax_temp_output:Prims.unit = () <: Prims.unit in result -let deserialize_to_vector_then_ntt - (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (serialized: t_Slice u8) - = - let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION - in - let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE - serialized - (fun ring_elements temp_1_ -> - let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - ring_elements - in - let _:usize = temp_1_ in - true) - ring_elements - (fun ring_elements temp_1_ -> - let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - ring_elements - in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements - i - (deserialize #v_SIMDUnit - bytes - (ring_elements.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in - let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (ring_elements.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in - ring_elements) - in - ring_elements - let serialize (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -132,7 +73,7 @@ let serialize let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: - t_Slice v_SIMDUnit) + t_Slice i1.f_Coefficient) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -140,7 +81,7 @@ let serialize serialized (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + let i, simd_unit:(usize & i1.f_Coefficient) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; @@ -148,7 +89,9 @@ let serialize } <: Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 + (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit (serialized.[ { Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; Core.Ops.Range.f_end @@ -159,11 +102,6 @@ let serialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - simd_unit - <: - t_Slice u8) <: t_Slice u8) <: @@ -171,3 +109,52 @@ let serialize in let hax_temp_output:Prims.unit = () <: Prims.unit in serialized + +let deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + (ring_elements: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + = + let ring_elements:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE + serialized + (fun ring_elements temp_1_ -> + let ring_elements:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + ring_elements + in + let _:usize = temp_1_ in + true) + ring_elements + (fun ring_elements temp_1_ -> + let ring_elements:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + ring_elements + in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let ring_elements:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (deserialize #v_SIMDUnit + bytes + (ring_elements.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let ring_elements:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (ring_elements.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + ring_elements) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + ring_elements diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti index 94ac260a2..328e22df6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti @@ -20,19 +20,18 @@ val deserialize Prims.l_True (fun _ -> Prims.l_True) -val deserialize_to_vector_then_ntt +val serialize (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (serialized: t_Slice u8) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val serialize +val deserialize_to_vector_then_ntt (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + (ring_elements: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst index 4e42a3c10..4b931182e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst @@ -19,8 +19,8 @@ let deserialize = let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit - (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + (Core.Slice.impl__len #i1.f_Coefficient + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) <: usize) (fun result temp_1_ -> @@ -48,10 +48,11 @@ let deserialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) + (result.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) <: - v_SIMDUnit) + i1.f_Coefficient) <: - t_Array v_SIMDUnit (sz 32) + t_Array i1.f_Coefficient (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -70,7 +71,7 @@ let serialize let serialized:t_Array u8 (sz 320) = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: - t_Slice v_SIMDUnit) + t_Slice i1.f_Coefficient) (fun serialized temp_1_ -> let serialized:t_Array u8 (sz 320) = serialized in let _:usize = temp_1_ in @@ -78,7 +79,7 @@ let serialize serialized (fun serialized temp_1_ -> let serialized:t_Array u8 (sz 320) = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + let i, simd_unit:(usize & i1.f_Coefficient) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; @@ -88,7 +89,9 @@ let serialize } <: Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 + (Libcrux_ml_dsa.Simd.Traits.f_t1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit (serialized.[ { Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; Core.Ops.Range.f_end @@ -99,11 +102,6 @@ let serialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (Libcrux_ml_dsa.Simd.Traits.f_t1_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - simd_unit - <: - t_Slice u8) <: t_Slice u8) <: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst index f36227839..cb4c0cb30 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst @@ -11,44 +11,39 @@ let _ = let deserialize (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (rows_in_a verification_key_size: usize) + (serialized: t_Slice u8) + (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A - in - let seed_for_A, serialized_remaining:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (serialized <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. + (verification_key_size -! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE <: usize) + <: + bool) + in + () in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Folds.fold_range (sz 0) - v_ROWS_IN_A + rows_in_a (fun t1 temp_1_ -> - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A - = - t1 - in + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = t1 in let _:usize = temp_1_ in true) t1 (fun t1 i -> - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A - = - t1 - in + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = t1 in let i:usize = i in Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 i (Libcrux_ml_dsa.Encoding.T1.deserialize #v_SIMDUnit - (serialized_remaining.[ { + (serialized.[ { Core.Ops.Range.f_start = i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize; @@ -66,34 +61,21 @@ let deserialize <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) in - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - seed_for_A - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + let hax_temp_output:Prims.unit = () <: Prims.unit in t1 - <: - (t_Array u8 (sz 32) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) let generate_serialized (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (seed_for_A: t_Slice u8) - (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + (seed: t_Slice u8) + (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (verification_key_serialized: t_Slice u8) = - let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = - Rust_primitives.Hax.repeat 0uy v_VERIFICATION_KEY_SIZE - in - let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + let verification_key_serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_range verification_key_serialized ({ Core.Ops.Range.f_start = sz 0; @@ -110,25 +92,19 @@ let generate_serialized Core.Ops.Range.t_Range usize ] <: t_Slice u8) - seed_for_A + seed <: t_Slice u8) in - let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_slice (t1 - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + let verification_key_serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_slice t1 (fun verification_key_serialized temp_1_ -> - let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = - verification_key_serialized - in + let verification_key_serialized:t_Slice u8 = verification_key_serialized in let _:usize = temp_1_ in true) verification_key_serialized (fun verification_key_serialized temp_1_ -> - let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = - verification_key_serialized - in + let verification_key_serialized:t_Slice u8 = verification_key_serialized in let i, ring_element:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = temp_1_ @@ -137,7 +113,7 @@ let generate_serialized Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! (i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize) in - let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + let verification_key_serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_range verification_key_serialized ({ Core.Ops.Range.f_start = offset; @@ -164,4 +140,5 @@ let generate_serialized in verification_key_serialized) in + let hax_temp_output:Prims.unit = () <: Prims.unit in verification_key_serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti index 59e60a0ee..0f2375cef 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti @@ -11,19 +11,18 @@ let _ = val deserialize (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - : Prims.Pure - (t_Array u8 (sz 32) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + (rows_in_a verification_key_size: usize) + (serialized: t_Slice u8) + (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) val generate_serialized (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (seed_for_A: t_Slice u8) - (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - : Prims.Pure (t_Array u8 v_VERIFICATION_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (seed: t_Slice u8) + (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (verification_key_serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst index a5339e177..85fee5525 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst @@ -11,87 +11,71 @@ let _ = let vector_times_ring_element (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION - in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.Folds.fold_enumerated_slice (vector + let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) vector <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - result + usize) + (fun vector temp_1_ -> + let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + vector in let _:usize = temp_1_ in true) - result - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - result + vector + (fun vector i -> + let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + vector + in + let i:usize = i in + let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector + i + (Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + (vector.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + ring_element + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let i, vector_ring_element:(usize & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - temp_1_ + let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (vector.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - i - (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit - (Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit - vector_ring_element - ring_element - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + vector) in - result + let hax_temp_output:Prims.unit = () <: Prims.unit in + vector let add_vectors (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (dimension: usize) + (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION - in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Folds.fold_range (sz 0) - v_DIMENSION - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - result - in + dimension + (fun lhs temp_1_ -> + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in let _:usize = temp_1_ in true) - result - (fun result i -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - result - in + lhs + (fun lhs i -> + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs i (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -99,199 +83,165 @@ let add_vectors <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) in - result + let hax_temp_output:Prims.unit = () <: Prims.unit in + lhs -let compute_A_times_mask +let compute_as1_plus_s2 (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (v_A_as_ntt: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) - (mask: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (rows_in_a columns_in_a: usize) + (a_as_ntt s1_ntt s1_s2 result: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A - in - let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A - = - Core.Array.impl_23__map #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A - #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - mask - (fun s -> - let s:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = s in - Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit s + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + rows_in_a + (fun result temp_1_ -> + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + result + in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + result + in + let i:usize = i in + Rust_primitives.Hax.Folds.fold_range (sz 0) + columns_in_a + (fun result temp_1_ -> + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + result + in + let _:usize = temp_1_ in + true) + result + (fun result j -> + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + result + in + let j:usize = j in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + a_as_ntt.[ (i *! columns_in_a <: usize) +! j <: usize ] + in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + product + (s1_ntt.[ j ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + product + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) result <: - t_Slice - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + usize) (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = result in let _:usize = temp_1_ in true) result - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = + (fun result i -> + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = result in - let i, row:(usize & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = - temp_1_ - in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - Rust_primitives.Hax.Folds.fold_enumerated_slice (row + let i:usize = i in + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - result - in - let _:usize = temp_1_ in - true) - result - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - result - in - let j, ring_element:(usize & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - temp_1_ - in - let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit - ring_element - (mask_ntt.[ j ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - i - (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit - (result.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - product - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in - result) + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_s2.[ columns_in_a +! i <: usize ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in result) in + let hax_temp_output:Prims.unit = () <: Prims.unit in result -let compute_As1_plus_s2 +let compute_matrix_x_mask (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (v_A_as_ntt: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) - (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - (s2: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + (rows_in_a columns_in_a: usize) + (matrix mask result: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - Core.Array.impl_23__map #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A - #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - s1 - (fun s -> - let s:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = s in - Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit s - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt - <: - t_Slice - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + rows_in_a (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = result in let _:usize = temp_1_ in true) result - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = + (fun result i -> + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = result in - let i, row:(usize & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = - temp_1_ - in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - Rust_primitives.Hax.Folds.fold_enumerated_slice (row - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + let i:usize = i in + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + columns_in_a (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = result in let _:usize = temp_1_ in true) result - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = + (fun result j -> + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = result in - let j, ring_element:(usize & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - temp_1_ + let j:usize = j in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + mask.[ j ] in let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit - ring_element - (s1_ntt.[ j ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + product + (matrix.[ (i *! columns_in_a <: usize) +! j <: usize ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit @@ -304,8 +254,7 @@ let compute_As1_plus_s2 in result) in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = + let result:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit @@ -313,209 +262,141 @@ let compute_As1_plus_s2 <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - i - (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit - (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (s2.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in result) in + let hax_temp_output:Prims.unit = () <: Prims.unit in result -let compute_w_approx +let subtract_vectors (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (v_A_as_ntt: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) - (signer_response: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + (dimension: usize) + (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A - in - let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (signer_response <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - ) - <: - usize) - (fun signer_response temp_1_ -> - let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - signer_response - in + dimension + (fun lhs temp_1_ -> + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in let _:usize = temp_1_ in true) - signer_response - (fun signer_response i -> - let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - signer_response - in + lhs + (fun lhs i -> + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signer_response + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (signer_response.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit + (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt - <: - t_Slice - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - result - in + let hax_temp_output:Prims.unit = () <: Prims.unit in + lhs + +let compute_w_approx + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (rows_in_a columns_in_a: usize) + (matrix signer_response: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + = + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + rows_in_a + (fun t1 temp_1_ -> + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = t1 in let _:usize = temp_1_ in true) - result - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - result - in - let i, row:(usize & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = - temp_1_ + t1 + (fun t1 i -> + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = t1 in + let i:usize = i in + let inner_result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - Rust_primitives.Hax.Folds.fold_enumerated_slice (row - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - result + let inner_result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + columns_in_a + (fun inner_result temp_1_ -> + let inner_result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + inner_result in let _:usize = temp_1_ in true) - result - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - result + inner_result + (fun inner_result j -> + let inner_result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + inner_result in - let j, ring_element:(usize & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - temp_1_ + let j:usize = j in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + matrix.[ (i *! columns_in_a <: usize) +! j <: usize ] in let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit - ring_element + product (signer_response.[ j ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - i - (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit - (result.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - product - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + let inner_result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit inner_result product in - result) + inner_result) in - let t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Arithmetic.shift_left_then_reduce #v_SIMDUnit - 13l - (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in - let t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit t1_shifted + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + i + (Libcrux_ml_dsa.Arithmetic.shift_left_then_reduce #v_SIMDUnit + 13l + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let challenge_times_t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit = - Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit - verifier_challenge_as_ntt - t1_shifted + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 i - (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit - (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit - (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - challenge_times_t1_shifted - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + verifier_challenge_as_ntt <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - result) - in - result - -let subtract_vectors - (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - = - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION - in - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_DIMENSION - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - result + let inner_result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit + inner_result + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let _:usize = temp_1_ in - true) - result - (fun result i -> - let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - result + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 i inner_result in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - i - (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit - (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + t1) in - result + let hax_temp_output:Prims.unit = () <: Prims.unit in + t1 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti index 7db4128e6..ee21e7601 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti @@ -11,80 +11,61 @@ let _ = val vector_times_ring_element (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) val add_vectors (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (dimension: usize) + (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) -/// Compute InvertNTT(Â ◦ ŷ) -val compute_A_times_mask +/// Compute InvertNTT(Â ◦ ŝ₁) + s₂ +val compute_as1_plus_s2 (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (v_A_as_ntt: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) - (mask: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + (rows_in_a columns_in_a: usize) + (a_as_ntt s1_ntt s1_s2 result: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) -/// Compute InvertNTT(Â ◦ ŝ₁) + s₂ -val compute_As1_plus_s2 +/// Compute InvertNTT(Â ◦ ŷ) +val compute_matrix_x_mask (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (v_A_as_ntt: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) - (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - (s2: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + (rows_in_a columns_in_a: usize) + (matrix mask result: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) -/// Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) -val compute_w_approx +val subtract_vectors (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (v_A_as_ntt: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) - (signer_response: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + (dimension: usize) + (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) -val subtract_vectors +/// Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) +val compute_w_approx (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (rows_in_a columns_in_a: usize) + (matrix signer_response: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst index c923aaf46..36357eb9c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst @@ -4,15 +4,16 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 4) - (sz 4) - (sz 2) - (sz 96) - (sz 2560) - (sz 1312) - randomness + let signing_key:t_Array u8 (sz 2560) = Rust_primitives.Hax.repeat 0uy (sz 2560) in + let verification_key:t_Array u8 (sz 1312) = Rust_primitives.Hax.repeat 0uy (sz 1312) in + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair_v44 randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let _:Prims.unit = () in { Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 2560) signing_key; Libcrux_ml_dsa.Types.f_verification_key @@ -27,8 +28,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l - (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 4) (sz 4) (sz 16) (sz 2) (sz 96) + (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness @@ -37,18 +38,18 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) - (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 16) + (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) + (sz 2420) (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) + message context randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) - (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 4) (sz 4) (sz 16) (sz 2420) (sz 1312) + (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) @@ -57,7 +58,7 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 4) (sz 4) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 16) (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst index cbfcb41f1..5d3071ea5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst @@ -4,15 +4,16 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 4) - (sz 4) - (sz 2) - (sz 96) - (sz 2560) - (sz 1312) - randomness + let signing_key:t_Array u8 (sz 2560) = Rust_primitives.Hax.repeat 0uy (sz 2560) in + let verification_key:t_Array u8 (sz 1312) = Rust_primitives.Hax.repeat 0uy (sz 1312) in + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v44 randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let _:Prims.unit = () in { Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 2560) signing_key; Libcrux_ml_dsa.Types.f_verification_key @@ -27,8 +28,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l - (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 4) (sz 4) (sz 16) (sz 2) (sz 96) + (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness @@ -37,18 +38,18 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) - (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 16) + (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) + (sz 2420) (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) + message context randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) - (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 4) (sz 4) (sz 16) (sz 2420) (sz 1312) + (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) @@ -57,7 +58,7 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 4) (sz 4) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 16) (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst index 5ecf58ac3..7dd744603 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst @@ -4,15 +4,16 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 4) - (sz 4) - (sz 2) - (sz 96) - (sz 2560) - (sz 1312) - randomness + let signing_key:t_Array u8 (sz 2560) = Rust_primitives.Hax.repeat 0uy (sz 2560) in + let verification_key:t_Array u8 (sz 1312) = Rust_primitives.Hax.repeat 0uy (sz 1312) in + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v44 randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let _:Prims.unit = () in { Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 2560) signing_key; Libcrux_ml_dsa.Types.f_verification_key @@ -27,8 +28,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) - 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 4) (sz 4) (sz 16) (sz 2) (sz 96) + (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness @@ -38,17 +39,18 @@ let sign_pre_hashed_shake128 (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 4) (sz 4) - (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) - (sz 2420) (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) - message context randomness + (sz 16) (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) + (sz 2560) (sz 2420) + (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message + context randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 4) (sz 4) (sz 2420) (sz 1312) - (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 4) (sz 4) (sz 16) (sz 2420) + (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) @@ -58,6 +60,7 @@ let verify_pre_hashed_shake128 (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 4) (sz 4) - (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + (sz 16) (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) + (sz 80) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) + message context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst index fd9368339..4259c747c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst @@ -4,15 +4,16 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 4) - (sz 4) - (sz 2) - (sz 96) - (sz 2560) - (sz 1312) - randomness + let signing_key:t_Array u8 (sz 2560) = Rust_primitives.Hax.repeat 0uy (sz 2560) in + let verification_key:t_Array u8 (sz 1312) = Rust_primitives.Hax.repeat 0uy (sz 1312) in + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair_v44 randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let _:Prims.unit = () in { Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 2560) signing_key; Libcrux_ml_dsa.Types.f_verification_key @@ -27,8 +28,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l - (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 4) (sz 4) (sz 16) (sz 2) (sz 96) (sz 17) + 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness @@ -37,8 +38,8 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) (sz 96) - (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 16) (sz 2) + (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness @@ -47,8 +48,8 @@ let verify (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) - (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 4) (sz 4) (sz 16) (sz 2420) (sz 1312) + (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) @@ -57,7 +58,7 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 2420) - (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 16) + (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti index a677e8e9a..19875b932 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti @@ -44,6 +44,8 @@ let v_ROWS_IN_A: usize = sz 4 let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A +let v_ROWS_X_COLUMNS: usize = v_ROWS_IN_A *! v_COLUMNS_IN_A + let v_SIGNATURE_SIZE: usize = ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! v_MAX_ONES_IN_HINT diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst index fb56ab400..a7e1441c6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst @@ -4,15 +4,16 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 6) - (sz 5) - (sz 4) - (sz 128) - (sz 4032) - (sz 1952) - randomness + let signing_key:t_Array u8 (sz 4032) = Rust_primitives.Hax.repeat 0uy (sz 4032) in + let verification_key:t_Array u8 (sz 1952) = Rust_primitives.Hax.repeat 0uy (sz 1952) in + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair_v65 randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in { Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4032) signing_key; Libcrux_ml_dsa.Types.f_verification_key @@ -27,8 +28,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) - 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 6) (sz 5) (sz 30) (sz 4) (sz 128) + (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness @@ -37,18 +38,18 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) - (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 30) + (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) + (sz 3309) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) + message context randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) - (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 6) (sz 5) (sz 30) (sz 3309) (sz 1952) + (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) @@ -57,7 +58,7 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 6) (sz 5) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 30) (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst index 06692d1d7..a2f7a77d7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst @@ -4,15 +4,16 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 6) - (sz 5) - (sz 4) - (sz 128) - (sz 4032) - (sz 1952) - randomness + let signing_key:t_Array u8 (sz 4032) = Rust_primitives.Hax.repeat 0uy (sz 4032) in + let verification_key:t_Array u8 (sz 1952) = Rust_primitives.Hax.repeat 0uy (sz 1952) in + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v65 randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in { Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4032) signing_key; Libcrux_ml_dsa.Types.f_verification_key @@ -27,8 +28,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) - 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 6) (sz 5) (sz 30) (sz 4) (sz 128) + (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness @@ -37,18 +38,18 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) - (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 30) + (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) + (sz 3309) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) + message context randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) - (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 6) (sz 5) (sz 30) (sz 3309) (sz 1952) + (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) @@ -57,7 +58,7 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 6) (sz 5) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 30) (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst index d696b883f..0bd7ed8ab 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst @@ -4,15 +4,16 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 6) - (sz 5) - (sz 4) - (sz 128) - (sz 4032) - (sz 1952) - randomness + let signing_key:t_Array u8 (sz 4032) = Rust_primitives.Hax.repeat 0uy (sz 4032) in + let verification_key:t_Array u8 (sz 1952) = Rust_primitives.Hax.repeat 0uy (sz 1952) in + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v65 randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in { Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4032) signing_key; Libcrux_ml_dsa.Types.f_verification_key @@ -27,8 +28,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) - 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 6) (sz 5) (sz 30) (sz 4) (sz 128) + (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness @@ -38,17 +39,18 @@ let sign_pre_hashed_shake128 (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 6) (sz 5) - (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) - (sz 3309) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) - message context randomness + (sz 30) (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) + (sz 4032) (sz 3309) + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message + context randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 6) (sz 5) (sz 3309) (sz 1952) - (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 6) (sz 5) (sz 30) (sz 3309) + (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) @@ -58,6 +60,7 @@ let verify_pre_hashed_shake128 (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 6) (sz 5) - (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + (sz 30) (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) + (sz 55) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) + message context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst index 9029cf9f8..12929b739 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst @@ -4,15 +4,16 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 6) - (sz 5) - (sz 4) - (sz 128) - (sz 4032) - (sz 1952) - randomness + let signing_key:t_Array u8 (sz 4032) = Rust_primitives.Hax.repeat 0uy (sz 4032) in + let verification_key:t_Array u8 (sz 1952) = Rust_primitives.Hax.repeat 0uy (sz 1952) in + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair_v65 randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in { Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4032) signing_key; Libcrux_ml_dsa.Types.f_verification_key @@ -27,8 +28,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l - (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 6) (sz 5) (sz 30) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness @@ -37,8 +38,8 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) (sz 128) - (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 30) (sz 4) + (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness @@ -47,8 +48,8 @@ let verify (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) - (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 6) (sz 5) (sz 30) (sz 3309) (sz 1952) + (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) @@ -57,7 +58,7 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 3309) - (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 30) + (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti index 47735a500..46a9a2ac0 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti @@ -44,6 +44,8 @@ let v_ROWS_IN_A: usize = sz 6 let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A +let v_ROWS_X_COLUMNS: usize = v_ROWS_IN_A *! v_COLUMNS_IN_A + let v_SIGNATURE_SIZE: usize = ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! v_MAX_ONES_IN_HINT diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst index bed872537..7faac1a9e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst @@ -4,15 +4,16 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 8) - (sz 7) - (sz 2) - (sz 96) - (sz 4896) - (sz 2592) - randomness + let signing_key:t_Array u8 (sz 4896) = Rust_primitives.Hax.repeat 0uy (sz 4896) in + let verification_key:t_Array u8 (sz 2592) = Rust_primitives.Hax.repeat 0uy (sz 2592) in + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair_v87 randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let _:Prims.unit = () in { Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4896) signing_key; Libcrux_ml_dsa.Types.f_verification_key @@ -27,8 +28,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) - 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 8) (sz 7) (sz 56) (sz 2) (sz 96) + (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness @@ -37,18 +38,18 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) - (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 56) + (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) + (sz 4627) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) + message context randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) - (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 8) (sz 7) (sz 56) (sz 4627) (sz 2592) + (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) @@ -57,7 +58,7 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 8) (sz 7) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 56) (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst index f4bc8340a..9dc288ca6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst @@ -4,15 +4,16 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 8) - (sz 7) - (sz 2) - (sz 96) - (sz 4896) - (sz 2592) - randomness + let signing_key:t_Array u8 (sz 4896) = Rust_primitives.Hax.repeat 0uy (sz 4896) in + let verification_key:t_Array u8 (sz 2592) = Rust_primitives.Hax.repeat 0uy (sz 2592) in + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v87 randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let _:Prims.unit = () in { Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4896) signing_key; Libcrux_ml_dsa.Types.f_verification_key @@ -27,8 +28,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) - 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 8) (sz 7) (sz 56) (sz 2) (sz 96) + (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness @@ -37,18 +38,18 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) - (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 56) + (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) + (sz 4627) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) + message context randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) - (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 8) (sz 7) (sz 56) (sz 4627) (sz 2592) + (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) @@ -57,7 +58,7 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 8) (sz 7) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 56) (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst index 6f6364908..d21986579 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst @@ -4,15 +4,16 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 8) - (sz 7) - (sz 2) - (sz 96) - (sz 4896) - (sz 2592) - randomness + let signing_key:t_Array u8 (sz 4896) = Rust_primitives.Hax.repeat 0uy (sz 4896) in + let verification_key:t_Array u8 (sz 2592) = Rust_primitives.Hax.repeat 0uy (sz 2592) in + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v87 randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let _:Prims.unit = () in { Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4896) signing_key; Libcrux_ml_dsa.Types.f_verification_key @@ -27,8 +28,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) - 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 8) (sz 7) (sz 56) (sz 2) (sz 96) + (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness @@ -38,17 +39,18 @@ let sign_pre_hashed_shake128 (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 8) (sz 7) - (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) - (sz 4627) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) - message context randomness + (sz 56) (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) + (sz 4896) (sz 4627) + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message + context randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 8) (sz 7) (sz 4627) (sz 2592) - (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 8) (sz 7) (sz 56) (sz 4627) + (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) @@ -58,6 +60,7 @@ let verify_pre_hashed_shake128 (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 8) (sz 7) - (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + (sz 56) (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) + (sz 75) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) + message context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst index a72c5865b..f15dd3783 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst @@ -4,15 +4,16 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 8) - (sz 7) - (sz 2) - (sz 96) - (sz 4896) - (sz 2592) - randomness + let signing_key:t_Array u8 (sz 4896) = Rust_primitives.Hax.repeat 0uy (sz 4896) in + let verification_key:t_Array u8 (sz 2592) = Rust_primitives.Hax.repeat 0uy (sz 2592) in + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair_v87 randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let _:Prims.unit = () in { Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4896) signing_key; Libcrux_ml_dsa.Types.f_verification_key @@ -27,8 +28,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l - (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 8) (sz 7) (sz 56) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness @@ -37,8 +38,8 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) (sz 96) - (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 56) (sz 2) + (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness @@ -47,8 +48,8 @@ let verify (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) - (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 8) (sz 7) (sz 56) (sz 4627) (sz 2592) + (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) @@ -57,7 +58,7 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 4627) - (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 56) + (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti index f5eb82a25..582c13b5e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti @@ -44,6 +44,8 @@ let v_ROWS_IN_A: usize = sz 8 let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A +let v_ROWS_X_COLUMNS: usize = v_ROWS_IN_A *! v_COLUMNS_IN_A + let v_SIGNATURE_SIZE: usize = ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! v_MAX_ONES_IN_HINT diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst index c1553434f..a991b1cd8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst @@ -17,20 +17,69 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let generate_key_pair - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) +let generate_key_pair_v44 (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v44 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v65 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v65 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v87 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v87 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) let sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -42,14 +91,15 @@ let sign #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS + v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness let sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -63,13 +113,14 @@ let sign_pre_hashed_shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE - v_SIGNATURE_SIZE signing_key message context randomness + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE + v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE + v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness let verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -82,12 +133,13 @@ let verify #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A - v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 - v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature let verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -101,7 +153,7 @@ let verify_pre_hashed_shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE + v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti index aaa4d5643..513d33c88 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti @@ -18,17 +18,27 @@ let _ = () /// Generate key pair. -val generate_key_pair - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) +val generate_key_pair_v44 (randomness: t_Array u8 (sz 32)) - : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate key pair. +val generate_key_pair_v65 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate key pair. +val generate_key_pair_v87 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) /// Sign. val sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -41,7 +51,8 @@ val sign /// Sign (pre-hashed). val sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -54,7 +65,7 @@ val sign_pre_hashed_shake128 /// Verify. val verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -68,7 +79,7 @@ val verify /// Verify (pre-hashed with SHAKE-128). val verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst index 42e4c6671..b2566a4a0 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst @@ -3,21 +3,51 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 open Core open FStar.Mul -let generate_key_pair - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) +let generate_key_pair_v44 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.generate_key_pair_v44 randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v65 (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.generate_key_pair v_ROWS_IN_A - v_COLUMNS_IN_A - v_ETA - v_ERROR_RING_ELEMENT_SIZE - v_SIGNING_KEY_SIZE - v_VERIFICATION_KEY_SIZE - randomness + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.generate_key_pair_v65 randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v87 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.generate_key_pair_v87 randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) let sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -26,13 +56,14 @@ let sign (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.sign v_ROWS_IN_A v_COLUMNS_IN_A - v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context - randomness + v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness let sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -41,13 +72,13 @@ let sign_pre_hashed_shake128 (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.sign_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness let verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -57,12 +88,13 @@ let verify (signature: t_Array u8 v_SIGNATURE_SIZE) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.verify v_ROWS_IN_A v_COLUMNS_IN_A - v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 - v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature let verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -72,7 +104,7 @@ let verify_pre_hashed_shake128 (signature: t_Array u8 v_SIGNATURE_SIZE) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.verify_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti index 3763fcb0a..8a692ac3d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti @@ -4,17 +4,27 @@ open Core open FStar.Mul /// Generate key pair. -val generate_key_pair - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) +val generate_key_pair_v44 (randomness: t_Array u8 (sz 32)) - : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate key pair. +val generate_key_pair_v65 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate key pair. +val generate_key_pair_v87 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) /// Sign. val sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -27,7 +37,8 @@ val sign /// Sign (pre-hashed). val sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -40,7 +51,7 @@ val sign_pre_hashed_shake128 /// Verify. val verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -54,7 +65,7 @@ val verify /// Verify (pre-hashed with SHAKE-128). val verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst index c81b51ec3..87e488d17 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst @@ -17,20 +17,69 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let generate_key_pair - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) +let generate_key_pair_v44 (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v44 #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v65 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v65 #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v87 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v87 #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) let sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -42,14 +91,15 @@ let sign #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS + v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness let sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -63,13 +113,13 @@ let sign_pre_hashed_shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) - v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT + v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness let verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -82,12 +132,13 @@ let verify #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A - v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 - v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature let verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -101,7 +152,7 @@ let verify_pre_hashed_shake128 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE + v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti index 45fac8db0..a4c8557fe 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti @@ -18,17 +18,27 @@ let _ = () /// Generate key pair. -val generate_key_pair - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) +val generate_key_pair_v44 (randomness: t_Array u8 (sz 32)) - : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate key pair. +val generate_key_pair_v65 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate key pair. +val generate_key_pair_v87 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) /// Sign. val sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -41,7 +51,8 @@ val sign /// Sign (pre-hashed). val sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -54,7 +65,7 @@ val sign_pre_hashed_shake128 /// Verify. val verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -68,7 +79,7 @@ val verify /// Verify (pre-hashed with SHAKE-128). val verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst index fba006d14..4dbc08d0e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst @@ -16,21 +16,69 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let generate_key_pair - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) +let generate_key_pair_v44 (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v44 #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v65 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v65 #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v87 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v87 #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) let sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -43,14 +91,15 @@ let sign #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS + v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness let sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -65,13 +114,14 @@ let sign_pre_hashed_shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE - v_SIGNATURE_SIZE signing_key message context randomness + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE + v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE + v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness let verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -85,12 +135,13 @@ let verify #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A - v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 - v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature let verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -105,7 +156,7 @@ let verify_pre_hashed_shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE + v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti index 9bd1f00f2..78642deb3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti @@ -17,17 +17,27 @@ let _ = () /// Generate key pair. -val generate_key_pair - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) +val generate_key_pair_v44 (randomness: t_Array u8 (sz 32)) - : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate key pair. +val generate_key_pair_v65 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate key pair. +val generate_key_pair_v87 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) /// Sign. val sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -40,7 +50,8 @@ val sign /// Sign (pre-hashed). val sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -53,7 +64,7 @@ val sign_pre_hashed_shake128 /// Verify. val verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -67,7 +78,7 @@ val verify /// Verify (pre-hashed with SHAKE-128). val verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst index 69d507f61..5b396ef69 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst @@ -3,41 +3,150 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing open Core open FStar.Mul -let generate_key_pair - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) +let generate_key_pair_v44 (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) = - if Libcrux_platform.Platform.simd256_support () - then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair v_ROWS_IN_A - v_COLUMNS_IN_A - v_ETA - v_ERROR_RING_ELEMENT_SIZE - v_SIGNING_KEY_SIZE - v_VERIFICATION_KEY_SIZE - randomness - else - if Libcrux_platform.Platform.simd128_support () + let (signing_key, verification_key), hax_temp_output:((t_Slice u8 & t_Slice u8) & Prims.unit) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v44 randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () + <: + ((t_Slice u8 & t_Slice u8) & Prims.unit) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v44 randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () + <: + ((t_Slice u8 & t_Slice u8) & Prims.unit) + else + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v44 randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () + <: + ((t_Slice u8 & t_Slice u8) & Prims.unit) + in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v65 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let (signing_key, verification_key), hax_temp_output:((t_Slice u8 & t_Slice u8) & Prims.unit) = + if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair v_ROWS_IN_A - v_COLUMNS_IN_A - v_ETA - v_ERROR_RING_ELEMENT_SIZE - v_SIGNING_KEY_SIZE - v_VERIFICATION_KEY_SIZE - randomness + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v65 randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () + <: + ((t_Slice u8 & t_Slice u8) & Prims.unit) else - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair v_ROWS_IN_A - v_COLUMNS_IN_A - v_ETA - v_ERROR_RING_ELEMENT_SIZE - v_SIGNING_KEY_SIZE - v_VERIFICATION_KEY_SIZE - randomness + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v65 randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () + <: + ((t_Slice u8 & t_Slice u8) & Prims.unit) + else + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v65 randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () + <: + ((t_Slice u8 & t_Slice u8) & Prims.unit) + in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v87 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let (signing_key, verification_key), hax_temp_output:((t_Slice u8 & t_Slice u8) & Prims.unit) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v87 randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () + <: + ((t_Slice u8 & t_Slice u8) & Prims.unit) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v87 randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () + <: + ((t_Slice u8 & t_Slice u8) & Prims.unit) + else + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v87 randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () + <: + ((t_Slice u8 & t_Slice u8) & Prims.unit) + in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) let sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -47,28 +156,29 @@ let sign = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key - message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign v_ROWS_IN_A v_COLUMNS_IN_A + v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness else if Libcrux_platform.Platform.simd128_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE - signing_key message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign v_ROWS_IN_A v_COLUMNS_IN_A + v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness else - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE - signing_key message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign v_ROWS_IN_A v_COLUMNS_IN_A + v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness let sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -79,7 +189,7 @@ let sign_pre_hashed_shake128 if Libcrux_platform.Platform.simd256_support () then Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness @@ -87,19 +197,19 @@ let sign_pre_hashed_shake128 if Libcrux_platform.Platform.simd128_support () then Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness else Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness let verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -111,27 +221,27 @@ let verify if Libcrux_platform.Platform.simd256_support () then Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify v_ROWS_IN_A v_COLUMNS_IN_A - v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 - v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message context - signature_serialized + v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized else if Libcrux_platform.Platform.simd128_support () then Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify v_ROWS_IN_A v_COLUMNS_IN_A - v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE - v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE - v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - verification_key_serialized message context signature_serialized + v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized else Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify v_ROWS_IN_A v_COLUMNS_IN_A - v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE - v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE - v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - verification_key_serialized message context signature_serialized + v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized let verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -143,7 +253,7 @@ let verify_pre_hashed_shake128 if Libcrux_platform.Platform.simd256_support () then Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized @@ -151,13 +261,13 @@ let verify_pre_hashed_shake128 if Libcrux_platform.Platform.simd128_support () then Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized else Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti index c617ed3c3..a7bfdaf2a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti @@ -3,16 +3,24 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing open Core open FStar.Mul -val generate_key_pair - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) +val generate_key_pair_v44 (randomness: t_Array u8 (sz 32)) - : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val generate_key_pair_v65 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val generate_key_pair_v87 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -24,7 +32,8 @@ val sign Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) val sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -36,7 +45,7 @@ val sign_pre_hashed_shake128 Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) val verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -49,7 +58,7 @@ val verify (fun _ -> Prims.l_True) val verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index 1fec04ec9..f0ca1cbc1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst @@ -8,6 +8,7 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in let open Libcrux_ml_dsa.Pre_hash in let open Libcrux_ml_dsa.Samplex4 in let open Libcrux_ml_dsa.Simd.Traits in @@ -18,12 +19,21 @@ let derive_message_representative (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key_hash: t_Array u8 (sz 64)) + (verification_key_hash: t_Slice u8) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (message: t_Slice u8) (message_representative: t_Array u8 (sz 64)) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key_hash <: usize) =. sz 64 <: bool + ) + in + () + in let shake:v_Shake256Xof = Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () in @@ -31,10 +41,14 @@ let derive_message_representative Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof #FStar.Tactics.Typeclasses.solve shake - (verification_key_hash <: t_Slice u8) + verification_key_hash in let shake:v_Shake256Xof = - match domain_separation_context with + match + domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + with | Core.Option.Option_Some domain_separation_context -> let shake:v_Shake256Xof = Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof @@ -84,7 +98,11 @@ let derive_message_representative shake (Libcrux_ml_dsa.Pre_hash.impl_1__context domain_separation_context <: t_Slice u8) in - (match Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context with + (match + Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context + <: + Core.Option.t_Option (t_Array u8 (sz 11)) + with | Core.Option.Option_Some pre_hash_oid -> Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof #FStar.Tactics.Typeclasses.solve @@ -110,293 +128,10 @@ let derive_message_representative let _:Prims.unit = () in message_representative -let verify_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message: t_Slice u8) - (domain_separation_context: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - = - let seed_for_A, t1:(t_Array u8 (sz 32) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = - Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit - v_ROWS_IN_A - v_VERIFICATION_KEY_SIZE - verification_key_serialized - in - match - Libcrux_ml_dsa.Encoding.Signature.impl__deserialize #v_SIMDUnit - v_COMMITMENT_HASH_SIZE - v_COLUMNS_IN_A - v_ROWS_IN_A - v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE - v_MAX_ONES_IN_HINT - v_SIGNATURE_SIZE - signature_serialized - with - | Core.Result.Result_Ok s -> - let signature:Libcrux_ml_dsa.Encoding.Signature.t_Signature v_SIMDUnit - v_COMMITMENT_HASH_SIZE - v_COLUMNS_IN_A - v_ROWS_IN_A = - s - in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - v_COLUMNS_IN_A - signature.Libcrux_ml_dsa.Encoding.Signature.f_signer_response - ((2l < - Core.Result.Result_Err e - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - -let verify - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - = - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - verify_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A - v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT verification_key_serialized message - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized - | Core.Result.Result_Err _ -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError - <: - Libcrux_ml_dsa.Types.t_VerificationError) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - -let verify_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) - (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i13: - Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - = - let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH - #v_PH_DIGEST_LEN - #FStar.Tactics.Typeclasses.solve - #v_Shake128 - message - in - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_Some - (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () - <: - t_Array u8 (sz 11)) - <: - Core.Option.t_Option (t_Array u8 (sz 11))) - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - verify_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A - v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT verification_key_serialized (pre_hashed_message <: t_Slice u8) - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized - | Core.Result.Result_Err _ -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError - <: - Libcrux_ml_dsa.Types.t_VerificationError) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - let sign_internal (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -422,32 +157,103 @@ let sign_internal Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (randomness: t_Array u8 (sz 32)) = - let seed_for_A, seed_for_signing, verification_key_hash, s1_as_ntt, s2_as_ntt, t0_as_ntt:(t_Array - u8 (sz 32) & - t_Array u8 (sz 32) & - t_Array u8 (sz 64) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = - Libcrux_ml_dsa.Encoding.Signing_key.deserialize_then_ntt #v_SIMDUnit - v_ROWS_IN_A - v_COLUMNS_IN_A - v_ETA - v_ERROR_RING_ELEMENT_SIZE - v_SIGNING_KEY_SIZE - signing_key + let eta:Libcrux_ml_dsa.Constants.t_Eta = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta + | 4uy -> Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) in - let v_A_as_ntt:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - Libcrux_ml_dsa.Samplex4.f_matrix_A #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - v_ROWS_IN_A - v_COLUMNS_IN_A - (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) (seed_for_A <: t_Slice u8) + let gamma2:Libcrux_ml_dsa.Constants.t_Gamma2 = + match v_GAMMA2 <: i32 with + | 95232l -> Libcrux_ml_dsa.Constants.Gamma2_V95_232_ <: Libcrux_ml_dsa.Constants.t_Gamma2 + | 261888l -> Libcrux_ml_dsa.Constants.Gamma2_V261_888_ <: Libcrux_ml_dsa.Constants.t_Gamma2 + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (signing_key <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + in + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + s1_as_ntt + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + s2_as_ntt + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_X_COLUMNS + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () <: - t_Array u8 (sz 34)) + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_X_COLUMNS + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_X_COLUMNS + = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + v_COLUMNS_IN_A + seed_for_a + matrix in let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in let message_representative:t_Array u8 (sz 64) = @@ -465,7 +271,7 @@ let sign_internal Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof #FStar.Tactics.Typeclasses.solve shake - (seed_for_signing <: t_Slice u8) + seed_for_signing in let shake:v_Shake256Xof = Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof @@ -490,7 +296,7 @@ let sign_internal let _:Prims.unit = () in let _:Prims.unit = () in let (domain_separator_for_mask: u16):u16 = 0us in - let v_BETA:i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 in + let beta:i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 in let attempt:usize = sz 0 in let commitment_hash:Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) = Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) @@ -539,48 +345,133 @@ let sign_internal temp_0_ in let attempt:usize = attempt +! sz 1 in - let tmp0, out:(u16 & + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let tmp0, tmp1:(u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit #v_Shake256 #v_Shake256X4 v_COLUMNS_IN_A v_GAMMA1_EXPONENT - (Libcrux_ml_dsa.Utils.into_padded_array (sz 66) (mask_seed <: t_Slice u8) - <: - t_Array u8 (sz 66)) + mask_seed domain_separator_for_mask + mask in let domain_separator_for_mask:u16 = tmp0 in let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - out + tmp1 in - let v_A_times_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + let _:Prims.unit = () in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Matrix.compute_A_times_mask #v_SIMDUnit + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A - v_COLUMNS_IN_A - v_A_as_ntt + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + #FStar.Tactics.Typeclasses.solve mask in - let w0, commitment:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (mask_ntt + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun mask_ntt temp_1_ -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = + mask_ntt + in + let _:usize = temp_1_ in + true) + mask_ntt + (fun mask_ntt i -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = + mask_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask_ntt.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A) + in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit + v_ROWS_IN_A + v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + a_x_mask + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit v_ROWS_IN_A - v_GAMMA2 - v_A_times_mask + gamma2 + (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + w0 + commitment in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A + = + tmp0 + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + tmp1 + in + let _:Prims.unit = () in + let _:Prims.unit = () in let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE in + let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = + Rust_primitives.Hax.repeat 0uy v_COMMITMENT_VECTOR_SIZE + in let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit - v_ROWS_IN_A v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE - commitment + (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized in let shake:v_Shake256Xof = Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof @@ -609,44 +500,67 @@ let sign_internal let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in let _:Prims.unit = () in let _:Prims.unit = () in - let verifier_challenge_as_ntt:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - = - Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit - #v_Shake256 - v_ONES_IN_VERIFIER_CHALLENGE - v_COMMITMENT_HASH_SIZE - commitment_hash_candidate - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (commitment_hash_candidate <: t_Slice u8) + v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge in let challenge_times_s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - v_COLUMNS_IN_A + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + #FStar.Tactics.Typeclasses.solve s1_as_ntt - verifier_challenge_as_ntt in let challenge_times_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - v_ROWS_IN_A + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + #FStar.Tactics.Typeclasses.solve s2_as_ntt - verifier_challenge_as_ntt in - let signer_response_candidate:t_Array + let challenge_times_s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit v_COLUMNS_IN_A mask challenge_times_s1 + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s1 + verifier_challenge in - let w0_minus_challenge_times_s2:t_Array + let challenge_times_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit v_ROWS_IN_A w0 challenge_times_s2 + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s2 + verifier_challenge + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + v_COLUMNS_IN_A + mask + (challenge_times_s1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A + = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit + v_ROWS_IN_A + w0 + (challenge_times_s2 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) in if Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - v_COLUMNS_IN_A - signer_response_candidate - ((1l <. v_MAX_ONES_IN_HINT then attempt, commitment_hash, domain_separator_for_mask, hint, signer_response @@ -725,7 +655,7 @@ let sign_internal let signer_response:Core.Option.t_Option (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = - Core.Option.Option_Some signer_response_candidate + Core.Option.Option_Some mask <: Core.Option.t_Option (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -744,37 +674,35 @@ let sign_internal (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A))) in - match commitment_hash with + match commitment_hash <: Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) with | Core.Option.Option_Some commitment_hash -> let commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = commitment_hash in - (match signer_response with + (match + signer_response + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + with | Core.Option.Option_Some signer_response -> let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = signer_response in - (match hint with + (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) with | Core.Option.Option_Some hint -> let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = hint in let signature:t_Array u8 v_SIGNATURE_SIZE = - Libcrux_ml_dsa.Encoding.Signature.impl__serialize #v_SIMDUnit - v_COMMITMENT_HASH_SIZE - v_COLUMNS_IN_A - v_ROWS_IN_A - v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE - v_MAX_ONES_IN_HINT - v_SIGNATURE_SIZE - ({ - Libcrux_ml_dsa.Encoding.Signature.f_commitment_hash = commitment_hash; - Libcrux_ml_dsa.Encoding.Signature.f_signer_response = signer_response; - Libcrux_ml_dsa.Encoding.Signature.f_hint = hint - } + Rust_primitives.Hax.repeat 0uy v_SIGNATURE_SIZE + in + let signature:t_Array u8 v_SIGNATURE_SIZE = + Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit + (commitment_hash <: t_Slice u8) + (signer_response <: - Libcrux_ml_dsa.Encoding.Signature.t_Signature v_SIMDUnit - v_COMMITMENT_HASH_SIZE - v_COLUMNS_IN_A - v_ROWS_IN_A) + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint <: t_Slice (t_Array i32 (sz 256))) v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A + v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT + signature in Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new v_SIGNATURE_SIZE signature) <: @@ -806,7 +734,8 @@ let sign_internal let sign (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) @@ -833,12 +762,15 @@ let sign match Libcrux_ml_dsa.Pre_hash.impl_1__new context (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT + v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message (Core.Option.Option_Some domain_separation_context @@ -854,7 +786,7 @@ let sign let sign_pre_hashed (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) - (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: @@ -908,14 +840,18 @@ let sign_pre_hashed t_Array u8 (sz 11)) <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE - v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key (pre_hashed_message <: t_Slice u8) + v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE + v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE + v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key + (pre_hashed_message <: t_Slice u8) (Core.Option.Option_Some domain_separation_context <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness @@ -926,106 +862,985 @@ let sign_pre_hashed Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError -let generate_key_pair - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: +let verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (randomness: t_Array u8 (sz 32)) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) = - let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - ((let list = [cast (v_ROWS_IN_A <: usize) <: u8; cast (v_COLUMNS_IN_A <: usize) <: u8] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list) - <: - t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - seed_expanded + let gamma2:Libcrux_ml_dsa.Constants.t_Gamma2 = + match v_GAMMA2 <: i32 with + | 95232l -> Libcrux_ml_dsa.Constants.Gamma2_V95_232_ <: Libcrux_ml_dsa.Constants.t_Gamma2 + | 261888l -> Libcrux_ml_dsa.Constants.Gamma2_V261_888_ <: Libcrux_ml_dsa.Constants.t_Gamma2 + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) in - let shake:v_Shake256Xof = tmp0 in - let seed_expanded:t_Array u8 (sz 128) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 - (seed_expanded <: t_Slice u8) + (verification_key <: t_Slice u8) Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE in - let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - seed_expanded - Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A in - let a_as_ntt:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - Libcrux_ml_dsa.Samplex4.f_matrix_A #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit v_ROWS_IN_A - v_COLUMNS_IN_A - (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) seed_for_a <: t_Array u8 (sz 34)) + v_VERIFICATION_KEY_SIZE + t1_serialized + t1 in - let s1, s2:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = - Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit - #v_Shake256X4 - v_ETA + let deserialized_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = + Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE + in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) v_ROWS_IN_A - (Libcrux_ml_dsa.Utils.into_padded_array (sz 66) seed_for_error_vectors <: t_Array u8 (sz 66)) in - let t:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Matrix.compute_As1_plus_s2 #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A a_as_ntt s1 s2 + let tmp0, tmp1, tmp2, out:(t_Array u8 v_COMMITMENT_HASH_SIZE & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit v_COLUMNS_IN_A v_ROWS_IN_A + v_COMMITMENT_HASH_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT + v_SIGNATURE_SIZE (signature_serialized <: t_Slice u8) deserialized_commitment_hash + deserialized_signer_response deserialized_hint in - let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = - Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit v_ROWS_IN_A t + let deserialized_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp0 in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = + tmp1 in - let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = - Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit - v_ROWS_IN_A - v_VERIFICATION_KEY_SIZE - seed_for_a - t1 + let deserialized_hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = tmp2 in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with + | Core.Result.Result_Ok _ -> + let _:Prims.unit = () <: Prims.unit in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((2l < + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = + deserialized_signer_response + in + let _:usize = temp_1_ in + true) + deserialized_signer_response + (fun deserialized_signer_response i -> + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = + deserialized_signer_response + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialized_signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit + v_ROWS_IN_A + v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verifier_challenge + t1 + in + let recomputed_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = + Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit + gamma2 + (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) + t1 + in + let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = + Rust_primitives.Hax.repeat 0uy v_COMMITMENT_VECTOR_SIZE + in + let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 v_COMMITMENT_HASH_SIZE) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + recomputed_commitment_hash + in + let shake:v_Shake256Xof = tmp0 in + let recomputed_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + if deserialized_commitment_hash =. recomputed_commitment_hash + then + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + verify_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A + v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i13: + Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #v_PH_DIGEST_LEN + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + verify_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A + v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized (pre_hashed_message <: t_Slice u8) + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let generate_key_pair_v44 + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. + generate_key_pair_v44__SIGNING_KEY_SIZE + <: + bool) + in + () + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. + generate_key_pair_v44__VERIFICATION_KEY_SIZE + <: + bool) + in + () + in + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + ((let list = + [ + cast (generate_key_pair_v44__ROWS_IN_A <: usize) <: u8; + cast (generate_key_pair_v44__COLUMNS_IN_A <: usize) <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:v_Shake256Xof = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 16) + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + generate_key_pair_v44__COLUMNS_IN_A + seed_for_a + a_as_ntt + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + generate_key_pair_v44__ETA + seed_for_error_vectors + s1_s2 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + s1_ntt + (s1_s2.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = generate_key_pair_v44__COLUMNS_IN_A + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun s1_ntt temp_1_ -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + s1_ntt + in + let _:usize = temp_1_ in + true) + s1_ntt + (fun s1_ntt i -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + s1_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit + generate_key_pair_v44__ROWS_IN_A + generate_key_pair_v44__COLUMNS_IN_A + (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + t0 + in + let _:Prims.unit = () in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp0 in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp1 in + let _:Prims.unit = () in + let verification_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit + seed_for_a + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verification_key + in + let signing_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 + generate_key_pair_v44__ETA generate_key_pair_v44__ERROR_RING_ELEMENT_SIZE seed_for_a + seed_for_signing verification_key + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v65 + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. + generate_key_pair_v65__SIGNING_KEY_SIZE + <: + bool) + in + () + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. + generate_key_pair_v65__VERIFICATION_KEY_SIZE + <: + bool) + in + () + in + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + ((let list = + [ + cast (generate_key_pair_v65__ROWS_IN_A <: usize) <: u8; + cast (generate_key_pair_v65__COLUMNS_IN_A <: usize) <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:v_Shake256Xof = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 30) + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + generate_key_pair_v65__COLUMNS_IN_A + seed_for_a + a_as_ntt + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 11) + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + generate_key_pair_v65__ETA + seed_for_error_vectors + s1_s2 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + s1_ntt + (s1_s2.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = generate_key_pair_v65__COLUMNS_IN_A + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun s1_ntt temp_1_ -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + s1_ntt + in + let _:usize = temp_1_ in + true) + s1_ntt + (fun s1_ntt i -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + s1_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit + generate_key_pair_v65__ROWS_IN_A + generate_key_pair_v65__COLUMNS_IN_A + (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + t0 + in + let _:Prims.unit = () in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp0 in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp1 in + let _:Prims.unit = () in + let verification_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit + seed_for_a + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verification_key + in + let signing_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 + generate_key_pair_v65__ETA generate_key_pair_v65__ERROR_RING_ELEMENT_SIZE seed_for_a + seed_for_signing verification_key + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v87 + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. + generate_key_pair_v87__SIGNING_KEY_SIZE + <: + bool) + in + () + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. + generate_key_pair_v87__VERIFICATION_KEY_SIZE + <: + bool) + in + () + in + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + ((let list = + [ + cast (generate_key_pair_v87__ROWS_IN_A <: usize) <: u8; + cast (generate_key_pair_v87__COLUMNS_IN_A <: usize) <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:v_Shake256Xof = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 56) + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + generate_key_pair_v87__COLUMNS_IN_A + seed_for_a + a_as_ntt + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 15) + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + generate_key_pair_v87__ETA + seed_for_error_vectors + s1_s2 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + s1_ntt + (s1_s2.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = generate_key_pair_v87__COLUMNS_IN_A + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun s1_ntt temp_1_ -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + s1_ntt + in + let _:usize = temp_1_ in + true) + s1_ntt + (fun s1_ntt i -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + s1_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit + generate_key_pair_v87__ROWS_IN_A + generate_key_pair_v87__COLUMNS_IN_A + (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + t0 + in + let _:Prims.unit = () in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp0 in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp1 in + let _:Prims.unit = () in + let verification_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit + seed_for_a + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verification_key in - let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = - Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 v_ROWS_IN_A - v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE seed_for_a seed_for_signing - (verification_key_serialized <: t_Slice u8) s1 s2 t0 + let signing_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 + generate_key_pair_v87__ETA generate_key_pair_v87__ERROR_RING_ELEMENT_SIZE seed_for_a + seed_for_signing verification_key + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key in - signing_key_serialized, verification_key_serialized - <: - (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti index a1ac213b3..a43ffe936 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti @@ -8,11 +8,90 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in let open Libcrux_ml_dsa.Pre_hash in let open Libcrux_ml_dsa.Samplex4 in let open Libcrux_ml_dsa.Simd.Traits in () +let generate_key_pair_v44__BITS_PER_ERROR_COEFFICIENT: usize = + Libcrux_ml_dsa.Constants.V44.v_BITS_PER_ERROR_COEFFICIENT + +let generate_key_pair_v44__COLUMNS_IN_A: usize = Libcrux_ml_dsa.Constants.V44.v_COLUMNS_IN_A + +let generate_key_pair_v44__ERROR_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.error_ring_element_size generate_key_pair_v44__BITS_PER_ERROR_COEFFICIENT + +let generate_key_pair_v44__ETA: Libcrux_ml_dsa.Constants.t_Eta = Libcrux_ml_dsa.Constants.V44.v_ETA + +let generate_key_pair_v44__ROWS_IN_A: usize = Libcrux_ml_dsa.Constants.V44.v_ROWS_IN_A + +let generate_key_pair_v44__ROW_COLUMN: usize = + generate_key_pair_v44__ROWS_IN_A +! generate_key_pair_v44__COLUMNS_IN_A + +let generate_key_pair_v44__ROW_X_COLUMN: usize = + generate_key_pair_v44__ROWS_IN_A *! generate_key_pair_v44__COLUMNS_IN_A + +let generate_key_pair_v44__SIGNING_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.signing_key_size generate_key_pair_v44__ROWS_IN_A + generate_key_pair_v44__COLUMNS_IN_A + generate_key_pair_v44__ERROR_RING_ELEMENT_SIZE + +let generate_key_pair_v44__VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.verification_key_size generate_key_pair_v44__ROWS_IN_A + +let generate_key_pair_v65__BITS_PER_ERROR_COEFFICIENT: usize = + Libcrux_ml_dsa.Constants.V65.v_BITS_PER_ERROR_COEFFICIENT + +let generate_key_pair_v65__COLUMNS_IN_A: usize = Libcrux_ml_dsa.Constants.V65.v_COLUMNS_IN_A + +let generate_key_pair_v65__ERROR_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.error_ring_element_size generate_key_pair_v65__BITS_PER_ERROR_COEFFICIENT + +let generate_key_pair_v65__ETA: Libcrux_ml_dsa.Constants.t_Eta = Libcrux_ml_dsa.Constants.V65.v_ETA + +let generate_key_pair_v65__ROWS_IN_A: usize = Libcrux_ml_dsa.Constants.V65.v_ROWS_IN_A + +let generate_key_pair_v65__ROW_COLUMN: usize = + generate_key_pair_v65__ROWS_IN_A +! generate_key_pair_v65__COLUMNS_IN_A + +let generate_key_pair_v65__ROW_X_COLUMN: usize = + generate_key_pair_v65__ROWS_IN_A *! generate_key_pair_v65__COLUMNS_IN_A + +let generate_key_pair_v65__SIGNING_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.signing_key_size generate_key_pair_v65__ROWS_IN_A + generate_key_pair_v65__COLUMNS_IN_A + generate_key_pair_v65__ERROR_RING_ELEMENT_SIZE + +let generate_key_pair_v65__VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.verification_key_size generate_key_pair_v65__ROWS_IN_A + +let generate_key_pair_v87__BITS_PER_ERROR_COEFFICIENT: usize = + Libcrux_ml_dsa.Constants.V87.v_BITS_PER_ERROR_COEFFICIENT + +let generate_key_pair_v87__COLUMNS_IN_A: usize = Libcrux_ml_dsa.Constants.V87.v_COLUMNS_IN_A + +let generate_key_pair_v87__ERROR_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.error_ring_element_size generate_key_pair_v87__BITS_PER_ERROR_COEFFICIENT + +let generate_key_pair_v87__ETA: Libcrux_ml_dsa.Constants.t_Eta = Libcrux_ml_dsa.Constants.V87.v_ETA + +let generate_key_pair_v87__ROWS_IN_A: usize = Libcrux_ml_dsa.Constants.V87.v_ROWS_IN_A + +let generate_key_pair_v87__ROW_COLUMN: usize = + generate_key_pair_v87__ROWS_IN_A +! generate_key_pair_v87__COLUMNS_IN_A + +let generate_key_pair_v87__ROW_X_COLUMN: usize = + generate_key_pair_v87__ROWS_IN_A *! generate_key_pair_v87__COLUMNS_IN_A + +let generate_key_pair_v87__SIGNING_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.signing_key_size generate_key_pair_v87__ROWS_IN_A + generate_key_pair_v87__COLUMNS_IN_A + generate_key_pair_v87__ERROR_RING_ELEMENT_SIZE + +let generate_key_pair_v87__VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.verification_key_size generate_key_pair_v87__ROWS_IN_A + /// This corresponds to line 6 in algorithm 7 in FIPS 204 (line 7 in algorithm /// 8, resp.). /// If `domain_separation_context` is supplied, applies domain @@ -33,19 +112,87 @@ let _ = val derive_message_representative (#v_Shake256Xof: Type0) {| i1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - (verification_key_hash: t_Array u8 (sz 64)) + (verification_key_hash: t_Slice u8) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (message: t_Slice u8) (message_representative: t_Array u8 (sz 64)) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) +/// The internal signing API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. +val sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + /// The internal verification API. /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. val verify_internal (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -55,7 +202,7 @@ val verify_internal {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) (message: t_Slice u8) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) @@ -66,7 +213,7 @@ val verify_internal val verify (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -85,7 +232,7 @@ val verify val verify_pre_hashed (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) - (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: @@ -104,77 +251,35 @@ val verify_pre_hashed Prims.l_True (fun _ -> Prims.l_True) -/// The internal signing API. -/// If no `domain_separation_context` is supplied, it is assumed that -/// `message` already contains the domain separation. -val sign_internal +/// Generate a key pair. +val generate_key_pair_v44 (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message: t_Slice u8) - (domain_separation_context: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val sign +/// Generate a key pair. +val generate_key_pair_v65 (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: - Type0) - (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) /// Generate a key pair. -val generate_key_pair +val generate_key_pair_v87 (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} @@ -182,6 +287,5 @@ val generate_key_pair {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} (randomness: t_Array u8 (sz 32)) - : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst index 05275542e..f9ceb7c45 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst @@ -16,15 +16,19 @@ let invert_ntt_montgomery Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - { - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_montgomery #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - re.Libcrux_ml_dsa.Polynomial.f_simd_units - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_montgomery #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + re.Libcrux_ml_dsa.Polynomial.f_simd_units + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re let ntt (#v_SIMDUnit: Type0) @@ -33,15 +37,19 @@ let ntt Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - { - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Libcrux_ml_dsa.Simd.Traits.f_ntt #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - re.Libcrux_ml_dsa.Polynomial.f_simd_units - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Libcrux_ml_dsa.Simd.Traits.f_ntt #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + re.Libcrux_ml_dsa.Polynomial.f_simd_units + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re let ntt_multiply_montgomery (#v_SIMDUnit: Type0) @@ -50,40 +58,38 @@ let ntt_multiply_montgomery Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (lhs rhs: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - in - let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + let lhs:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit - (out.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + (Core.Slice.impl__len #i1.f_Coefficient + (lhs.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) <: usize) - (fun out temp_1_ -> - let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + (fun lhs temp_1_ -> + let lhs:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = lhs in let _:usize = temp_1_ in true) - out - (fun out i -> - let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + lhs + (fun lhs i -> + let lhs:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = lhs in let i:usize = i in { - out with + lhs with Libcrux_ml_dsa.Polynomial.f_simd_units = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs .Libcrux_ml_dsa.Polynomial.f_simd_units i (Libcrux_ml_dsa.Simd.Traits.f_montgomery_multiply #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (lhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) - (rhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + (lhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) + (rhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) <: - v_SIMDUnit) + i1.f_Coefficient) <: - t_Array v_SIMDUnit (sz 32) + t_Array i1.f_Coefficient (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - out + let hax_temp_output:Prims.unit = () <: Prims.unit in + lhs diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst index 99e46c0e2..7f0a7f910 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst @@ -9,57 +9,46 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_1': - #v_SIMDUnit: Type0 -> - {| i1: Core.Clone.t_Clone v_SIMDUnit |} -> - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - -> Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit) - -let impl_1 - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - = impl_1' #v_SIMDUnit #i1 #i2 - -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_2': - #v_SIMDUnit: Type0 -> - {| i1: Core.Marker.t_Copy v_SIMDUnit |} -> - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - -> Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) - -let impl_2 - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Marker.t_Copy v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - = impl_2' #v_SIMDUnit #i1 #i2 - -let impl__ZERO +let impl__add (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (_: Prims.unit) + (self rhs: t_PolynomialRingElement v_SIMDUnit) = - { - f_simd_units - = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Traits.f_ZERO #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - () + let self:t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i1.f_Coefficient (self.f_simd_units <: t_Slice i1.f_Coefficient) <: - v_SIMDUnit) - (sz 32) - } - <: - t_PolynomialRingElement v_SIMDUnit + usize) + (fun self temp_1_ -> + let self:t_PolynomialRingElement v_SIMDUnit = self in + let _:usize = temp_1_ in + true) + self + (fun self i -> + let self:t_PolynomialRingElement v_SIMDUnit = self in + let i:usize = i in + { + self with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (self.f_simd_units.[ i ] <: i1.f_Coefficient) + (rhs.f_simd_units.[ i ] <: i1.f_Coefficient) + <: + i1.f_Coefficient) + <: + t_Array i1.f_Coefficient (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + self let impl__from_i32_array (#v_SIMDUnit: Type0) @@ -67,6 +56,7 @@ let impl__from_i32_array i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (array: t_Slice i32) + (result: t_PolynomialRingElement v_SIMDUnit) = let _:Prims.unit = if true @@ -76,7 +66,6 @@ let impl__from_i32_array in () in - let result:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in let result:t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_dsa.Simd.Traits.v_SIMD_UNITS_IN_RING_ELEMENT @@ -111,55 +100,18 @@ let impl__from_i32_array Core.Ops.Range.t_Range usize ] <: t_Slice i32) + (result.f_simd_units.[ i ] <: i1.f_Coefficient) <: - v_SIMDUnit) + i1.f_Coefficient) <: - t_Array v_SIMDUnit (sz 32) + t_Array i1.f_Coefficient (sz 32) } <: t_PolynomialRingElement v_SIMDUnit) in + let hax_temp_output:Prims.unit = () <: Prims.unit in result -let impl__add - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (self rhs: t_PolynomialRingElement v_SIMDUnit) - = - let sum:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in - let sum:t_PolynomialRingElement v_SIMDUnit = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit (sum.f_simd_units <: t_Slice v_SIMDUnit) <: usize) - (fun sum temp_1_ -> - let sum:t_PolynomialRingElement v_SIMDUnit = sum in - let _:usize = temp_1_ in - true) - sum - (fun sum i -> - let sum:t_PolynomialRingElement v_SIMDUnit = sum in - let i:usize = i in - { - sum with - f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum.f_simd_units - i - (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (self.f_simd_units.[ i ] <: v_SIMDUnit) - (rhs.f_simd_units.[ i ] <: v_SIMDUnit) - <: - v_SIMDUnit) - <: - t_Array v_SIMDUnit (sz 32) - } - <: - t_PolynomialRingElement v_SIMDUnit) - in - sum - let impl__infinity_norm_exceeds (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -168,27 +120,34 @@ let impl__infinity_norm_exceeds (self: t_PolynomialRingElement v_SIMDUnit) (bound: i32) = - let exceeds:bool = false in - let exceeds:bool = + let result:bool = false in + let result:bool = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit (self.f_simd_units <: t_Slice v_SIMDUnit) <: usize) - (fun exceeds temp_1_ -> - let exceeds:bool = exceeds in + (Core.Slice.impl__len #i1.f_Coefficient (self.f_simd_units <: t_Slice i1.f_Coefficient) + <: + usize) + (fun result temp_1_ -> + let result:bool = result in let _:usize = temp_1_ in true) - exceeds - (fun exceeds i -> - let exceeds:bool = exceeds in + result + (fun result i -> + let result:bool = result in let i:usize = i in - exceeds || - (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (self.f_simd_units.[ i ] <: v_SIMDUnit) - bound - <: - bool)) + if + (~.result <: bool) && + (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (self.f_simd_units.[ i ] <: i1.f_Coefficient) + bound + <: + bool) + then + let result:bool = result || true in + result + else result) in - exceeds + result let impl__subtract (#v_SIMDUnit: Type0) @@ -197,37 +156,39 @@ let impl__subtract Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (self rhs: t_PolynomialRingElement v_SIMDUnit) = - let difference:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in - let difference:t_PolynomialRingElement v_SIMDUnit = + let self:t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit (difference.f_simd_units <: t_Slice v_SIMDUnit) <: usize) - (fun difference temp_1_ -> - let difference:t_PolynomialRingElement v_SIMDUnit = difference in + (Core.Slice.impl__len #i1.f_Coefficient (self.f_simd_units <: t_Slice i1.f_Coefficient) + <: + usize) + (fun self temp_1_ -> + let self:t_PolynomialRingElement v_SIMDUnit = self in let _:usize = temp_1_ in true) - difference - (fun difference i -> - let difference:t_PolynomialRingElement v_SIMDUnit = difference in + self + (fun self i -> + let self:t_PolynomialRingElement v_SIMDUnit = self in let i:usize = i in { - difference with + self with f_simd_units = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference.f_simd_units + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_simd_units i (Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (self.f_simd_units.[ i ] <: v_SIMDUnit) - (rhs.f_simd_units.[ i ] <: v_SIMDUnit) + (self.f_simd_units.[ i ] <: i1.f_Coefficient) + (rhs.f_simd_units.[ i ] <: i1.f_Coefficient) <: - v_SIMDUnit) + i1.f_Coefficient) <: - t_Array v_SIMDUnit (sz 32) + t_Array i1.f_Coefficient (sz 32) } <: t_PolynomialRingElement v_SIMDUnit) in - difference + let hax_temp_output:Prims.unit = () <: Prims.unit in + self let impl__to_i32_array (#v_SIMDUnit: Type0) @@ -238,7 +199,7 @@ let impl__to_i32_array = let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in let result:t_Array i32 (sz 256) = - Rust_primitives.Hax.Folds.fold_enumerated_slice (self.f_simd_units <: t_Slice v_SIMDUnit) + Rust_primitives.Hax.Folds.fold_enumerated_slice (self.f_simd_units <: t_Slice i1.f_Coefficient) (fun result temp_1_ -> let result:t_Array i32 (sz 256) = result in let _:usize = temp_1_ in @@ -246,7 +207,7 @@ let impl__to_i32_array result (fun result temp_1_ -> let result:t_Array i32 (sz 256) = result in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + let i, simd_unit:(usize & i1.f_Coefficient) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range result ({ Core.Ops.Range.f_start @@ -260,7 +221,9 @@ let impl__to_i32_array } <: Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #i32 + (Libcrux_ml_dsa.Simd.Traits.f_to_coefficient_array #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit (result.[ { Core.Ops.Range.f_start = @@ -275,14 +238,69 @@ let impl__to_i32_array Core.Ops.Range.t_Range usize ] <: t_Slice i32) - (Libcrux_ml_dsa.Simd.Traits.f_to_coefficient_array #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - simd_unit - <: - t_Slice i32) <: t_Slice i32) <: t_Array i32 (sz 256)) in result + +let impl__zero + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (_: Prims.unit) + = + { + f_simd_units + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Traits.f_zero #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + () + <: + i1.f_Coefficient) + (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit + +// [@@ FStar.Tactics.Typeclasses.tcinstance] +// assume +// val impl_1': +// #v_SIMDUnit: Type0 -> +// {| i1: Core.Clone.t_Clone v_SIMDUnit |} -> +// {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> +// {| i3: Core.Clone.t_Clone v_7494601369702794077.f_Coefficient |} +// -> Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit) + +// let impl_1 +// (#v_SIMDUnit: Type0) +// (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_SIMDUnit) +// (#[FStar.Tactics.Typeclasses.tcresolve ()] +// i2: +// Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) +// (#[FStar.Tactics.Typeclasses.tcresolve ()] +// i3: +// Core.Clone.t_Clone v_7494601369702794077.f_Coefficient) +// = impl_1' #v_SIMDUnit #i1 #i2 #i3 + +// [@@ FStar.Tactics.Typeclasses.tcinstance] +// assume +// val impl_2': +// #v_SIMDUnit: Type0 -> +// {| i1: Core.Marker.t_Copy v_SIMDUnit |} -> +// {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> +// {| i3: Core.Marker.t_Copy v_7494601369702794077.f_Coefficient |} +// -> Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) + +// let impl_2 +// (#v_SIMDUnit: Type0) +// (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Marker.t_Copy v_SIMDUnit) +// (#[FStar.Tactics.Typeclasses.tcresolve ()] +// i2: +// Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) +// (#[FStar.Tactics.Typeclasses.tcresolve ()] +// i3: +// Core.Marker.t_Copy v_7494601369702794077.f_Coefficient) +// = impl_2' #v_SIMDUnit #i1 #i2 #i3 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti index b9648e9ab..b35ca6810 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti @@ -11,38 +11,19 @@ let _ = type t_PolynomialRingElement (v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - = { f_simd_units:t_Array v_SIMDUnit (sz 32) } + = { f_simd_units:t_Array i1.f_Coefficient (sz 32) } -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1 - (#v_SIMDUnit: Type0) - {| i1: Core.Clone.t_Clone v_SIMDUnit |} - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - : Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_2 - (#v_SIMDUnit: Type0) - {| i1: Core.Marker.t_Copy v_SIMDUnit |} - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - : Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) - -val impl__ZERO: - #v_SIMDUnit: Type0 -> - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> - Prims.unit - -> Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) - -val impl__from_i32_array +val impl__add (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (array: t_Slice i32) + (self rhs: t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -val impl__add +val impl__from_i32_array (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (self rhs: t_PolynomialRingElement v_SIMDUnit) + (array: t_Slice i32) + (result: t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) val impl__infinity_norm_exceeds @@ -63,3 +44,25 @@ val impl__to_i32_array {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (self: t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (t_Array i32 (sz 256)) Prims.l_True (fun _ -> Prims.l_True) + +val impl__zero: + #v_SIMDUnit: Type0 -> + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> + Prims.unit + -> Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +// [@@ FStar.Tactics.Typeclasses.tcinstance] +// val impl_1 +// (#v_SIMDUnit: Type0) +// {| i1: Core.Clone.t_Clone v_SIMDUnit |} +// {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} +// {| i3: Core.Clone.t_Clone v_7494601369702794077.f_Coefficient |} +// : Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit) + +// [@@ FStar.Tactics.Typeclasses.tcinstance] +// val impl_2 +// (#v_SIMDUnit: Type0) +// {| i1: Core.Marker.t_Copy v_SIMDUnit |} +// {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} +// {| i3: Core.Marker.t_Copy v_7494601369702794077.f_Coefficient |} +// : Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst index a9b6eddc8..43d3a2fb7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst @@ -14,7 +14,7 @@ let impl_1__context (self: t_DomainSeparationContext) = self.f_context let impl_1__pre_hash_oid (self: t_DomainSeparationContext) = self.f_pre_hash_oid let t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) = - match x with | DomainSeparationError_ContextTooLongError -> isz 0 + match x <: t_DomainSeparationError with | DomainSeparationError_ContextTooLongError -> isz 0 [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_2: Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError = @@ -26,7 +26,7 @@ let impl_2: Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSepa f_from = fun (e: t_DomainSeparationError) -> - match e with + match e <: t_DomainSeparationError with | DomainSeparationError_ContextTooLongError -> Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError } @@ -41,7 +41,7 @@ let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_Domai f_from = fun (e: t_DomainSeparationError) -> - match e with + match e <: t_DomainSeparationError with | DomainSeparationError_ContextTooLongError -> Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError <: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst index da6c38417..f6360477a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst @@ -14,48 +14,129 @@ let _ = let generate_domain_separator (row, column: (u8 & u8)) = (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) <>! 8l <: u16) <: u8) + in + out + +let add_error_domain_separator (slice: t_Slice u8) (domain_separator: u16) = + let out:t_Array u8 (sz 66) = Rust_primitives.Hax.repeat 0uy (sz 66) in + let out:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (out.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + slice + <: + t_Slice u8) + in + let out:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 64) (cast (domain_separator <: u16) <: u8) in - let seed:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + let out:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 65) (cast (domain_separator >>! 8l <: u16) <: u8) in - let domain_separator:u16 = domain_separator +! 1us in - let hax_temp_output:t_Array u8 (sz 66) = seed in - domain_separator, hax_temp_output <: (u16 & t_Array u8 (sz 66)) + out -let update_matrix - (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (m: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) - (i j: usize) - (v: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) +let inside_out_shuffle + (randomness: t_Slice u8) + (out_index: usize) + (signs: u64) + (result: t_Array i32 (sz 256)) = - let m:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize m - i - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (m.[ i ] - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - j - v + let done:bool = false in + let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #u8 randomness <: Core.Slice.Iter.t_Iter u8) <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + Core.Slice.Iter.t_Iter u8) + (done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) + (fun temp_0_ byte -> + let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = + temp_0_ + in + let byte:u8 = byte in + if ~.done <: bool + then + let sample_at:usize = cast (byte <: u8) <: usize in + let out_index, result, signs:(usize & t_Array i32 (sz 256) & u64) = + if sample_at <=. out_index + then + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + out_index + (result.[ sample_at ] <: i32) + in + let out_index:usize = out_index +! sz 1 in + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + sample_at + (1l -! (2l *! (cast (signs &. 1uL <: u64) <: i32) <: i32) <: i32) + in + let signs:u64 = signs >>! 1l in + out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) + else out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) + in + let done:bool = + out_index =. (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) + in + done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64) + else done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) in - m + let hax_temp_output:bool = done in + out_index, signs, result, hax_temp_output <: (usize & u64 & t_Array i32 (sz 256) & bool) let rejection_sample_less_than_eta_equals_2_ (#v_SIMDUnit: Type0) @@ -163,17 +244,17 @@ let rejection_sample_less_than_eta_equals_4_ let rejection_sample_less_than_eta (#v_SIMDUnit: Type0) - (v_ETA: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (eta: Libcrux_ml_dsa.Constants.t_Eta) (randomness: t_Slice u8) (sampled: usize) (out: t_Array i32 (sz 263)) = let (out, sampled), hax_temp_output:((t_Array i32 (sz 263) & usize) & bool) = - match cast (v_ETA <: usize) <: u8 with - | 2uy -> + match eta <: Libcrux_ml_dsa.Constants.t_Eta with + | Libcrux_ml_dsa.Constants.Eta_Two -> let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit randomness sampled out in @@ -182,7 +263,7 @@ let rejection_sample_less_than_eta (out, sampled <: (t_Array i32 (sz 263) & usize)), out1 <: ((t_Array i32 (sz 263) & usize) & bool) - | 4uy -> + | Libcrux_ml_dsa.Constants.Eta_Four -> let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit randomness sampled out in @@ -191,14 +272,6 @@ let rejection_sample_less_than_eta (out, sampled <: (t_Array i32 (sz 263) & usize)), out1 <: ((t_Array i32 (sz 263) & usize) & bool) - | _ -> - (out, sampled <: (t_Array i32 (sz 263) & usize)), - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - <: - ((t_Array i32 (sz 263) & usize) & bool) in sampled, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) @@ -254,71 +327,22 @@ let rejection_sample_less_than_field_modulus let hax_temp_output:bool = done in sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) -let inside_out_shuffle - (randomness: t_Slice u8) - (out_index: usize) - (signs: u64) - (result: t_Array i32 (sz 256)) - = - let done:bool = false in - let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter - u8) - #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__iter #u8 randomness <: Core.Slice.Iter.t_Iter u8) - <: - Core.Slice.Iter.t_Iter u8) - (done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) - (fun temp_0_ byte -> - let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = - temp_0_ - in - let byte:u8 = byte in - if ~.done <: bool - then - let sample_at:usize = cast (byte <: u8) <: usize in - let out_index, result, signs:(usize & t_Array i32 (sz 256) & u64) = - if sample_at <=. out_index - then - let result:t_Array i32 (sz 256) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - out_index - (result.[ sample_at ] <: i32) - in - let out_index:usize = out_index +! sz 1 in - let result:t_Array i32 (sz 256) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - sample_at - (1l -! (2l *! (cast (signs &. 1uL <: u64) <: i32) <: i32) <: i32) - in - let signs:u64 = signs >>! 1l in - out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) - else out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) - in - let done:bool = - out_index =. (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) - in - done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64) - else done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) - in - let hax_temp_output:bool = done in - out_index, signs, result, hax_temp_output <: (usize & u64 & t_Array i32 (sz 256) & bool) - let sample_challenge_ring_element (#v_SIMDUnit #v_Shake256: Type0) - (v_NUMBER_OF_ONES v_SEED_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (seed: t_Array u8 v_SEED_SIZE) + (seed: t_Slice u8) + (number_of_ones: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = let state:v_Shake256 = Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_final #v_Shake256 #FStar.Tactics.Typeclasses.solve - (seed <: t_Slice u8) + seed in let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block #v_Shake256 @@ -345,7 +369,7 @@ let sample_challenge_ring_element in let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in let out_index:usize = - (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) -! v_NUMBER_OF_ONES + (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) -! number_of_ones in let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = inside_out_shuffle (randomness.[ { Core.Ops.Range.f_start = sz 8 } @@ -395,64 +419,28 @@ let sample_challenge_ring_element <: (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) in - Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (result <: t_Slice i32) + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (result <: t_Slice i32) re + in + re let sample_four_error_ring_elements (#v_SIMDUnit #v_Shake256: Type0) - (v_ETA: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256) - (seed_base: t_Array u8 (sz 66)) - (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (seed: t_Slice u8) + (start_index: u16) + (re: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - let seed0:t_Array u8 (sz 66) = seed_base in - let seed0:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 - (sz 64) - (cast (domain_separator0 <: u16) <: u8) - in - let seed0:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 - (sz 65) - (cast (domain_separator0 >>! 8l <: u16) <: u8) - in - let seed1:t_Array u8 (sz 66) = seed0 in - let seed1:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 - (sz 64) - (cast (domain_separator1 <: u16) <: u8) - in - let seed1:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 - (sz 65) - (cast (domain_separator1 >>! 8l <: u16) <: u8) - in - let seed2:t_Array u8 (sz 66) = seed0 in - let seed2:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 - (sz 64) - (cast (domain_seperator2 <: u16) <: u8) - in - let seed2:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 - (sz 65) - (cast (domain_seperator2 >>! 8l <: u16) <: u8) - in - let seed3:t_Array u8 (sz 66) = seed0 in - let seed3:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 - (sz 64) - (cast (domain_separator3 <: u16) <: u8) - in - let seed3:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 - (sz 65) - (cast (domain_separator3 >>! 8l <: u16) <: u8) - in + let seed0:t_Array u8 (sz 66) = add_error_domain_separator seed start_index in + let seed1:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 1us <: u16) in + let seed2:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 2us <: u16) in + let seed3:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 3us <: u16) in let state:v_Shake256 = Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_x4 #v_Shake256 #FStar.Tactics.Typeclasses.solve @@ -461,7 +449,7 @@ let sample_four_error_ring_elements (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) in - let tmp0, out4:(v_Shake256 & + let tmp0, out1:(v_Shake256 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block_x4 #v_Shake256 #FStar.Tactics.Typeclasses.solve @@ -470,66 +458,79 @@ let sample_four_error_ring_elements let state:v_Shake256 = tmp0 in let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) = - out4 + out1 + in + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 263) <: t_Array i32 (sz 263)) + (sz 4) in - let out0:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in - let out1:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in - let out2:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in - let out3:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in let sampled0:usize = sz 0 in let sampled1:usize = sz 0 in let sampled2:usize = sz 0 in let sampled3:usize = sz 0 in - let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._1 <: t_Slice u8) sampled0 out0 + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + eta + (randomnesses._1 <: t_Slice u8) + sampled0 + (out.[ sz 0 ] <: t_Array i32 (sz 263)) in let sampled0:usize = tmp0 in - let out0:t_Array i32 (sz 263) = tmp1 in - let done0:bool = out4 in - let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._2 <: t_Slice u8) sampled1 out1 + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) tmp1 + in + let done0:bool = out1 in + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + eta + (randomnesses._2 <: t_Slice u8) + sampled1 + (out.[ sz 1 ] <: t_Array i32 (sz 263)) in let sampled1:usize = tmp0 in - let out1:t_Array i32 (sz 263) = tmp1 in - let done1:bool = out4 in - let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._3 <: t_Slice u8) sampled2 out2 + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) tmp1 + in + let done1:bool = out1 in + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + eta + (randomnesses._3 <: t_Slice u8) + sampled2 + (out.[ sz 2 ] <: t_Array i32 (sz 263)) in let sampled2:usize = tmp0 in - let out2:t_Array i32 (sz 263) = tmp1 in - let done2:bool = out4 in - let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._4 <: t_Slice u8) sampled3 out3 + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) tmp1 + in + let done2:bool = out1 in + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + eta + (randomnesses._4 <: t_Slice u8) + sampled3 + (out.[ sz 3 ] <: t_Array i32 (sz 263)) in let sampled3:usize = tmp0 in - let out3:t_Array i32 (sz 263) = tmp1 in - let done3:bool = out4 in - let - done0, done1, done2, done3, out0, out1, out2, out3, sampled0, sampled1, sampled2, sampled3, state:( - bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & - t_Array i32 (sz 263) & + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) tmp1 + in + let done3:bool = out1 in + let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool & bool & + bool & + bool & + t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize & usize & v_Shake256) = Rust_primitives.f_while_loop (fun temp_0_ -> - let - done0, - done1, - done2, - done3, - out0, - out1, - out2, - out3, - sampled0, - sampled1, - sampled2, - sampled3, - state:(bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & - t_Array i32 (sz 263) & - t_Array i32 (sz 263) & + let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool & + bool & + bool & + bool & + t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize & @@ -538,45 +539,17 @@ let sample_four_error_ring_elements temp_0_ in (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool)) - (done0, - done1, - done2, - done3, - out0, - out1, - out2, - out3, - sampled0, - sampled1, - sampled2, - sampled3, - state + (done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state <: - (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & - t_Array i32 (sz 263) & - t_Array i32 (sz 263) & - usize & - usize & - usize & + (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize & usize & v_Shake256)) (fun temp_0_ -> - let - done0, - done1, - done2, - done3, - out0, - out1, - out2, - out3, - sampled0, - sampled1, - sampled2, - sampled3, - state:(bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & - t_Array i32 (sz 263) & - t_Array i32 (sz 263) & + let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool & + bool & + bool & + bool & + t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize & @@ -584,7 +557,7 @@ let sample_four_error_ring_elements v_Shake256) = temp_0_ in - let tmp0, out4:(v_Shake256 & + let tmp0, out1:(v_Shake256 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block_x4 #v_Shake256 @@ -594,127 +567,126 @@ let sample_four_error_ring_elements let state:v_Shake256 = tmp0 in let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) = - out4 + out1 in - let done0, out0, sampled0:(bool & t_Array i32 (sz 263) & usize) = + let done0, out, sampled0:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) = if ~.done0 then - let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta #v_SIMDUnit - v_ETA + eta (randomnesses._1 <: t_Slice u8) sampled0 - out0 + (out.[ sz 0 ] <: t_Array i32 (sz 263)) in let sampled0:usize = tmp0 in - let out0:t_Array i32 (sz 263) = tmp1 in - let done0:bool = out4 in - done0, out0, sampled0 <: (bool & t_Array i32 (sz 263) & usize) - else done0, out0, sampled0 <: (bool & t_Array i32 (sz 263) & usize) + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) tmp1 + in + let done0:bool = out1 in + done0, out, sampled0 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) + else done0, out, sampled0 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) in - let done1, out1, sampled1:(bool & t_Array i32 (sz 263) & usize) = + let done1, out, sampled1:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) = if ~.done1 then - let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta #v_SIMDUnit - v_ETA + eta (randomnesses._2 <: t_Slice u8) sampled1 - out1 + (out.[ sz 1 ] <: t_Array i32 (sz 263)) in let sampled1:usize = tmp0 in - let out1:t_Array i32 (sz 263) = tmp1 in - let done1:bool = out4 in - done1, out1, sampled1 <: (bool & t_Array i32 (sz 263) & usize) - else done1, out1, sampled1 <: (bool & t_Array i32 (sz 263) & usize) + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) tmp1 + in + let done1:bool = out1 in + done1, out, sampled1 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) + else done1, out, sampled1 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) in - let done2, out2, sampled2:(bool & t_Array i32 (sz 263) & usize) = + let done2, out, sampled2:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) = if ~.done2 then - let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta #v_SIMDUnit - v_ETA + eta (randomnesses._3 <: t_Slice u8) sampled2 - out2 + (out.[ sz 2 ] <: t_Array i32 (sz 263)) in let sampled2:usize = tmp0 in - let out2:t_Array i32 (sz 263) = tmp1 in - let done2:bool = out4 in - done2, out2, sampled2 <: (bool & t_Array i32 (sz 263) & usize) - else done2, out2, sampled2 <: (bool & t_Array i32 (sz 263) & usize) + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) tmp1 + in + let done2:bool = out1 in + done2, out, sampled2 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) + else done2, out, sampled2 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) in if ~.done3 then - let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta #v_SIMDUnit - v_ETA + eta (randomnesses._4 <: t_Slice u8) sampled3 - out3 + (out.[ sz 3 ] <: t_Array i32 (sz 263)) in let sampled3:usize = tmp0 in - let out3:t_Array i32 (sz 263) = tmp1 in - let done3:bool = out4 in - done0, - done1, - done2, - done3, - out0, - out1, - out2, - out3, - sampled0, - sampled1, - sampled2, - sampled3, - state + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) tmp1 + in + let done3:bool = out1 in + done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state <: - (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & - t_Array i32 (sz 263) & - t_Array i32 (sz 263) & - usize & - usize & + (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize & usize & v_Shake256) else - done0, - done1, - done2, - done3, - out0, - out1, - out2, - out3, - sampled0, - sampled1, - sampled2, - sampled3, - state + done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state <: - (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & - t_Array i32 (sz 263) & - t_Array i32 (sz 263) & - usize & - usize & + (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize & usize & v_Shake256)) in - Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out0 <: t_Slice i32), - Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out1 <: t_Slice i32), - Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out2 <: t_Slice i32), - Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out3 <: t_Slice i32) - <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + let max:usize = (cast (start_index <: u16) <: usize) +! sz 4 in + let max:usize = + if + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) re + <: + usize) <. + max + then Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) re + else max + in + let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (cast (start_index <: u16) <: usize) + max + (fun re temp_1_ -> + let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = re in + let _:usize = temp_1_ in + true) + re + (fun re i -> + let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = re in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + i + (Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit + (out.[ i %! sz 4 <: usize ] <: t_Slice i32) + (re.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + re let sample_mask_ring_element (#v_SIMDUnit #v_Shake256: Type0) - (v_GAMMA1_EXPONENT: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) @@ -723,10 +695,11 @@ let sample_mask_ring_element Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (seed: t_Array u8 (sz 66)) (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (gamma1_exponent: usize) = let result, hax_temp_output:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Prims.unit) = - match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + match cast (gamma1_exponent <: usize) <: u8 with | 17uy -> let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in let out:t_Array u8 (sz 576) = @@ -738,7 +711,7 @@ let sample_mask_ring_element in let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - v_GAMMA1_EXPONENT + gamma1_exponent (out <: t_Slice u8) result in @@ -754,7 +727,7 @@ let sample_mask_ring_element in let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - v_GAMMA1_EXPONENT + gamma1_exponent (out <: t_Slice u8) result in @@ -772,7 +745,6 @@ let sample_mask_ring_element let sample_mask_vector (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0) - (v_DIMENSION v_GAMMA1_EXPONENT: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) @@ -782,38 +754,33 @@ let sample_mask_vector (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (seed: t_Array u8 (sz 66)) + (dimension gamma1_exponent: usize) + (seed: t_Array u8 (sz 64)) (domain_separator: u16) + (mask: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION - in let _:Prims.unit = if true then let _:Prims.unit = - Hax_lib.v_assert ((v_DIMENSION =. sz 4 <: bool) || (v_DIMENSION =. sz 5 <: bool) || - (v_DIMENSION =. sz 7 <: bool)) + Hax_lib.v_assert ((dimension =. sz 4 <: bool) || (dimension =. sz 5 <: bool) || + (dimension =. sz 7 <: bool)) in () in - let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in - let domain_separator:u16 = tmp0 in - let seed0:t_Array u8 (sz 66) = out4 in - let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in - let domain_separator:u16 = tmp0 in - let seed1:t_Array u8 (sz 66) = out4 in - let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in - let domain_separator:u16 = tmp0 in - let seed2:t_Array u8 (sz 66) = out4 in - let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in - let domain_separator:u16 = tmp0 in - let seed3:t_Array u8 (sz 66) = out4 in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + let seed0:t_Array u8 (sz 66) = add_error_domain_separator (seed <: t_Slice u8) domain_separator in + let seed1:t_Array u8 (sz 66) = + add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 1us <: u16) + in + let seed2:t_Array u8 (sz 66) = + add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 2us <: u16) + in + let seed3:t_Array u8 (sz 66) = + add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 3us <: u16) + in + let domain_separator:u16 = domain_separator +! 4us in + let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + match cast (gamma1_exponent <: usize) <: u8 with | 17uy -> let out0:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in let out1:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in @@ -830,41 +797,41 @@ let sample_mask_vector let out2:t_Array u8 (sz 576) = tmp2 in let out3:t_Array u8 (sz 576) = tmp3 in let _:Prims.unit = () in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask (sz 0) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - v_GAMMA1_EXPONENT + gamma1_exponent (out0 <: t_Slice u8) (mask.[ sz 0 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask (sz 1) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - v_GAMMA1_EXPONENT + gamma1_exponent (out1 <: t_Slice u8) (mask.[ sz 1 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask (sz 2) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - v_GAMMA1_EXPONENT + gamma1_exponent (out2 <: t_Slice u8) (mask.[ sz 2 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask (sz 3) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - v_GAMMA1_EXPONENT + gamma1_exponent (out3 <: t_Slice u8) (mask.[ sz 3 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: @@ -887,41 +854,41 @@ let sample_mask_vector let out2:t_Array u8 (sz 640) = tmp2 in let out3:t_Array u8 (sz 640) = tmp3 in let _:Prims.unit = () in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask (sz 0) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - v_GAMMA1_EXPONENT + gamma1_exponent (out0 <: t_Slice u8) (mask.[ sz 0 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask (sz 1) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - v_GAMMA1_EXPONENT + gamma1_exponent (out1 <: t_Slice u8) (mask.[ sz 1 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask (sz 2) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - v_GAMMA1_EXPONENT + gamma1_exponent (out2 <: t_Slice u8) (mask.[ sz 2 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask (sz 3) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - v_GAMMA1_EXPONENT + gamma1_exponent (out3 <: t_Slice u8) (mask.[ sz 3 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: @@ -930,84 +897,64 @@ let sample_mask_vector mask | _ -> mask in - let domain_separator, mask, seed:(u16 & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array u8 (sz 66)) = + let domain_separator, mask:(u16 & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = Rust_primitives.Hax.Folds.fold_range (sz 4) - v_DIMENSION + dimension (fun temp_0_ temp_1_ -> - let domain_separator, mask, seed:(u16 & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array u8 (sz 66)) = + let domain_separator, mask:(u16 & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let _:usize = temp_1_ in true) - (domain_separator, mask, seed + (domain_separator, mask <: - (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array u8 (sz 66))) + (u16 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) (fun temp_0_ i -> - let domain_separator, mask, seed:(u16 & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array u8 (sz 66)) = + let domain_separator, mask:(u16 & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let i:usize = i in let seed:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed - (sz 64) - (cast (domain_separator <: u16) <: u8) - in - let seed:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed - (sz 65) - (cast (domain_separator >>! 8l <: u16) <: u8) + add_error_domain_separator (seed <: t_Slice u8) domain_separator in let domain_separator:u16 = domain_separator +! 1us in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = + let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask i (sample_mask_ring_element #v_SIMDUnit #v_Shake256 - v_GAMMA1_EXPONENT seed (mask.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + gamma1_exponent <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - domain_separator, mask, seed + domain_separator, mask <: - (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array u8 (sz 66))) - in - let hax_temp_output:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_DIMENSION = - mask + (u16 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) in - domain_separator, hax_temp_output + let hax_temp_output:Prims.unit = () <: Prims.unit in + domain_separator, mask <: - (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (u16 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) -let sample_up_to_four_ring_elements +let sample_up_to_four_ring_elements_flat (#v_SIMDUnit #v_Shake128: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) - (seed0: t_Array u8 (sz 34)) - (matrix: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840)) (tmp_stack: t_Slice (t_Array i32 (sz 263))) - (indices: t_Array (u8 & u8) (sz 4)) - (elements_requested: usize) + (start_index elements_requested: usize) = let _:Prims.unit = if true @@ -1015,52 +962,21 @@ let sample_up_to_four_ring_elements let _:Prims.unit = Hax_lib.v_assert (elements_requested <=. sz 4 <: bool) in () in - let domain_separator0:u16 = generate_domain_separator (indices.[ sz 0 ] <: (u8 & u8)) in - let domain_separator1:u16 = generate_domain_separator (indices.[ sz 1 ] <: (u8 & u8)) in - let domain_separator2:u16 = generate_domain_separator (indices.[ sz 2 ] <: (u8 & u8)) in - let domain_separator3:u16 = generate_domain_separator (indices.[ sz 3 ] <: (u8 & u8)) in - let seed0:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 - (sz 32) - (cast (domain_separator0 <: u16) <: u8) - in let seed0:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 - (sz 33) - (cast (domain_separator0 >>! 8l <: u16) <: u8) + add_domain_separator seed + (sample_up_to_four_ring_elements_flat__xy start_index columns <: (u8 & u8)) in - let seed1:t_Array u8 (sz 34) = seed0 in let seed1:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 - (sz 32) - (cast (domain_separator1 <: u16) <: u8) + add_domain_separator seed + (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 1 <: usize) columns <: (u8 & u8)) in - let seed1:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 - (sz 33) - (cast (domain_separator1 >>! 8l <: u16) <: u8) - in - let seed2:t_Array u8 (sz 34) = seed0 in let seed2:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 - (sz 32) - (cast (domain_separator2 <: u16) <: u8) + add_domain_separator seed + (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 2 <: usize) columns <: (u8 & u8)) in - let seed2:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 - (sz 33) - (cast (domain_separator2 >>! 8l <: u16) <: u8) - in - let seed3:t_Array u8 (sz 34) = seed0 in let seed3:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 - (sz 32) - (cast (domain_separator3 <: u16) <: u8) - in - let seed3:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 - (sz 33) - (cast (domain_separator3 >>! 8l <: u16) <: u8) + add_domain_separator seed + (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 3 <: usize) columns <: (u8 & u8)) in let state:v_Shake128 = Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #v_Shake128 @@ -1262,50 +1178,37 @@ let sample_up_to_four_ring_elements (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 & t_Slice (t_Array i32 (sz 263)))) in - let matrix:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = + let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Folds.fold_range (sz 0) elements_requested (fun matrix temp_1_ -> - let matrix:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = + let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = matrix in let _:usize = temp_1_ in true) matrix (fun matrix k -> - let matrix:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = + let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = matrix in let k:usize = k in - let i, j:(u8 & u8) = indices.[ k ] in - let matrix:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - update_matrix #v_SIMDUnit - v_ROWS_IN_A - v_COLUMNS_IN_A - matrix - (cast (i <: u8) <: usize) - (cast (j <: u8) <: usize) - (Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit - (tmp_stack.[ k ] <: t_Slice i32) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in - matrix) + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize matrix + (start_index +! k <: usize) + (Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit + (tmp_stack.[ k ] <: t_Slice i32) + (matrix.[ start_index +! k <: usize ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) in let hax_temp_output:Prims.unit = () <: Prims.unit in matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, tmp_stack <: - (t_Array (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti index 5e6082b9b..b10105ece 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti @@ -13,23 +13,21 @@ let _ = val generate_domain_separator: (u8 & u8) -> Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True) -val update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16) - : Prims.Pure (u16 & t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True) +val sample_up_to_four_ring_elements_flat__xy (index width: usize) + : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -val update_matrix - (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (m: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) - (i j: usize) - (v: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure - (t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) +val add_domain_separator (slice: t_Slice u8) (indices: (u8 & u8)) + : Prims.Pure (t_Array u8 (sz 34)) Prims.l_True (fun _ -> Prims.l_True) + +val add_error_domain_separator (slice: t_Slice u8) (domain_separator: u16) + : Prims.Pure (t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True) + +val inside_out_shuffle + (randomness: t_Slice u8) + (out_index: usize) + (signs: u64) + (result: t_Array i32 (sz 256)) + : Prims.Pure (usize & u64 & t_Array i32 (sz 256) & bool) Prims.l_True (fun _ -> Prims.l_True) val rejection_sample_less_than_eta_equals_2_ (#v_SIMDUnit: Type0) @@ -49,8 +47,8 @@ val rejection_sample_less_than_eta_equals_4_ val rejection_sample_less_than_eta (#v_SIMDUnit: Type0) - (v_ETA: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (eta: Libcrux_ml_dsa.Constants.t_Eta) (randomness: t_Slice u8) (sampled: usize) (out: t_Array i32 (sz 263)) @@ -64,59 +62,50 @@ val rejection_sample_less_than_field_modulus (out: t_Array i32 (sz 263)) : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) -val inside_out_shuffle - (randomness: t_Slice u8) - (out_index: usize) - (signs: u64) - (result: t_Array i32 (sz 256)) - : Prims.Pure (usize & u64 & t_Array i32 (sz 256) & bool) Prims.l_True (fun _ -> Prims.l_True) - val sample_challenge_ring_element (#v_SIMDUnit #v_Shake256: Type0) - (v_NUMBER_OF_ONES v_SEED_SIZE: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - (seed: t_Array u8 v_SEED_SIZE) + (seed: t_Slice u8) + (number_of_ones: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) val sample_four_error_ring_elements (#v_SIMDUnit #v_Shake256: Type0) - (v_ETA: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256 |} - (seed_base: t_Array u8 (sz 66)) - (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) - : Prims.Pure - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (seed: t_Slice u8) + (start_index: u16) + (re: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) val sample_mask_ring_element (#v_SIMDUnit #v_Shake256: Type0) - (v_GAMMA1_EXPONENT: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} (seed: t_Array u8 (sz 66)) (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (gamma1_exponent: usize) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) val sample_mask_vector (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0) - (v_DIMENSION v_GAMMA1_EXPONENT: usize) {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i4: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (seed: t_Array u8 (sz 66)) + (dimension gamma1_exponent: usize) + (seed: t_Array u8 (sz 64)) (domain_separator: u16) - : Prims.Pure - (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (mask: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (u16 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) @@ -127,25 +116,18 @@ val sample_mask_vector /// `tmp_stack[i]`, the ring element is written to `matrix` at the /// provided index in `indices[i]`. /// `rand_stack` is a working buffer that holds initial Shake output. -val sample_up_to_four_ring_elements +val sample_up_to_four_ring_elements_flat (#v_SIMDUnit #v_Shake128: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} - (seed0: t_Array u8 (sz 34)) - (matrix: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840)) (tmp_stack: t_Slice (t_Array i32 (sz 263))) - (indices: t_Array (u8 & u8) (sz 4)) - (elements_requested: usize) + (start_index elements_requested: usize) : Prims.Pure - (t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fst index 96cf97528..e37581122 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fst @@ -11,82 +11,69 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let matrix_A_avx2 +let matrix_flat__inner (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (seed: t_Array u8 (sz 34)) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - match - (cast (v_ROWS_IN_A <: usize) <: u8), (cast (v_COLUMNS_IN_A <: usize) <: u8) <: (u8 & u8) - with - | 4uy, 4uy -> - Libcrux_ml_dsa.Samplex4.matrix_A_4_by_4_ #v_SIMDUnit + let hax_temp_output, matrix:(Prims.unit & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = + (), + Libcrux_ml_dsa.Samplex4.matrix_flat #v_SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - v_ROWS_IN_A - v_COLUMNS_IN_A + columns seed - | 6uy, 5uy -> - Libcrux_ml_dsa.Samplex4.matrix_A_6_by_5_ #v_SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - v_ROWS_IN_A - v_COLUMNS_IN_A - seed - | 8uy, 7uy -> - Libcrux_ml_dsa.Samplex4.matrix_A_8_by_7_ #v_SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - v_ROWS_IN_A - v_COLUMNS_IN_A - seed - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) + matrix + <: + (Prims.unit & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + matrix [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_dsa.Samplex4.t_X4Sampler t_AVX2Sampler = { - f_matrix_A_pre + f_matrix_flat_pre = (fun (#v_SIMDUnit: Type0) - (v_ROWS_IN_A: usize) - (v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (seed: t_Array u8 (sz 34)) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) -> true); - f_matrix_A_post + f_matrix_flat_post = (fun (#v_SIMDUnit: Type0) - (v_ROWS_IN_A: usize) - (v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (seed: t_Array u8 (sz 34)) - (out: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (out: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) -> true); - f_matrix_A + f_matrix_flat = fun (#v_SIMDUnit: Type0) - (v_ROWS_IN_A: usize) - (v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (seed: t_Array u8 (sz 34)) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) -> - matrix_A_avx2 #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A seed + let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + matrix_flat__inner #v_SIMDUnit columns seed matrix + in + matrix } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fsti index 618fe2e20..d13a7340b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Avx2.fsti @@ -13,15 +13,15 @@ let _ = type t_AVX2Sampler = | AVX2Sampler : t_AVX2Sampler -val matrix_A_avx2 +val matrix_flat__inner (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (seed: t_Array u8 (sz 34)) - : Prims.Pure - (t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Prims.l_True + (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] val impl:Libcrux_ml_dsa.Samplex4.t_X4Sampler t_AVX2Sampler diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fst index 9d975149f..d90d272f9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Neon.fst @@ -14,48 +14,52 @@ let _ = [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_dsa.Samplex4.t_X4Sampler t_NeonSampler = { - f_matrix_A_pre + f_matrix_flat_pre = (fun (#v_SIMDUnit: Type0) - (v_ROWS_IN_A: usize) - (v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (seed: t_Array u8 (sz 34)) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) -> true); - f_matrix_A_post + f_matrix_flat_post = (fun (#v_SIMDUnit: Type0) - (v_ROWS_IN_A: usize) - (v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (seed: t_Array u8 (sz 34)) - (out: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (out: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) -> true); - f_matrix_A + f_matrix_flat = fun (#v_SIMDUnit: Type0) - (v_ROWS_IN_A: usize) - (v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (seed: t_Array u8 (sz 34)) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) -> - Libcrux_ml_dsa.Samplex4.matrix_A_generic #v_SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - v_ROWS_IN_A - v_COLUMNS_IN_A - seed + let hax_temp_output, matrix:(Prims.unit & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = + (), + Libcrux_ml_dsa.Samplex4.matrix_flat #v_SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + columns + seed + matrix + <: + (Prims.unit & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + matrix } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fst index 47473f479..ae973a8f9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.Portable.fst @@ -14,48 +14,52 @@ let _ = [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_dsa.Samplex4.t_X4Sampler t_PortableSampler = { - f_matrix_A_pre + f_matrix_flat_pre = (fun (#v_SIMDUnit: Type0) - (v_ROWS_IN_A: usize) - (v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (seed: t_Array u8 (sz 34)) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) -> true); - f_matrix_A_post + f_matrix_flat_post = (fun (#v_SIMDUnit: Type0) - (v_ROWS_IN_A: usize) - (v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (seed: t_Array u8 (sz 34)) - (out: - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (out: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) -> true); - f_matrix_A + f_matrix_flat = fun (#v_SIMDUnit: Type0) - (v_ROWS_IN_A: usize) - (v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (seed: t_Array u8 (sz 34)) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) -> - Libcrux_ml_dsa.Samplex4.matrix_A_generic #v_SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - v_ROWS_IN_A - v_COLUMNS_IN_A - seed + let hax_temp_output, matrix:(Prims.unit & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = + (), + Libcrux_ml_dsa.Samplex4.matrix_flat #v_SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + columns + seed + matrix + <: + (Prims.unit & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + matrix } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst index e4e0c4571..01461283e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst @@ -11,201 +11,18 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let matrix_A_4_by_4_ +let matrix_flat (#v_SIMDUnit #v_Shake128: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) - (seed: t_Array u8 (sz 34)) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - let - (v_A: - t_Array (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A):t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit - () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A - in - let rand_stack0:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in - let rand_stack1:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in - let rand_stack2:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in - let rand_stack3:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = - let list = - [ - Rust_primitives.Hax.repeat 0l (sz 263); - Rust_primitives.Hax.repeat 0l (sz 263); - Rust_primitives.Hax.repeat 0l (sz 263); - Rust_primitives.Hax.repeat 0l (sz 263) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list - in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 0uy, 0uy <: (u8 & u8); - 0uy, 1uy <: (u8 & u8); - 0uy, 2uy <: (u8 & u8); - 0uy, 3uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 1uy, 0uy <: (u8 & u8); - 1uy, 1uy <: (u8 & u8); - 1uy, 2uy <: (u8 & u8); - 1uy, 3uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 2uy, 0uy <: (u8 & u8); - 2uy, 1uy <: (u8 & u8); - 2uy, 2uy <: (u8 & u8); - 2uy, 3uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 3uy, 0uy <: (u8 & u8); - 3uy, 1uy <: (u8 & u8); - 3uy, 2uy <: (u8 & u8); - 3uy, 3uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - v_A - -let matrix_A_6_by_5_ - (#v_SIMDUnit #v_Shake128: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) - (seed: t_Array u8 (sz 34)) - = - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit - () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A - in let rand_stack0:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in let rand_stack1:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in let rand_stack2:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in @@ -222,1101 +39,154 @@ let matrix_A_6_by_5_ FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); Rust_primitives.Hax.array_of_list 4 list in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 0uy, 0uy <: (u8 & u8); - 0uy, 1uy <: (u8 & u8); - 0uy, 2uy <: (u8 & u8); - 0uy, 3uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 0uy, 4uy <: (u8 & u8); - 1uy, 0uy <: (u8 & u8); - 1uy, 1uy <: (u8 & u8); - 1uy, 2uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 1uy, 3uy <: (u8 & u8); - 1uy, 4uy <: (u8 & u8); - 2uy, 0uy <: (u8 & u8); - 2uy, 1uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 2uy, 2uy <: (u8 & u8); - 2uy, 3uy <: (u8 & u8); - 2uy, 4uy <: (u8 & u8); - 3uy, 0uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 3uy, 1uy <: (u8 & u8); - 3uy, 2uy <: (u8 & u8); - 3uy, 3uy <: (u8 & u8); - 3uy, 4uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 4uy, 0uy <: (u8 & u8); - 4uy, 1uy <: (u8 & u8); - 4uy, 2uy <: (u8 & u8); - 4uy, 3uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 4uy, 4uy <: (u8 & u8); - 5uy, 0uy <: (u8 & u8); - 5uy, 1uy <: (u8 & u8); - 5uy, 2uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 5uy, 3uy <: (u8 & u8); - 5uy, 4uy <: (u8 & u8); - 5uy, 5uy <: (u8 & u8); - 5uy, 6uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 2) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - v_A - -let matrix_A_8_by_7_ - (#v_SIMDUnit #v_Shake128: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) - (seed: t_Array u8 (sz 34)) - = - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit - () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A - in - let rand_stack0:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in - let rand_stack1:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in - let rand_stack2:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in - let rand_stack3:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = - let list = - [ - Rust_primitives.Hax.repeat 0l (sz 263); - Rust_primitives.Hax.repeat 0l (sz 263); - Rust_primitives.Hax.repeat 0l (sz 263); - Rust_primitives.Hax.repeat 0l (sz 263) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list - in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 0uy, 0uy <: (u8 & u8); - 0uy, 1uy <: (u8 & u8); - 0uy, 2uy <: (u8 & u8); - 0uy, 3uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 0uy, 4uy <: (u8 & u8); - 0uy, 5uy <: (u8 & u8); - 0uy, 6uy <: (u8 & u8); - 1uy, 0uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 1uy, 1uy <: (u8 & u8); - 1uy, 2uy <: (u8 & u8); - 1uy, 3uy <: (u8 & u8); - 1uy, 4uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 1uy, 5uy <: (u8 & u8); - 1uy, 6uy <: (u8 & u8); - 2uy, 0uy <: (u8 & u8); - 2uy, 1uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 2uy, 2uy <: (u8 & u8); - 2uy, 3uy <: (u8 & u8); - 2uy, 4uy <: (u8 & u8); - 2uy, 5uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 2uy, 6uy <: (u8 & u8); - 3uy, 0uy <: (u8 & u8); - 3uy, 1uy <: (u8 & u8); - 3uy, 2uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 3uy, 3uy <: (u8 & u8); - 3uy, 4uy <: (u8 & u8); - 3uy, 5uy <: (u8 & u8); - 3uy, 6uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 4uy, 0uy <: (u8 & u8); - 4uy, 1uy <: (u8 & u8); - 4uy, 2uy <: (u8 & u8); - 4uy, 3uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 4uy, 4uy <: (u8 & u8); - 4uy, 5uy <: (u8 & u8); - 4uy, 6uy <: (u8 & u8); - 5uy, 0uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 5uy, 1uy <: (u8 & u8); - 5uy, 2uy <: (u8 & u8); - 5uy, 3uy <: (u8 & u8); - 5uy, 4uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & + let matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, tmp_stack:(t_Slice + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 5uy, 5uy <: (u8 & u8); - 5uy, 6uy <: (u8 & u8); - 6uy, 0uy <: (u8 & u8); - 6uy, 1uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 6uy, 2uy <: (u8 & u8); - 6uy, 3uy <: (u8 & u8); - 6uy, 4uy <: (u8 & u8); - 6uy, 5uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 6uy, 6uy <: (u8 & u8); - 7uy, 0uy <: (u8 & u8); - 7uy, 1uy <: (u8 & u8); - 7uy, 2uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array (t_Array i32 (sz 263)) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements #v_SIMDUnit #v_Shake128 v_ROWS_IN_A - v_COLUMNS_IN_A seed v_A rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack - (let list = - [ - 7uy, 3uy <: (u8 & u8); - 7uy, 4uy <: (u8 & u8); - 7uy, 5uy <: (u8 & u8); - 7uy, 6uy <: (u8 & u8) - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 4); - Rust_primitives.Hax.array_of_list 4 list) (sz 4) - in - let v_A:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - tmp0 - in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in - let _:Prims.unit = () in - v_A - -let matrix_A_generic - (#v_SIMDUnit #v_Shake128: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) - (seed: t_Array u8 (sz 34)) - = - match - (cast (v_ROWS_IN_A <: usize) <: u8), (cast (v_COLUMNS_IN_A <: usize) <: u8) <: (u8 & u8) - with - | 4uy, 4uy -> matrix_A_4_by_4_ #v_SIMDUnit #v_Shake128 v_ROWS_IN_A v_COLUMNS_IN_A seed - | 6uy, 5uy -> matrix_A_6_by_5_ #v_SIMDUnit #v_Shake128 v_ROWS_IN_A v_COLUMNS_IN_A seed - | 8uy, 7uy -> matrix_A_8_by_7_ #v_SIMDUnit #v_Shake128 v_ROWS_IN_A v_COLUMNS_IN_A seed - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - + Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) matrix <: - Rust_primitives.Hax.t_Never) - -let sample_s1_and_s2_4_by_4_ - (#v_SIMDUnit #v_Shake256X4: Type0) - (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (seed_base: t_Array u8 (sz 66)) - = - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_S1_DIMENSION - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + usize) + (sz 4) + (fun temp_0_ temp_1_ -> + let matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, tmp_stack:(t_Slice + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array (t_Array i32 (sz 263)) (sz 4)) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, tmp_stack <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_S2_DIMENSION - in - let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit - #v_Shake256X4 - v_ETA - seed_base - 0us - 1us - 2us - 3us - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 - in - let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit - #v_Shake256X4 - v_ETA - seed_base - 4us - 5us - 6us - 7us - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._1 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._2 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._3 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._4 - in - s1, s2 - <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) - -let sample_s1_and_s2_5_by_6_ - (#v_SIMDUnit #v_Shake256X4: Type0) - (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (seed_base: t_Array u8 (sz 66)) - = - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_S1_DIMENSION - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_S2_DIMENSION - in - let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit - #v_Shake256X4 - v_ETA - seed_base - 0us - 1us - 2us - 3us - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 - in - let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit - #v_Shake256X4 - v_ETA - seed_base - 4us - 5us - 6us - 7us - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 4) four._1 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._2 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._3 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._4 - in - let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit - #v_Shake256X4 - v_ETA - seed_base - 8us - 9us - 10us - 11us - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._1 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 4) four._2 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 5) four._3 - in - s1, s2 - <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) - -let sample_s1_and_s2_7_by_8_ - (#v_SIMDUnit #v_Shake256X4: Type0) - (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (seed_base: t_Array u8 (sz 66)) - = - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_S1_DIMENSION - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_S2_DIMENSION - in - let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit - #v_Shake256X4 - v_ETA - seed_base - 0us - 1us - 2us - 3us - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 - in - let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit - #v_Shake256X4 - v_ETA - seed_base - 4us - 5us - 6us - 7us - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 4) four._1 - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 5) four._2 - in - let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 6) four._3 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._4 - in - let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit - #v_Shake256X4 - v_ETA - seed_base - 8us - 9us - 10us - 11us - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._1 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._2 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._3 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 4) four._4 - in - let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit - #v_Shake256X4 - v_ETA - seed_base - 12us - 13us - 14us - 15us - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 5) four._1 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 6) four._2 - in - let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 7) four._3 - in - s1, s2 - <: - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array (t_Array i32 (sz 263)) (sz 4))) + (fun temp_0_ start_index -> + let matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, tmp_stack:(t_Slice + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array (t_Array i32 (sz 263)) (sz 4)) = + temp_0_ + in + let start_index:usize = start_index in + let elements_requested:usize = + if + (start_index +! sz 4 <: usize) <=. + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + matrix + <: + usize) + then sz 4 + else + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + matrix + <: + usize) -! + start_index + in + let tmp0, tmp1, tmp2, tmp3, tmp4, tmp5:(t_Slice + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array (t_Array i32 (sz 263)) (sz 4)) = + Libcrux_ml_dsa.Sample.sample_up_to_four_ring_elements_flat #v_SIMDUnit #v_Shake128 + columns seed matrix rand_stack0 rand_stack1 rand_stack2 rand_stack3 tmp_stack + start_index elements_requested + in + let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + tmp0 + in + let rand_stack0:t_Array u8 (sz 840) = tmp1 in + let rand_stack1:t_Array u8 (sz 840) = tmp2 in + let rand_stack2:t_Array u8 (sz 840) = tmp3 in + let rand_stack3:t_Array u8 (sz 840) = tmp4 in + let tmp_stack:t_Array (t_Array i32 (sz 263)) (sz 4) = tmp5 in + let _:Prims.unit = () in + matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, tmp_stack + <: + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array (t_Array i32 (sz 263)) (sz 4))) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + matrix let sample_s1_and_s2 (#v_SIMDUnit #v_Shake256X4: Type0) - (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (seed: t_Array u8 (sz 66)) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (seed: t_Slice u8) + (s1_s2: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - match - (cast (v_S1_DIMENSION <: usize) <: u8), (cast (v_S2_DIMENSION <: usize) <: u8) <: (u8 & u8) - with - | 4uy, 4uy -> - sample_s1_and_s2_4_by_4_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed - | 5uy, 6uy -> - sample_s1_and_s2_5_by_6_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed - | 7uy, 8uy -> - sample_s1_and_s2_7_by_8_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) + let len:usize = + Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) s1_s2 + in + let s1_s2:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (len /! sz 4 <: usize) + (fun s1_s2 temp_1_ -> + let s1_s2:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + s1_s2 + in + let _:usize = temp_1_ in + true) + s1_s2 + (fun s1_s2 i -> + let s1_s2:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + s1_s2 + in + let i:usize = i in + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + eta + seed + (4us *! (cast (i <: usize) <: u16) <: u16) + s1_s2 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let remainder:usize = len %! sz 4 in + let s1_s2, hax_temp_output:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + Prims.unit) = + if remainder <>. sz 0 + then + let s1_s2:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + eta + seed + (cast (len -! remainder <: usize) <: u16) + s1_s2 + in + s1_s2, () + <: + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & Prims.unit) + else + s1_s2, () + <: + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & Prims.unit) + in + s1_s2 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti index 13aa21421..1d5ccc362 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti @@ -13,125 +13,50 @@ let _ = /// The x4 sampling implementation that is selected during multiplexing. class t_X4Sampler (v_Self: Type0) = { - f_matrix_A_pre: + f_matrix_flat_pre: #v_SIMDUnit: Type0 -> - v_ROWS_IN_A: usize -> - v_COLUMNS_IN_A: usize -> {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> - t_Array u8 (sz 34) + usize -> + t_Slice u8 -> + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) -> Type0; - f_matrix_A_post: + f_matrix_flat_post: #v_SIMDUnit: Type0 -> - v_ROWS_IN_A: usize -> - v_COLUMNS_IN_A: usize -> {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> - t_Array u8 (sz 34) -> - t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A + usize -> + t_Slice u8 -> + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) -> + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) -> Type0; - f_matrix_A: + f_matrix_flat: #v_SIMDUnit: Type0 -> - v_ROWS_IN_A: usize -> - v_COLUMNS_IN_A: usize -> {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> - x0: t_Array u8 (sz 34) - -> Prims.Pure - (t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) - (f_matrix_A_pre #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A #i1 x0) - (fun result -> f_matrix_A_post #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A #i1 x0 result) + x0: usize -> + x1: t_Slice u8 -> + x2: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + -> Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (f_matrix_flat_pre #v_SIMDUnit #i1 x0 x1 x2) + (fun result -> f_matrix_flat_post #v_SIMDUnit #i1 x0 x1 x2 result) } -val matrix_A_4_by_4_ +val matrix_flat (#v_SIMDUnit #v_Shake128: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} - (seed: t_Array u8 (sz 34)) - : Prims.Pure - (t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) - -val matrix_A_6_by_5_ - (#v_SIMDUnit #v_Shake128: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} - (seed: t_Array u8 (sz 34)) - : Prims.Pure - (t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) - -val matrix_A_8_by_7_ - (#v_SIMDUnit #v_Shake128: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} - (seed: t_Array u8 (sz 34)) - : Prims.Pure - (t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) - -val matrix_A_generic - (#v_SIMDUnit #v_Shake128: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A: usize) - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} - (seed: t_Array u8 (sz 34)) - : Prims.Pure - (t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) - -val sample_s1_and_s2_4_by_4_ - (#v_SIMDUnit #v_Shake256X4: Type0) - (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (seed_base: t_Array u8 (sz 66)) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) - Prims.l_True - (fun _ -> Prims.l_True) - -val sample_s1_and_s2_5_by_6_ - (#v_SIMDUnit #v_Shake256X4: Type0) - (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (seed_base: t_Array u8 (sz 66)) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) - Prims.l_True - (fun _ -> Prims.l_True) - -val sample_s1_and_s2_7_by_8_ - (#v_SIMDUnit #v_Shake256X4: Type0) - (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (seed_base: t_Array u8 (sz 66)) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) val sample_s1_and_s2 (#v_SIMDUnit #v_Shake256X4: Type0) - (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (seed: t_Array u8 (sz 66)) - : Prims.Pure - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (seed: t_Slice u8) + (s1_s2: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst index 3dd67c65e..ed263e9c6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst @@ -3,10 +3,21 @@ module Libcrux_ml_dsa.Simd.Avx2.Arithmetic open Core open FStar.Mul +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_intrinsics.Avx2_extract in + () + let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 lhs rhs + let hax_temp_output, lhs:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = + (), Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 lhs rhs + <: + (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + lhs -let compute_hint (v_GAMMA2: i32) (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let compute_hint (v_GAMMA2: i32) (low high hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_GAMMA2 in @@ -26,22 +37,24 @@ let compute_hint (v_GAMMA2: i32) (low high: Libcrux_intrinsics.Avx2_extract.t_Ve let low_equals_minus_gamma2_and_high_is_nonzero:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sign_epi32 low_equals_minus_gamma2 high in - let hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let hint:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_or_si256 low_within_bound low_equals_minus_gamma2_and_high_is_nonzero in let hints_mask:i32 = Libcrux_intrinsics.Avx2_extract.mm256_movemask_ps (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_ps - hints + hint <: u8) in - (cast (Core.Num.impl__i32__count_ones hints_mask <: u32) <: usize), - Libcrux_intrinsics.Avx2_extract.mm256_and_si256 hints - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1l <: Libcrux_intrinsics.Avx2_extract.t_Vec256 - ) - <: - (usize & Libcrux_intrinsics.Avx2_extract.t_Vec256) + let hint:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 hint + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let hax_temp_output:usize = cast (Core.Num.impl__i32__count_ones hints_mask <: u32) <: usize in + hint, hax_temp_output <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize) let infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) = let absolute_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = @@ -56,10 +69,15 @@ let infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) let result:i32 = Libcrux_intrinsics.Avx2_extract.mm256_testz_si256 compare_with_bound compare_with_bound in - if result =. 1l then false else true + result <>. 1l let subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs + let hax_temp_output, lhs:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = + (), Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs + <: + (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + lhs let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = @@ -80,7 +98,10 @@ let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2 <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 shifted quotient_times_field_modulus + let simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 shifted quotient_times_field_modulus + in + simd_unit let to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = @@ -92,131 +113,18 @@ let to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 t conditional_add_field_modulus - -let power2round (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let r:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives r in - let r1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((1l < + match gamma2 <: Libcrux_ml_dsa.Constants.t_Gamma2 with + | Libcrux_ml_dsa.Constants.Gamma2_V95_232_ -> let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 11275l @@ -269,7 +176,7 @@ let decompose (v_GAMMA2: i32) (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) = Libcrux_intrinsics.Avx2_extract.mm256_xor_si256 result mask in Libcrux_intrinsics.Avx2_extract.mm256_and_si256 result not_result - | 523776l -> + | Libcrux_ml_dsa.Constants.Gamma2_V261_888_ -> let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1025l @@ -289,15 +196,13 @@ let decompose (v_GAMMA2: i32) (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) = (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) + in + let alpha:i32 = + (cast (Libcrux_ml_dsa.Constants.t_Gamma2_cast_to_repr gamma2 <: isize) <: i32) *! 2l in let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 r1 - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_ALPHA + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 alpha <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in @@ -321,10 +226,47 @@ let decompose (v_GAMMA2: i32) (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) = in r0, r1 <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) -let use_hint (v_GAMMA2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let power2round (r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives r0 in + let r1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r0 + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((1l < - let max:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 43l - in - let r1_plus_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints max r1_plus_hints - in - let greater_than_or_equal_to_max:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 r1_plus_hints max - in - Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints - all_zeros - greater_than_or_equal_to_max - | 261888l -> - Libcrux_intrinsics.Avx2_extract.mm256_and_si256 r1_plus_hints - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l + let (hint, r1_plus_hints), hax_temp_output:((Libcrux_intrinsics.Avx2_extract.t_Vec256 & + Libcrux_intrinsics.Avx2_extract.t_Vec256) & + Prims.unit) = + match gamma2 <: Libcrux_ml_dsa.Constants.t_Gamma2 with + | Libcrux_ml_dsa.Constants.Gamma2_V95_232_ -> + let max:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 43l + in + let r1_plus_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints max r1_plus_hints + in + let greater_than_or_equal_to_max:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 r1_plus_hints max + in + let hint:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints + all_zeros + greater_than_or_equal_to_max + in + (hint, r1_plus_hints + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)), + () + <: + ((Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) & + Prims.unit) + | Libcrux_ml_dsa.Constants.Gamma2_V261_888_ -> + let hint:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 r1_plus_hints + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + (hint, r1_plus_hints + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)), + () + <: + ((Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) & + Prims.unit) + in + hint + +let montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + in + let inverse_of_modulus_mod_montgomery_r:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + <: + u64) + <: + i32) + in + let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs + in + let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + lhs + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + in + let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus + in + let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus + in + let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 + in + let res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 + in + let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 + in + let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 + in + lhs +let montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32) = + let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 constant + in + let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + in + let inverse_of_modulus_mod_montgomery_r:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + <: + u64) <: - Rust_primitives.Hax.t_Never) + i32) + in + let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs + in + let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + lhs + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus + in + let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus + in + let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 + in + let res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 + in + let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 + in + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti index a8ec4e3d7..368816f48 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti @@ -3,11 +3,17 @@ module Libcrux_ml_dsa.Simd.Avx2.Arithmetic open Core open FStar.Mul +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_intrinsics.Avx2_extract in + () + val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val compute_hint (v_GAMMA2: i32) (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (usize & Libcrux_intrinsics.Avx2_extract.t_Vec256) +val compute_hint (v_GAMMA2: i32) (low high hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize) Prims.l_True (fun _ -> Prims.l_True) @@ -23,23 +29,27 @@ val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2 val to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val power2round (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val decompose + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (r r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val decompose (v_GAMMA2: i32) (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val power2round (r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) Prims.l_True (fun _ -> Prims.l_True) -val use_hint (v_GAMMA2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val use_hint + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst index 4aa6023ae..b42de31f4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst @@ -69,25 +69,25 @@ let deserialize_to_unsigned_when_eta_is_4_ (bytes: t_Slice u8) = <: Libcrux_intrinsics.Avx2_extract.t_Vec256) -let deserialize_to_unsigned (v_ETA: usize) (serialized: t_Slice u8) = - match cast (v_ETA <: usize) <: u8 with - | 2uy -> deserialize_to_unsigned_when_eta_is_2_ serialized - | 4uy -> deserialize_to_unsigned_when_eta_is_4_ serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +let deserialize_to_unsigned (eta: Libcrux_ml_dsa.Constants.t_Eta) (serialized: t_Slice u8) = + match eta <: Libcrux_ml_dsa.Constants.t_Eta with + | Libcrux_ml_dsa.Constants.Eta_Two -> deserialize_to_unsigned_when_eta_is_2_ serialized + | Libcrux_ml_dsa.Constants.Eta_Four -> deserialize_to_unsigned_when_eta_is_4_ serialized +let deserialize + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + = + let unsigned:Libcrux_intrinsics.Avx2_extract.t_Vec256 = deserialize_to_unsigned eta serialized in + let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + (cast (Libcrux_ml_dsa.Constants.t_Eta_cast_to_repr eta <: isize) <: i32) <: - Rust_primitives.Hax.t_Never) - -let deserialize (v_ETA: usize) (serialized: t_Slice u8) = - let deserialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - deserialize_to_unsigned v_ETA serialized + Libcrux_intrinsics.Avx2_extract.t_Vec256) + unsigned in - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ( - cast (v_ETA <: usize) <: i32) - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - deserialized + out let serialize_when_eta_is_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) = let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in @@ -234,21 +234,15 @@ let serialize_when_eta_is_4_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec25 out let serialize - (v_ETA: usize) + (eta: Libcrux_ml_dsa.Constants.t_Eta) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (serialized: t_Slice u8) = let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = - match cast (v_ETA <: usize) <: u8 with - | 2uy -> serialize_when_eta_is_2_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) - | 4uy -> serialize_when_eta_is_4_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) - | _ -> - serialized, - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - <: - (t_Slice u8 & Prims.unit) + match eta <: Libcrux_ml_dsa.Constants.t_Eta with + | Libcrux_ml_dsa.Constants.Eta_Two -> + serialize_when_eta_is_2_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) + | Libcrux_ml_dsa.Constants.Eta_Four -> + serialize_when_eta_is_4_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) in serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti index 9513a3f02..b88141b5b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti @@ -17,10 +17,13 @@ val deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8) val deserialize_to_unsigned_when_eta_is_4_ (bytes: t_Slice u8) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_to_unsigned (v_ETA: usize) (serialized: t_Slice u8) +val deserialize_to_unsigned (eta: Libcrux_ml_dsa.Constants.t_Eta) (serialized: t_Slice u8) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val deserialize (v_ETA: usize) (serialized: t_Slice u8) +val deserialize + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val serialize_when_eta_is_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) @@ -30,7 +33,7 @@ val serialize_when_eta_is_4_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec25 : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val serialize - (v_ETA: usize) + (eta: Libcrux_ml_dsa.Constants.t_Eta) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst index 03445e6a8..0d58dcd4a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst @@ -3,7 +3,10 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1 open Core open FStar.Mul -let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = +let deserialize_when_gamma1_is_2_pow_17_ + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + = let _:Prims.unit = if true then @@ -55,13 +58,19 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1 - - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - coefficients + let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + deserialize_when_gamma1_is_2_pow_17___GAMMA1 + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + coefficients + in + out -let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = +let deserialize_when_gamma1_is_2_pow_19_ + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + = let _:Prims.unit = if true then @@ -113,21 +122,43 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1 + let hax_temp_output, out:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = + (), + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + deserialize_when_gamma1_is_2_pow_19___GAMMA1 + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + coefficients + <: + (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + out +let deserialize + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (gamma1_exponent: usize) + = + let out, hax_temp_output:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Prims.unit) = + match cast (gamma1_exponent <: usize) <: u8 with + | 17uy -> + deserialize_when_gamma1_is_2_pow_17_ serialized out, () <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - coefficients - -let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) = - match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with - | 17uy -> deserialize_when_gamma1_is_2_pow_17_ serialized - | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Prims.unit) + | 19uy -> + deserialize_when_gamma1_is_2_pow_19_ serialized out, () + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Prims.unit) + | _ -> + out, + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - <: - Rust_primitives.Hax.t_Never) + <: + Rust_primitives.Hax.t_Never) + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Prims.unit) + in + out let serialize_when_gamma1_is_2_pow_17_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) @@ -300,12 +331,12 @@ let serialize_when_gamma1_is_2_pow_19_ out let serialize - (v_GAMMA1_EXPONENT: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (serialized: t_Slice u8) + (gamma1_exponent: usize) = let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = - match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + match cast (gamma1_exponent <: usize) <: u8 with | 17uy -> serialize_when_gamma1_is_2_pow_17_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) | 19uy -> diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti index 052cac8ee..2eef37a40 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti @@ -17,13 +17,20 @@ let serialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) -val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) +val deserialize_when_gamma1_is_2_pow_19_ + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) +val deserialize + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (gamma1_exponent: usize) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val serialize_when_gamma1_is_2_pow_17_ @@ -37,7 +44,7 @@ val serialize_when_gamma1_is_2_pow_19_ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val serialize - (v_GAMMA1_EXPONENT: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (serialized: t_Slice u8) + (gamma1_exponent: usize) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst index cf9feff51..b95c1b986 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst @@ -12,7 +12,7 @@ let change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = in Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 interval_end simd_unit -let deserialize (serialized: t_Slice u8) = +let deserialize (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let _:Prims.unit = if true then @@ -64,9 +64,10 @@ let deserialize (serialized: t_Slice u8) = <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - change_interval coefficients + let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = change_interval coefficients in + out -let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) = let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in let simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 = change_interval simd_unit in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = @@ -114,15 +115,16 @@ let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialized:t_Array u8 (sz 16) = Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized bits_sequential in - Core.Result.impl__unwrap #(t_Array u8 (sz 13)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 13)) - #FStar.Tactics.Typeclasses.solve - (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } - <: - Core.Ops.Range.t_Range usize ] + let hax_temp_output, out:(Prims.unit & t_Slice u8) = + (), + Core.Slice.impl__copy_from_slice #u8 + out + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } <: - t_Slice u8) - <: - Core.Result.t_Result (t_Array u8 (sz 13)) Core.Array.t_TryFromSliceError) + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + (Prims.unit & t_Slice u8) + in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti index 6ecaf9832..bc8592ab5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti @@ -8,8 +8,8 @@ val change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) -val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 13)) Prims.l_True (fun _ -> Prims.l_True) +val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst index 5c03793af..71cf87a0d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst @@ -3,7 +3,15 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.T1 open Core open FStar.Mul -let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 out <: usize) =. sz 10 <: bool) + in + () + in let serialized:t_Array u8 (sz 24) = Rust_primitives.Hax.repeat 0uy (sz 24) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit @@ -69,20 +77,18 @@ let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: t_Slice u8) in - Core.Result.impl__unwrap #(t_Array u8 (sz 10)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 10)) - #FStar.Tactics.Typeclasses.solve - (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } - <: - Core.Ops.Range.t_Range usize ] + let out:t_Slice u8 = + Core.Slice.impl__copy_from_slice #u8 + out + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } <: - t_Slice u8) - <: - Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError) + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + out -let deserialize (bytes: t_Slice u8) = +let deserialize (bytes: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let _:Prims.unit = if true then @@ -128,7 +134,10 @@ let deserialize (bytes: t_Slice u8) = <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti index 53c46df38..e47831a31 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti @@ -5,8 +5,8 @@ open FStar.Mul let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) +val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val deserialize (bytes: t_Slice u8) +val deserialize (bytes: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst index dc0b422fd..da803f26d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst @@ -19,12 +19,14 @@ let simd_unit_invert_ntt_at_layer_0_ let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a_shuffled b_shuffled in - let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values - in + let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = hi_values in let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract hi_values lo_values + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract differences lo_values in + let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values + in + let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = lo_values in let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta13 zeta12 @@ -35,14 +37,14 @@ let simd_unit_invert_ntt_at_layer_0_ zeta01 zeta00 in - let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas in let a_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums products + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums differences in let b_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums products + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums differences in let a:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_shuffled @@ -149,12 +151,14 @@ let simd_unit_invert_ntt_at_layer_1_ let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 simd_unit0 simd_unit1 in - let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values - in + let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = hi_values in let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract hi_values lo_values + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract differences lo_values + in + let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values in + let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = lo_values in let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta11 zeta11 @@ -165,14 +169,14 @@ let simd_unit_invert_ntt_at_layer_1_ zeta00 zeta00 in - let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas in let a:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums products + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums differences in let b:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums products + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums differences in a, b <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) @@ -260,23 +264,25 @@ let simd_unit_invert_ntt_at_layer_2_ let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l simd_unit0 simd_unit1 in - let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values - in + let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = hi_values in let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract hi_values lo_values + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract differences lo_values + in + let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values in + let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = lo_values in let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0 in - let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas in let a:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l sums products + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l sums differences in let b:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l sums products + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l sums differences in a, b <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) @@ -369,7 +375,7 @@ let outer_3_plus let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in let j:usize = j in let a_minus_b:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j +! v_STEP_BY <: usize ] + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (re.[ j +! v_STEP_BY <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) (re.[ j ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) @@ -377,7 +383,7 @@ let outer_3_plus let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] + (Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 (re.[ j ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) (re.[ j +! v_STEP_BY <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) @@ -504,7 +510,7 @@ let invert_ntt_at_layer_7_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 in re -let invert_ntt_montgomery (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = +let invert_ntt_montgomery__inv_inner (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_0_ re in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_1_ re in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_2_ re in @@ -513,7 +519,6 @@ let invert_ntt_montgomery (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_5_ re in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_6_ re in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_7_ re in - let _:Prims.unit = () in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 @@ -533,10 +538,17 @@ let invert_ntt_montgomery (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant (re.[ i ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - 41978l + invert_ntt_montgomery__inv_inner__FACTOR <: Libcrux_intrinsics.Avx2_extract.t_Vec256) <: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) in + let hax_temp_output:Prims.unit = () <: Prims.unit in + re + +let invert_ntt_montgomery (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + invert_ntt_montgomery__inv_inner re + in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti index 23e4bca7c..cd43cba2e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti @@ -23,6 +23,8 @@ let invert_ntt_at_layer_7___STEP: usize = sz 128 let invert_ntt_at_layer_7___STEP_BY: usize = sz 16 +let invert_ntt_montgomery__inv_inner__FACTOR: i32 = 41978l + let simd_unit_invert_ntt_at_layer_0___SHUFFLE: i32 = 216l val simd_unit_invert_ntt_at_layer_0_ @@ -121,6 +123,11 @@ val invert_ntt_at_layer_7_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val invert_ntt_montgomery__inv_inner (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + val invert_ntt_montgomery (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) Prims.l_True diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst index d8d17ec4c..0e6894cda 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst @@ -53,7 +53,12 @@ let ntt_at_layer_7_and_6___mul let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! step_by <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ index ] + (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (index +! step_by <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ index +! step_by <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) t @@ -73,20 +78,23 @@ let ntt_at_layer_7_and_6___mul re let butterfly_2_ - (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (index: usize) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) = - let a_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a + let a:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l + (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - let b_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b + let b:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l + (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a_shuffled b_shuffled + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a b in - let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a_shuffled b_shuffled + let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a b in let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b3 @@ -99,13 +107,13 @@ let butterfly_2_ zeta_a0 in let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas - in - let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_products zetas in let sub_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 summands zeta_products + in + let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 summands zeta_products in let a_terms_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms @@ -113,25 +121,38 @@ let butterfly_2_ let b_terms_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms in - let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_terms_shuffled + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + index + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_terms_shuffled + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) in - let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_terms_shuffled + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (index +! sz 1 <: usize) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_terms_shuffled + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) in - a_out, b_out - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + re let butterfly_4_ - (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (index: usize) (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) = let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a b + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 (re.[ index ] + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a b + let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 (re.[ index ] + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b1 @@ -144,289 +165,250 @@ let butterfly_4_ zeta_a0 in let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas - in - let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_products zetas in let sub_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 summands zeta_products in - let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms + let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 summands zeta_products in - let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + index + (Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) in - a_out, b_out - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (index +! sz 1 <: usize) + (Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + re -let butterfly_8_ (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) = +let butterfly_8_ + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (index: usize) + (zeta0 zeta1: i32) + = let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 - b + (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) <: Libcrux_intrinsics.Avx2_extract.t_Vec128) - (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 a + (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 (re.[ index ] + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) <: Libcrux_intrinsics.Avx2_extract.t_Vec128) in - let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l b a + let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l + (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0 in let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas - in - let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_products zetas in let sub_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 summands zeta_products in - let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 - sub_terms - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 add_terms - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l sub_terms add_terms - in - a_out, b_out - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - -let ntt_at_layer_0___round - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - (index: usize) - (zeta_0_ zeta_1_ zeta_2_ zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_: i32) - = - let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) = - butterfly_2_ (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) zeta_0_ zeta_1_ - zeta_2_ zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_ + let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 summands zeta_products in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + index + (Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 + sub_terms + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 add_terms + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (index +! sz 1 <: usize) + (Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l sub_terms add_terms + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) in re let ntt_at_layer_0_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l (-3342478l) 2244091l - (-2446433l) (-3562462l) + butterfly_2_ re (sz 0) 2091667l 3407706l 2316500l 3817976l (-3342478l) 2244091l (-2446433l) + (-3562462l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l (-3520352l) (-3759364l) - (-1197226l) (-3193378l) + butterfly_2_ re (sz 2) 266997l 2434439l (-1235728l) 3513181l (-3520352l) (-3759364l) (-1197226l) + (-3193378l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l 495491l (-1613174l) (-43260l) - (-522500l) + butterfly_2_ re (sz 4) 900702l 1859098l 909542l 819034l 495491l (-1613174l) (-43260l) (-522500l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l (-3556995l) (-525098l) + butterfly_2_ re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l (-3556995l) (-525098l) (-768622l) (-3595838l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l 3437287l (-3342277l) - 1735879l 203044l + butterfly_2_ re (sz 8) 342297l 286988l (-2437823l) 4108315l 3437287l (-3342277l) 1735879l + 203044l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l 4055324l 1247620l - 2486353l 1595974l + butterfly_2_ re (sz 10) 2842341l 2691481l (-2590150l) 1265009l 4055324l 1247620l 2486353l + 1595974l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) (-2994039l) 1869119l - 1903435l (-1050970l) + butterfly_2_ re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) (-2994039l) 1869119l 1903435l + (-1050970l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) (-451100l) - 1312455l 3306115l (-1962642l) + butterfly_2_ re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) (-451100l) 1312455l + 3306115l (-1962642l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) 1500165l 777191l - 2235880l 3406031l + butterfly_2_ re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) 1500165l 777191l 2235880l + 3406031l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) (-2584293l) - (-3724270l) 594136l (-3776993l) + butterfly_2_ re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) (-2584293l) (-3724270l) + 594136l (-3776993l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) 1957272l 3369112l - 185531l (-1207385l) + butterfly_2_ re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) 1957272l 3369112l 185531l + (-1207385l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l 810149l 1652634l - (-3694233l) (-1799107l) + butterfly_2_ re (sz 22) (-3183426l) 162844l 1616392l 3014001l 810149l 1652634l (-3694233l) + (-1799107l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l 2213111l (-975884l) - 1717735l 472078l + butterfly_2_ re (sz 24) (-3038916l) 3523897l 3866901l 269760l 2213111l (-975884l) 1717735l + 472078l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l (-1667432l) - (-1104333l) (-260646l) (-3833893l) + butterfly_2_ re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l (-1667432l) (-1104333l) + (-260646l) (-3833893l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) 183443l - (-976891l) 1612842l (-3545687l) + butterfly_2_ re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) 183443l (-976891l) + 1612842l (-3545687l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) 3937738l 1400424l - (-846154l) 1976782l - in - re - -let ntt_at_layer_1___round - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - (index: usize) - (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) - = - let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) = - butterfly_4_ (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - zeta_0_ - zeta_1_ - zeta_2_ - zeta_3_ - in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a - in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b + butterfly_2_ re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) 3937738l 1400424l (-846154l) + 1976782l in re let ntt_at_layer_1_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l) (-3677745l) (-3041255l) + butterfly_4_ re (sz 0) (-3930395l) (-1528703l) (-3677745l) (-3041255l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l 2176455l (-1585221l) + butterfly_4_ re (sz 2) (-1452451l) 3475950l 2176455l (-1585221l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l (-4083598l) (-1000202l) + butterfly_4_ re (sz 4) (-1257611l) 1939314l (-4083598l) (-1000202l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l) (-3632928l) 126922l + butterfly_4_ re (sz 6) (-3190144l) (-3157330l) (-3632928l) 126922l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 8) 3412210l (-983419l) 2147896l 2715295l + butterfly_4_ re (sz 8) 3412210l (-983419l) 2147896l 2715295l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l) (-411027l) (-2477047l) + butterfly_4_ re (sz 10) (-2967645l) (-3693493l) (-411027l) (-2477047l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l) (-22981l) (-1308169l) + butterfly_4_ re (sz 12) (-671102l) (-1228525l) (-22981l) (-1308169l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l 1852771l (-1430430l) + butterfly_4_ re (sz 14) (-381987l) 1349076l 1852771l (-1430430l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l 508951l 3097992l + butterfly_4_ re (sz 16) (-3343383l) 264944l 508951l 3097992l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 18) 44288l (-1100098l) 904516l 3958618l + butterfly_4_ re (sz 18) 44288l (-1100098l) 904516l 3958618l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l) 1653064l (-3249728l) + butterfly_4_ re (sz 20) (-3724342l) (-8578l) 1653064l (-3249728l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 22) 2389356l (-210977l) 759969l (-1316856l) + butterfly_4_ re (sz 22) 2389356l (-210977l) 759969l (-1316856l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 24) 189548l (-3553272l) 3159746l (-1851402l) + butterfly_4_ re (sz 24) 189548l (-3553272l) 3159746l (-1851402l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l) 1315589l 1341330l + butterfly_4_ re (sz 26) (-2409325l) (-177440l) 1315589l 1341330l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l) (-812732l) (-1439742l) + butterfly_4_ re (sz 28) 1285669l (-1584928l) (-812732l) (-1439742l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l) (-3628969l) 3839961l - in - re - -let ntt_at_layer_2___round - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - (index: usize) - (zeta_0_ zeta_1_: i32) - = - let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) = - butterfly_8_ (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - zeta_0_ - zeta_1_ - in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a - in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b + butterfly_4_ re (sz 30) (-3019102l) (-3881060l) (-3628969l) 3839961l in re let ntt_at_layer_2_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 0) 2706023l 95776l + butterfly_8_ re (sz 0) 2706023l 95776l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 2) 3077325l 3530437l + butterfly_8_ re (sz 2) 3077325l 3530437l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 4) (-1661693l) (-3592148l) + butterfly_8_ re (sz 4) (-1661693l) (-3592148l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 6) (-2537516l) 3915439l + butterfly_8_ re (sz 6) (-2537516l) 3915439l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 8) (-3861115l) (-3043716l) + butterfly_8_ re (sz 8) (-3861115l) (-3043716l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 10) 3574422l (-2867647l) + butterfly_8_ re (sz 10) 3574422l (-2867647l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 12) 3539968l (-300467l) + butterfly_8_ re (sz 12) 3539968l (-300467l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 14) 2348700l (-539299l) + butterfly_8_ re (sz 14) 2348700l (-539299l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 16) (-1699267l) (-1643818l) + butterfly_8_ re (sz 16) (-1699267l) (-1643818l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 18) 3505694l (-3821735l) + butterfly_8_ re (sz 18) 3505694l (-3821735l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 20) 3507263l (-2140649l) + butterfly_8_ re (sz 20) 3507263l (-2140649l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 22) (-1600420l) 3699596l + butterfly_8_ re (sz 22) (-1600420l) 3699596l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 24) 811944l 531354l + butterfly_8_ re (sz 24) 811944l 531354l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 26) 954230l 3881043l + butterfly_8_ re (sz 26) 954230l 3881043l in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 28) 3900724l (-2556880l) + butterfly_8_ re (sz 28) 3900724l (-2556880l) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - ntt_at_layer_2___round re (sz 30) 2071892l (-2797779l) + butterfly_8_ re (sz 30) 2071892l (-2797779l) in re @@ -740,32 +722,38 @@ let ntt_at_layer_5_to_3___round (fun re j -> let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in let j:usize = j in - let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! v_STEP_BY <: usize ] - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - rhs - in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! v_STEP_BY <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! v_STEP_BY <: usize + ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - t + rhs + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let tmp:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (re.[ j ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ j +! v_STEP_BY <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] + (Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 (re.[ j ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - t + (re.[ j +! v_STEP_BY <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! v_STEP_BY <: usize) + tmp + in re) in let hax_temp_output:Prims.unit = () <: Prims.unit in @@ -862,11 +850,16 @@ let ntt_at_layer_5_to_3_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 ( let hax_temp_output:Prims.unit = () <: Prims.unit in re -let ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = +let ntt__avx2_ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_7_and_6_ re in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_5_to_3_ re in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_2_ re in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_1_ re in let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_0_ re in - let _:Prims.unit = () in + re + +let ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = + let hax_temp_output, re:(Prims.unit & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = + (), ntt__avx2_ntt re <: (Prims.unit & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti index 40c8f1b32..da6a0f9c0 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti @@ -37,57 +37,35 @@ let ntt_at_layer_7_and_6___STEP_BY_7_: usize = sz 2 *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT val butterfly_2_ - (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (index: usize) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val butterfly_4_ - (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - Prims.l_True - (fun _ -> Prims.l_True) - -val butterfly_8_ (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_0___round (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) (index: usize) - (zeta_0_ zeta_1_ zeta_2_ zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_: i32) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_0_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_1___round +val butterfly_8_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) (index: usize) - (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) + (zeta0 zeta1: i32) : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_1_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val ntt_at_layer_0_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_2___round - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - (index: usize) - (zeta_0_ zeta_1_: i32) +val ntt_at_layer_1_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) @@ -122,6 +100,11 @@ val ntt_at_layer_5_to_3_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 ( Prims.l_True (fun _ -> Prims.l_True) +val ntt__avx2_ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + val ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) Prims.l_True diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst index 67e806244..ad5c4fcc5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst @@ -43,7 +43,10 @@ let shift_interval (v_ETA: usize) (coefficients: Libcrux_intrinsics.Avx2_extract let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = let potential_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize_to_unsigned (sz 4) input + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize_to_unsigned (Libcrux_ml_dsa.Constants.Eta_Four + <: + Libcrux_ml_dsa.Constants.t_Eta) + input in let (interval_boundary: i32):i32 = match cast (v_ETA <: usize) <: u8 with diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst index 1956943ed..889c3bb6c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst @@ -3,50 +3,31 @@ module Libcrux_ml_dsa.Simd.Avx2.Vector_type open Core open FStar.Mul -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Core.Convert.t_From t_AVX2SIMDUnit Libcrux_intrinsics.Avx2_extract.t_Vec256 = - { - f_from_pre = (fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); - f_from_post - = - (fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_AVX2SIMDUnit) -> true); - f_from - = - fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> - { f_coefficients = coefficients } <: t_AVX2SIMDUnit - } +let from_coefficient_array + (coefficient_array: t_Slice i32) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + = + let hax_temp_output, out:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = + (), Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array + <: + (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + out -let v_ZERO (_: Prims.unit) = - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) +let to_coefficient_array (value: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice i32) = + let out:t_Slice i32 = Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 out value in + out -let from_coefficient_array (coefficient_array: t_Slice i32) = - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) +let zero (_: Prims.unit) = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_1': Core.Clone.t_Clone t_AVX2SIMDUnit +val impl': Core.Clone.t_Clone t_AVX2SIMDUnit -let impl_1 = impl_1' +let impl = impl' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_2': Core.Marker.t_Copy t_AVX2SIMDUnit +val impl_1': Core.Marker.t_Copy t_AVX2SIMDUnit -let impl_2 = impl_2' - -let to_coefficient_array (x: t_AVX2SIMDUnit) = - let coefficient_array:t_Array i32 (sz 8) = Rust_primitives.Hax.repeat 0l (sz 8) in - let coefficient_array:t_Array i32 (sz 8) = - Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 coefficient_array x.f_coefficients - in - coefficient_array +let impl_1 = impl_1' diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti index 22d84936b..04bc27f9d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti @@ -3,21 +3,25 @@ module Libcrux_ml_dsa.Simd.Avx2.Vector_type open Core open FStar.Mul -type t_AVX2SIMDUnit = { f_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 } +/// An empty type to implement the SIMD operations on +type t_AVX2SIMDUnit = | AVX2SIMDUnit : t_AVX2SIMDUnit -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Core.Convert.t_From t_AVX2SIMDUnit Libcrux_intrinsics.Avx2_extract.t_Vec256 +/// Create a coefficient from an `i32` array +val from_coefficient_array + (coefficient_array: t_Slice i32) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val v_ZERO: Prims.unit -> Prims.Pure t_AVX2SIMDUnit Prims.l_True (fun _ -> Prims.l_True) +/// Write out the coefficient to an `i32` array +val to_coefficient_array (value: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice i32) + : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) -val from_coefficient_array (coefficient_array: t_Slice i32) - : Prims.Pure t_AVX2SIMDUnit Prims.l_True (fun _ -> Prims.l_True) +/// Create an all-zero vector coefficient +val zero: Prims.unit + -> Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Core.Clone.t_Clone t_AVX2SIMDUnit +val impl:Core.Clone.t_Clone t_AVX2SIMDUnit [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_2:Core.Marker.t_Copy t_AVX2SIMDUnit - -val to_coefficient_array (x: t_AVX2SIMDUnit) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) +val impl_1:Core.Marker.t_Copy t_AVX2SIMDUnit diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst deleted file mode 100644 index 4a4ea00ea..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst +++ /dev/null @@ -1,683 +0,0 @@ -module Libcrux_ml_dsa.Simd.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Avx2.Vector_type in - () - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations -Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = - { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - f_ZERO_pre = (fun (_: Prims.unit) -> true); - f_ZERO_post - = - (fun (_: Prims.unit) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); - f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Avx2.Vector_type.v_ZERO ()); - f_from_coefficient_array_pre = (fun (coefficient_array: t_Slice i32) -> true); - f_from_coefficient_array_post - = - (fun - (coefficient_array: t_Slice i32) - (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_from_coefficient_array - = - (fun (coefficient_array: t_Slice i32) -> - Libcrux_ml_dsa.Simd.Avx2.Vector_type.from_coefficient_array coefficient_array); - f_to_coefficient_array_pre - = - (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); - f_to_coefficient_array_post - = - (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (out: t_Array i32 (sz 8)) -> - true); - f_to_coefficient_array - = - (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - Libcrux_ml_dsa.Simd.Avx2.Vector_type.to_coefficient_array self); - f_add_pre - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_add_post - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_add - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lhs - .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_subtract_pre - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_subtract_post - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_subtract - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract lhs - .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_montgomery_multiply_pre - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_montgomery_multiply_post - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_montgomery_multiply - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply lhs - .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_shift_left_then_reduce_pre - = - (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); - f_shift_left_then_reduce_post - = - (fun - (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_shift_left_then_reduce - = - (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.shift_left_then_reduce v_SHIFT_BY - simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_power2round_pre - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); - f_power2round_post - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: - (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & - Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)) - -> - true); - f_power2round - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - let lower, upper:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & - Libcrux_intrinsics.Avx2_extract.t_Vec256) = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.power2round simd_unit - .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - in - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - lower, - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - upper - <: - (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & - Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); - f_infinity_norm_exceeds_pre - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (bound: i32) -> true); - f_infinity_norm_exceeds_post - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (bound: i32) - (out: bool) - -> - true); - f_infinity_norm_exceeds - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (bound: i32) -> - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.infinity_norm_exceeds simd_unit - .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - bound); - f_decompose_pre - = - (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); - f_decompose_post - = - (fun - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: - (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & - Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)) - -> - true); - f_decompose - = - (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - let lower, upper:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & - Libcrux_intrinsics.Avx2_extract.t_Vec256) = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.decompose v_GAMMA2 - simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - in - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - lower, - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - upper - <: - (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & - Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); - f_compute_hint_pre - = - (fun - (v_GAMMA2: i32) - (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_compute_hint_post - = - (fun - (v_GAMMA2: i32) - (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: (usize & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)) - -> - true); - f_compute_hint - = - (fun - (v_GAMMA2: i32) - (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - let count, hint:(usize & Libcrux_intrinsics.Avx2_extract.t_Vec256) = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.compute_hint v_GAMMA2 - low.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - high.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - in - count, - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - hint - <: - (usize & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); - f_use_hint_pre - = - (fun - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_use_hint_post - = - (fun - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_use_hint - = - (fun - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.use_hint v_GAMMA2 - simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - hint.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_rejection_sample_less_than_field_modulus_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_field_modulus_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_field_modulus - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.sample randomness out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_rejection_sample_less_than_eta_equals_2_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_eta_equals_2_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_eta_equals_2_ - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 2) randomness out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_rejection_sample_less_than_eta_equals_4_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_eta_equals_4_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_eta_equals_4_ - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 4) randomness out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_gamma1_serialize_pre - = - (fun - (v_GAMMA1_EXPONENT: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (serialized: t_Slice u8) - -> - true); - f_gamma1_serialize_post - = - (fun - (v_GAMMA1_EXPONENT: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (serialized: t_Slice u8) - (out: t_Slice u8) - -> - true); - f_gamma1_serialize - = - (fun - (v_GAMMA1_EXPONENT: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (serialized: t_Slice u8) - -> - let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = - (), - Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize v_GAMMA1_EXPONENT - simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - serialized - <: - (Prims.unit & t_Slice u8) - in - serialized); - f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); - f_gamma1_deserialize_post - = - (fun - (v_GAMMA1_EXPONENT: usize) - (serialized: t_Slice u8) - (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_gamma1_deserialize - = - (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_commitment_serialize_pre - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (serialized: t_Slice u8) - -> - true); - f_commitment_serialize_post - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (serialized: t_Slice u8) - (out: t_Slice u8) - -> - true); - f_commitment_serialize - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (serialized: t_Slice u8) - -> - let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = - (), - Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.serialize simd_unit - .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - serialized - <: - (Prims.unit & t_Slice u8) - in - serialized); - f_error_serialize_pre - = - (fun - (v_ETA: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (serialized: t_Slice u8) - -> - true); - f_error_serialize_post - = - (fun - (v_ETA: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (serialized: t_Slice u8) - (out: t_Slice u8) - -> - true); - f_error_serialize - = - (fun - (v_ETA: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (serialized: t_Slice u8) - -> - let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = - (), - Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize v_ETA - simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - serialized - <: - (Prims.unit & t_Slice u8) - in - serialized); - f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); - f_error_deserialize_post - = - (fun - (v_ETA: usize) - (serialized: t_Slice u8) - (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - -> - true); - f_error_deserialize - = - (fun (v_ETA: usize) (serialized: t_Slice u8) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize v_ETA serialized - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_t0_serialize_pre - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); - f_t0_serialize_post - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: t_Array u8 (sz 13)) - -> - true); - f_t0_serialize - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.serialize simd_unit - .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); - f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); - f_t0_deserialize_post - = - (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true - ); - f_t0_deserialize - = - (fun (serialized: t_Slice u8) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.deserialize serialized - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_t1_serialize_pre - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); - f_t1_serialize_post - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: t_Array u8 (sz 10)) - -> - true); - f_t1_serialize - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.serialize simd_unit - .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); - f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); - f_t1_deserialize_post - = - (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true - ); - f_t1_deserialize - = - (fun (serialized: t_Slice u8) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.deserialize serialized - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_ntt_pre - = - (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> true); - f_ntt_post - = - (fun - (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) - (out1: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) - -> - true); - f_ntt - = - (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Rust_primitives.Hax.repeat (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (sz 32) - in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - Libcrux_ml_dsa.Simd.Traits.v_SIMD_UNITS_IN_RING_ELEMENT - (fun re temp_1_ -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re i -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - i - (simd_units.[ i ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - <: - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - in - let result:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt re - in - let out:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Avx2.Vector_type.v_ZERO () - <: - Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (sz 32) - in - let out:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 - (result <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) - <: - usize) - (fun out temp_1_ -> - let out:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32) = out in - let _:usize = temp_1_ in - true) - out - (fun out i -> - let out:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32) = out in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - i - ({ - Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - = - result.[ i ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256 - } - <: - Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - <: - t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) - in - out); - f_invert_ntt_montgomery_pre - = - (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> true); - f_invert_ntt_montgomery_post - = - (fun - (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) - (out1: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) - -> - true); - f_invert_ntt_montgomery - = - fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Rust_primitives.Hax.repeat (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (sz 32) - in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - Libcrux_ml_dsa.Simd.Traits.v_SIMD_UNITS_IN_RING_ELEMENT - (fun re temp_1_ -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re i -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - i - (simd_units.[ i ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - <: - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - in - let result:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Libcrux_ml_dsa.Simd.Avx2.Invntt.invert_ntt_montgomery re - in - let out:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Avx2.Vector_type.v_ZERO () - <: - Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (sz 32) - in - let out:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 - (result <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) - <: - usize) - (fun out temp_1_ -> - let out:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32) = out in - let _:usize = temp_1_ in - true) - out - (fun out i -> - let out:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32) = out in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - i - ({ - Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients - = - result.[ i ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256 - } - <: - Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - <: - t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) - in - out - } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti index 708395ec3..ab1a4cc34 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti @@ -6,8 +6,576 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_intrinsics.Avx2_extract in let open Libcrux_ml_dsa.Simd.Avx2.Vector_type in () +/// Implementing the [`Operations`] for AVX2. [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Libcrux_ml_dsa.Simd.Traits.t_Operations Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit +let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations +Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = + { + _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; + _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; + f_Coefficient = Libcrux_intrinsics.Avx2_extract.t_Vec256; + f_Coefficient_11316922548682728705 = FStar.Tactics.Typeclasses.solve; + f_zero_pre = (fun (_: Prims.unit) -> true); + f_zero_post = (fun (_: Prims.unit) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); + f_zero = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Avx2.Vector_type.zero ()); + f_from_coefficient_array_pre + = + (fun (coefficient_array: t_Slice i32) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); + f_from_coefficient_array_post + = + (fun + (coefficient_array: t_Slice i32) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out1: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_from_coefficient_array + = + (fun (coefficient_array: t_Slice i32) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> + let hax_temp_output, out:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = + (), Libcrux_ml_dsa.Simd.Avx2.Vector_type.from_coefficient_array coefficient_array out + <: + (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + out); + f_to_coefficient_array_pre + = + (fun (value: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice i32) -> true); + f_to_coefficient_array_post + = + (fun (value: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice i32) (out1: t_Slice i32) -> + true); + f_to_coefficient_array + = + (fun (value: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice i32) -> + let hax_temp_output, out:(Prims.unit & t_Slice i32) = + (), Libcrux_ml_dsa.Simd.Avx2.Vector_type.to_coefficient_array value out + <: + (Prims.unit & t_Slice i32) + in + out); + f_add_pre + = + (fun + (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_add_post + = + (fun + (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_add + = + (fun + (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + let hax_temp_output, lhs:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = + (), Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lhs rhs + <: + (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + lhs); + f_subtract_pre + = + (fun + (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_subtract_post + = + (fun + (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_subtract + = + (fun + (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + let hax_temp_output, lhs:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = + (), Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract lhs rhs + <: + (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + lhs); + f_montgomery_multiply_pre + = + (fun + (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_montgomery_multiply_post + = + (fun + (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_montgomery_multiply + = + (fun + (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply lhs rhs + in + lhs); + f_shift_left_then_reduce_pre + = + (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); + f_shift_left_then_reduce_post + = + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_shift_left_then_reduce + = + (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> + let hax_temp_output, simd_unit:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = + (), Libcrux_ml_dsa.Simd.Avx2.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit + <: + (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + simd_unit); + f_power2round_pre + = + (fun + (t0: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (t1: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_power2round_post + = + (fun + (t0: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (t1: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)) + -> + true); + f_power2round + = + (fun + (t0: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (t1: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + let tmp0, tmp1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & + Libcrux_intrinsics.Avx2_extract.t_Vec256) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.power2round t0 t1 + in + let t0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = tmp0 in + let t1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = tmp1 in + let _:Prims.unit = () in + t0, t1 + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_infinity_norm_exceeds_pre + = + (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) -> true); + f_infinity_norm_exceeds_post + = + (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) (out: bool) -> true); + f_infinity_norm_exceeds + = + (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) -> + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.infinity_norm_exceeds simd_unit bound); + f_decompose_pre + = + (fun + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_decompose_post + = + (fun + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)) + -> + true); + f_decompose + = + (fun + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + let tmp0, tmp1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & + Libcrux_intrinsics.Avx2_extract.t_Vec256) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.decompose gamma2 simd_unit low high + in + let low:Libcrux_intrinsics.Avx2_extract.t_Vec256 = tmp0 in + let high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = tmp1 in + let _:Prims.unit = () in + low, high + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_compute_hint_pre + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_compute_hint_post + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out2: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize)) + -> + true); + f_compute_hint + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + let tmp0, out1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.compute_hint v_GAMMA2 low high hint + in + let hint:Libcrux_intrinsics.Avx2_extract.t_Vec256 = tmp0 in + let hax_temp_output:usize = out1 in + hint, hax_temp_output <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize)); + f_use_hint_pre + = + (fun + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_use_hint_post + = + (fun + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_use_hint + = + (fun + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + let hint:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.use_hint gamma2 simd_unit hint + in + hint); + f_rejection_sample_less_than_field_modulus_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_field_modulus_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_field_modulus + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.sample randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_2_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_2_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_2_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 2) randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_4_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_4_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_4_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 4) randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_gamma1_serialize_pre + = + (fun + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + -> + true); + f_gamma1_serialize_post + = + (fun + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + (out: t_Slice u8) + -> + true); + f_gamma1_serialize + = + (fun + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), + Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize simd_unit serialized gamma1_exponent + <: + (Prims.unit & t_Slice u8) + in + serialized); + f_gamma1_deserialize_pre + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (gamma1_exponent: usize) + -> + true); + f_gamma1_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (gamma1_exponent: usize) + (out1: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_gamma1_deserialize + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (gamma1_exponent: usize) + -> + let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize serialized out gamma1_exponent + in + out); + f_commitment_serialize_pre + = + (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (serialized: t_Slice u8) -> true); + f_commitment_serialize_post + = + (fun + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (serialized: t_Slice u8) + (out: t_Slice u8) + -> + true); + f_commitment_serialize + = + (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (serialized: t_Slice u8) -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.serialize simd_unit serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); + f_error_serialize_pre + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (serialized: t_Slice u8) + -> + true); + f_error_serialize_post + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (serialized: t_Slice u8) + (out: t_Slice u8) + -> + true); + f_error_serialize + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (serialized: t_Slice u8) + -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize eta simd_unit serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); + f_error_deserialize_pre + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_error_deserialize_post + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out1: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_error_deserialize + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize eta serialized out + in + out); + f_t0_serialize_pre + = + (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) -> true); + f_t0_serialize_post + = + (fun + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out: t_Slice u8) + (out1: t_Slice u8) + -> + true); + f_t0_serialize + = + (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) -> + let out:t_Slice u8 = Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.serialize simd_unit out in + out); + f_t0_deserialize_pre + = + (fun (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); + f_t0_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out1: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_t0_deserialize + = + (fun (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> + let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.deserialize serialized out + in + out); + f_t1_serialize_pre + = + (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) -> true); + f_t1_serialize_post + = + (fun + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out: t_Slice u8) + (out1: t_Slice u8) + -> + true); + f_t1_serialize + = + (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) -> + let out:t_Slice u8 = Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.serialize simd_unit out in + out); + f_t1_deserialize_pre + = + (fun (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); + f_t1_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (out1: Libcrux_intrinsics.Avx2_extract.t_Vec256) + -> + true); + f_t1_deserialize + = + (fun (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> + let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.deserialize serialized out + in + out); + f_ntt_pre = (fun (simd_units: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) -> true); + f_ntt_post + = + (fun + (simd_units: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (out: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + -> + true); + f_ntt + = + (fun (simd_units: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) -> + let simd_units:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt simd_units + in + simd_units); + f_invert_ntt_montgomery_pre + = + (fun (simd_units: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) -> true); + f_invert_ntt_montgomery_post + = + (fun + (simd_units: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (out: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + -> + true); + f_invert_ntt_montgomery + = + fun (simd_units: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) -> + let simd_units:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + Libcrux_ml_dsa.Simd.Avx2.Invntt.invert_ntt_montgomery simd_units + in + simd_units + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst index b8a8a4b00..bbaaa296e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst @@ -32,7 +32,7 @@ let montgomery_reduce_element (value: i64) = let montgomery_multiply_fe_by_fer (fe fer: i32) = montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64) -let decompose_element (v_GAMMA2 r: i32) = +let decompose_element (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (r: i32) = let _:Prims.unit = if true then @@ -46,27 +46,24 @@ let decompose_element (v_GAMMA2 r: i32) = () in let r:i32 = r +! ((r >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in - let v_ALPHA:i32 = v_GAMMA2 *! 2l in let ceil_of_r_by_128_:i32 = (r +! 127l <: i32) >>! 7l in let r1:i32 = - match v_ALPHA with - | 190464l -> + match gamma2 <: Libcrux_ml_dsa.Constants.t_Gamma2 with + | Libcrux_ml_dsa.Constants.Gamma2_V95_232_ -> let result:i32 = ((ceil_of_r_by_128_ *! 11275l <: i32) +! (1l <>! 24l in (result ^. ((43l -! result <: i32) >>! 31l <: i32) <: i32) &. result - | 523776l -> + | Libcrux_ml_dsa.Constants.Gamma2_V261_888_ -> let result:i32 = ((ceil_of_r_by_128_ *! 1025l <: i32) +! (1l <>! 22l in result &. 15l - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) in - let r0:i32 = r -! (r1 *! v_ALPHA <: i32) in + let alpha:i32 = + (cast (Libcrux_ml_dsa.Constants.t_Gamma2_cast_to_repr gamma2 <: isize) <: i32) *! 2l + in + let r0:i32 = r -! (r1 *! alpha <: i32) in let r0:i32 = r0 -! (((((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! 1l <: i32) /! 2l <: i32) -! r0 <: i32) >>! @@ -79,45 +76,6 @@ let decompose_element (v_GAMMA2 r: i32) = in r0, r1 <: (i32 & i32) -let infinity_norm_exceeds - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (bound: i32) - = - let exceeds:bool = false in - let exceeds:bool = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Array.Iter.t_IntoIter - i32 (sz 8)) - #FStar.Tactics.Typeclasses.solve - (Core.Iter.Traits.Collect.f_into_iter #(t_Array i32 (sz 8)) - #FStar.Tactics.Typeclasses.solve - simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - <: - Core.Array.Iter.t_IntoIter i32 (sz 8)) - <: - Core.Array.Iter.t_IntoIter i32 (sz 8)) - exceeds - (fun exceeds coefficient -> - let exceeds:bool = exceeds in - let coefficient:i32 = coefficient in - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((coefficient >. - (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - <: - bool) && - (coefficient <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) - in - () - in - let sign:i32 = coefficient >>! 31l in - let normalized:i32 = coefficient -! (sign &. (2l *! coefficient <: i32) <: i32) in - let exceeds:bool = exceeds || normalized >=. bound in - exceeds) - in - exceeds - let power2round_element (t: i32) = let _:Prims.unit = if true @@ -142,467 +100,258 @@ let power2round_element (t: i32) = let t0:i32 = t -! (t1 < + match gamma2 <: Libcrux_ml_dsa.Constants.t_Gamma2 with + | Libcrux_ml_dsa.Constants.Gamma2_V95_232_ -> if r0 >. 0l then if r1 =. 43l then 0l else r1 +! hint else if r1 =. 0l then 43l else r1 -! hint - | 261888l -> if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 15l - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + | Libcrux_ml_dsa.Constants.Gamma2_V261_888_ -> + if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 15l - <: - Rust_primitives.Hax.t_Never) - -let power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () - in - let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () - in - let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - Rust_primitives.Hax.Folds.fold_enumerated_slice simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (fun temp_0_ temp_1_ -> - let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (t0_simd_unit, t1_simd_unit - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - (fun temp_0_ temp_1_ -> - let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - temp_0_ - in - let i, t:(usize & i32) = temp_1_ in - let t0, t1:(i32 & i32) = power2round_element t in - let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - t0_simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0_simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - t0 - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - t1_simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1_simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - t1 - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - t0_simd_unit, t1_simd_unit - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - in - t0_simd_unit, t1_simd_unit - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () - in - let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = +let add (lhs rhs: t_Array i32 (sz 8)) = + let lhs:t_Array i32 (sz 8) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (sum.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun sum temp_1_ -> - let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in + (Core.Slice.impl__len #i32 (lhs <: t_Slice i32) <: usize) + (fun lhs temp_1_ -> + let lhs:t_Array i32 (sz 8) = lhs in let _:usize = temp_1_ in true) - sum - (fun sum i -> - let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in + lhs + (fun lhs i -> + let lhs:t_Array i32 (sz 8) = lhs in let i:usize = i in - { - sum with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) +! - (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i32) - <: - t_Array i32 (sz 8) - } + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + i + ((lhs.[ i ] <: i32) +! (rhs.[ i ] <: i32) <: i32) <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in - sum + let hax_temp_output:Prims.unit = () <: Prims.unit in + lhs -let compute_hint - (v_GAMMA2: i32) - (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () - in +let compute_hint (v_GAMMA2: i32) (low high hint: t_Array i32 (sz 8)) = let one_hints_count:usize = sz 0 in - let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize) = + let hint, one_hints_count:(t_Array i32 (sz 8) & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) + (Core.Slice.impl__len #i32 (hint <: t_Slice i32) <: usize) (fun temp_0_ temp_1_ -> - let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - usize) = - temp_0_ - in + let hint, one_hints_count:(t_Array i32 (sz 8) & usize) = temp_0_ in let _:usize = temp_1_ in true) - (hint, one_hints_count - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) + (hint, one_hints_count <: (t_Array i32 (sz 8) & usize)) (fun temp_0_ i -> - let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - usize) = - temp_0_ - in + let hint, one_hints_count:(t_Array i32 (sz 8) & usize) = temp_0_ in let i:usize = i in - let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - hint with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (compute_one_hint v_GAMMA2 - (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - (high.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let one_hints_count:usize = - one_hints_count +! - (cast (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - usize) + let hint:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + i + (compute_one_hint v_GAMMA2 (low.[ i ] <: i32) (high.[ i ] <: i32) <: i32) in - hint, one_hints_count - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) + let one_hints_count:usize = one_hints_count +! (cast (hint.[ i ] <: i32) <: usize) in + hint, one_hints_count <: (t_Array i32 (sz 8) & usize)) in - one_hints_count, hint <: (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + let hax_temp_output:usize = one_hints_count in + hint, hax_temp_output <: (t_Array i32 (sz 8) & usize) -let decompose - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () - in - let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () - in - let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = +let decompose (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (simd_unit low high: t_Array i32 (sz 8)) = + let high, low:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) + (Core.Slice.impl__len #i32 (low <: t_Slice i32) <: usize) (fun temp_0_ temp_1_ -> - let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - temp_0_ - in + let high, low:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = temp_0_ in let _:usize = temp_1_ in true) - (high, low - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + (high, low <: (t_Array i32 (sz 8) & t_Array i32 (sz 8))) (fun temp_0_ i -> - let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - temp_0_ - in + let high, low:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = temp_0_ in let i:usize = i in - let low_part, high_part:(i32 & i32) = - decompose_element v_GAMMA2 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + let lhs, lhs_1_:(i32 & i32) = decompose_element gamma2 (simd_unit.[ i ] <: i32) in + let low:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low i lhs in - let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - low with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - low_part - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let high:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high i lhs_1_ in - let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - high with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - high_part - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - high, low - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + high, low <: (t_Array i32 (sz 8) & t_Array i32 (sz 8))) in - low, high - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + let hax_temp_output:Prims.unit = () <: Prims.unit in + low, high <: (t_Array i32 (sz 8) & t_Array i32 (sz 8)) -let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () +let infinity_norm_exceeds (simd_unit: t_Array i32 (sz 8)) (bound: i32) = + let result:bool = false in + let result:bool = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + i32) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #i32 (simd_unit <: t_Slice i32) <: Core.Slice.Iter.t_Iter i32) + <: + Core.Slice.Iter.t_Iter i32) + result + (fun result coefficient -> + let result:bool = result in + let coefficient:i32 = coefficient in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((coefficient >. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (coefficient <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + in + () + in + let sign:i32 = coefficient >>! 31l in + let normalized:i32 = coefficient -! (sign &. (2l *! coefficient <: i32) <: i32) in + if normalized >=. bound + then + let result:bool = true in + result + else result) in - let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + result + +let montgomery_multiply (lhs rhs: t_Array i32 (sz 8)) = + let lhs:t_Array i32 (sz 8) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (product.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun product temp_1_ -> - let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in + (Core.Slice.impl__len #i32 (lhs <: t_Slice i32) <: usize) + (fun lhs temp_1_ -> + let lhs:t_Array i32 (sz 8) = lhs in let _:usize = temp_1_ in true) - product - (fun product i -> - let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in + lhs + (fun lhs i -> + let lhs:t_Array i32 (sz 8) = lhs in let i:usize = i in - { - product with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize product - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (montgomery_reduce_element ((cast (lhs - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] - <: - i32) - <: - i64) *! - (cast (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i64) - <: - i64) - <: - i32) - <: - t_Array i32 (sz 8) - } + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + i + (montgomery_reduce_element ((cast (lhs.[ i ] <: i32) <: i64) *! + (cast (rhs.[ i ] <: i32) <: i64) + <: + i64) + <: + i32) <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in - product + let hax_temp_output:Prims.unit = () <: Prims.unit in + lhs -let montgomery_multiply_by_constant - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (c: i32) - = - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = +let montgomery_multiply_by_constant (simd_unit: t_Array i32 (sz 8)) (c: i32) = + let simd_unit:t_Array i32 (sz 8) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) + (Core.Slice.impl__len #i32 (simd_unit <: t_Slice i32) <: usize) (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let simd_unit:t_Array i32 (sz 8) = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit i -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let simd_unit:t_Array i32 (sz 8) = simd_unit in let i:usize = i in - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (montgomery_reduce_element ((cast (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] - <: - i32) - <: - i64) *! - (cast (c <: i32) <: i64) - <: - i64) - <: - i32) - <: - t_Array i32 (sz 8) - } + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + i + (montgomery_reduce_element ((cast (simd_unit.[ i ] <: i32) <: i64) *! + (cast (c <: i32) <: i64) + <: + i64) + <: + i32) <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in + let hax_temp_output:Prims.unit = () <: Prims.unit in simd_unit -let shift_left_then_reduce - (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () +let power2round (t0 t1: t_Array i32 (sz 8)) = + let t0, t1:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 (t0 <: t_Slice i32) <: usize) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = temp_0_ in + let _:usize = temp_1_ in + true) + (t0, t1 <: (t_Array i32 (sz 8) & t_Array i32 (sz 8))) + (fun temp_0_ i -> + let t0, t1:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = temp_0_ in + let i:usize = i in + let lhs, lhs_1_:(i32 & i32) = power2round_element (t0.[ i ] <: i32) in + let t0:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0 i lhs + in + let t1:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 i lhs_1_ + in + t0, t1 <: (t_Array i32 (sz 8) & t_Array i32 (sz 8))) in - let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + let hax_temp_output:Prims.unit = () <: Prims.unit in + t0, t1 <: (t_Array i32 (sz 8) & t_Array i32 (sz 8)) + +let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: t_Array i32 (sz 8)) = + let simd_unit:t_Array i32 (sz 8) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun out temp_1_ -> - let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in + (Core.Slice.impl__len #i32 (simd_unit <: t_Slice i32) <: usize) + (fun simd_unit temp_1_ -> + let simd_unit:t_Array i32 (sz 8) = simd_unit in let _:usize = temp_1_ in true) - out - (fun out i -> - let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in + simd_unit + (fun simd_unit i -> + let simd_unit:t_Array i32 (sz 8) = simd_unit in let i:usize = i in - { - out with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (reduce_element ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i - ] - <: - i32) < - let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in + (Core.Slice.impl__len #i32 (lhs <: t_Slice i32) <: usize) + (fun lhs temp_1_ -> + let lhs:t_Array i32 (sz 8) = lhs in let _:usize = temp_1_ in true) - difference - (fun difference i -> - let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in + lhs + (fun lhs i -> + let lhs:t_Array i32 (sz 8) = lhs in let i:usize = i in - { - difference with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) -! - (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i32) - <: - t_Array i32 (sz 8) - } + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + i + ((lhs.[ i ] <: i32) -! (rhs.[ i ] <: i32) <: i32) <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in - difference + let hax_temp_output:Prims.unit = () <: Prims.unit in + lhs -let use_hint - (v_GAMMA2: i32) - (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () - in - let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = +let use_hint (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (simd_unit hint: t_Array i32 (sz 8)) = + let hint:t_Array i32 (sz 8) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (result.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun result temp_1_ -> - let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in + (Core.Slice.impl__len #i32 (hint <: t_Slice i32) <: usize) + (fun hint temp_1_ -> + let hint:t_Array i32 (sz 8) = hint in let _:usize = temp_1_ in true) - result - (fun result i -> - let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in + hint + (fun hint i -> + let hint:t_Array i32 (sz 8) = hint in let i:usize = i in - { - result with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (use_one_hint v_GAMMA2 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i32) - <: - t_Array i32 (sz 8) - } + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + i + (use_one_hint gamma2 (simd_unit.[ i ] <: i32) (hint.[ i ] <: i32) <: i32) <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in - result + let hax_temp_output:Prims.unit = () <: Prims.unit in + hint diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti index 2a50db3ec..de990a150 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti @@ -17,73 +17,40 @@ val montgomery_reduce_element (value: i64) : Prims.Pure i32 Prims.l_True (fun _ val montgomery_multiply_fe_by_fer (fe fer: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -val decompose_element (v_GAMMA2 r: i32) +val decompose_element (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (r: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) -val infinity_norm_exceeds - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (bound: i32) +val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val use_one_hint (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (r hint: i32) + : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val add (lhs rhs: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val compute_hint (v_GAMMA2: i32) (low high hint: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8) & usize) Prims.l_True (fun _ -> Prims.l_True) + +val decompose (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (simd_unit low high: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8) & t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val infinity_norm_exceeds (simd_unit: t_Array i32 (sz 8)) (bound: i32) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) +val montgomery_multiply (lhs rhs: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant (simd_unit: t_Array i32 (sz 8)) (c: i32) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val power2round (t0 t1: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8) & t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val subtract (lhs rhs: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) -val use_one_hint (v_GAMMA2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - -val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val compute_hint - (v_GAMMA2: i32) - (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - -val decompose - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - -val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val montgomery_multiply_by_constant - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (c: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val shift_left_then_reduce - (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val use_hint - (v_GAMMA2: i32) - (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) +val use_hint (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (simd_unit hint: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst index 3fb3f1467..e89cbc069 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst @@ -3,16 +3,13 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment open Core open FStar.Mul -let serialize - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - = +let serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) = let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = match cast (Core.Slice.impl__len #u8 serialized <: usize) <: u8 with | 4uy -> let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (simd_unit <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -34,7 +31,7 @@ let serialize | 6uy -> let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (simd_unit <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti index a06e23904..49715b93a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti @@ -3,7 +3,5 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment open Core open FStar.Mul -val serialize - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) +val serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst index 2b13f6a43..ccf545016 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst @@ -3,73 +3,146 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Error open Core open FStar.Mul -let serialize_when_eta_is_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - = - let coefficient0:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +let deserialize_when_eta_is_2_ (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 3 <: bool) + in + () + in + let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 0) + (deserialize_when_eta_is_2___ETA -! (byte0 &. 7l <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 1) + (deserialize_when_eta_is_2___ETA -! ((byte0 >>! 3l <: i32) &. 7l <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 2) + (deserialize_when_eta_is_2___ETA -! + (((byte0 >>! 6l <: i32) |. (byte1 <>! 1l <: i32) &. 7l <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 4) + (deserialize_when_eta_is_2___ETA -! ((byte1 >>! 4l <: i32) &. 7l <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 5) + (deserialize_when_eta_is_2___ETA -! + (((byte1 >>! 7l <: i32) |. (byte2 <>! 2l <: i32) &. 7l <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 7) + (deserialize_when_eta_is_2___ETA -! ((byte2 >>! 5l <: i32) &. 7l <: i32) <: i32) + in + simd_unit + +let deserialize_when_eta_is_4_ (serialized: t_Slice u8) (simd_units: t_Array i32 (sz 8)) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 4 <: bool) + in + () + in + let simd_units:t_Array i32 (sz 8) = + Rust_primitives.Hax.Folds.fold_enumerated_slice serialized + (fun simd_units temp_1_ -> + let simd_units:t_Array i32 (sz 8) = simd_units in + let _:usize = temp_1_ in + true) + simd_units + (fun simd_units temp_1_ -> + let simd_units:t_Array i32 (sz 8) = simd_units in + let i, byte:(usize & u8) = temp_1_ in + let simd_units:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_units + (sz 2 *! i <: usize) + (deserialize_when_eta_is_4___ETA -! (cast (byte &. 15uy <: u8) <: i32) <: i32) + in + let simd_units:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_units + ((sz 2 *! i <: usize) +! sz 1 <: usize) + (deserialize_when_eta_is_4___ETA -! (cast (byte >>! 4l <: u8) <: i32) <: i32) + in + simd_units) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + simd_units + +let deserialize + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: t_Array i32 (sz 8)) + = + let out, hax_temp_output:(t_Array i32 (sz 8) & Prims.unit) = + match eta <: Libcrux_ml_dsa.Constants.t_Eta with + | Libcrux_ml_dsa.Constants.Eta_Two -> + deserialize_when_eta_is_2_ serialized out, () <: (t_Array i32 (sz 8) & Prims.unit) + | Libcrux_ml_dsa.Constants.Eta_Four -> + deserialize_when_eta_is_4_ serialized out, () <: (t_Array i32 (sz 8) & Prims.unit) + in + out + +let serialize_when_eta_is_2_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 3 <: bool) + in + () + in + let coefficient0:u8 = + cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 0 ] <: i32) <: i32) <: u8 + in + let coefficient1:u8 = + cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 1 ] <: i32) <: i32) <: u8 in let coefficient2:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) - <: - i32) - <: - u8 + cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 2 ] <: i32) <: i32) <: u8 in let coefficient3:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) - <: - i32) - <: - u8 + cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 3 ] <: i32) <: i32) <: u8 in let coefficient4:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) - <: - i32) - <: - u8 + cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 4 ] <: i32) <: i32) <: u8 in let coefficient5:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) - <: - i32) - <: - u8 + cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 5 ] <: i32) <: i32) <: u8 in let coefficient6:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) - <: - i32) - <: - u8 + cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 6 ] <: i32) <: i32) <: u8 in let coefficient7:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) - <: - i32) - <: - u8 + cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 7 ] <: i32) <: i32) <: u8 in let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized @@ -97,202 +170,10 @@ let serialize_when_eta_is_2_ in serialized -let deserialize_when_eta_is_2_ (serialized: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 3 <: bool) - in - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () - in - let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in - let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in - let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - (deserialize_when_eta_is_2___ETA -! (byte0 &. 7l <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - (deserialize_when_eta_is_2___ETA -! ((byte0 >>! 3l <: i32) &. 7l <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - (deserialize_when_eta_is_2___ETA -! - (((byte0 >>! 6l <: i32) |. (byte1 <>! 1l <: i32) &. 7l <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - (deserialize_when_eta_is_2___ETA -! ((byte1 >>! 4l <: i32) &. 7l <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - (deserialize_when_eta_is_2___ETA -! - (((byte1 >>! 7l <: i32) |. (byte2 <>! 2l <: i32) &. 7l <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - (deserialize_when_eta_is_2___ETA -! ((byte2 >>! 5l <: i32) &. 7l <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit - -let deserialize_when_eta_is_4_ (serialized: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 4 <: bool) - in - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_enumerated_slice serialized - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let _:usize = temp_1_ in - true) - simd_unit - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let i, byte:(usize & u8) = temp_1_ in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2 *! i <: usize) - (deserialize_when_eta_is_4___ETA -! (cast (byte &. 15uy <: u8) <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((sz 2 *! i <: usize) +! sz 1 <: usize) - (deserialize_when_eta_is_4___ETA -! (cast (byte >>! 4l <: u8) <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit) - in - simd_unit - -let deserialize (v_ETA: usize) (serialized: t_Slice u8) = - match cast (v_ETA <: usize) <: u8 with - | 2uy -> deserialize_when_eta_is_2_ serialized - | 4uy -> deserialize_when_eta_is_4_ serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - -let serialize_when_eta_is_4_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - = +let serialize_when_eta_is_4_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) = let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (simd_unit <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -318,21 +199,15 @@ let serialize_when_eta_is_4_ serialized let serialize - (v_ETA: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) = let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = - match cast (v_ETA <: usize) <: u8 with - | 2uy -> serialize_when_eta_is_2_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) - | 4uy -> serialize_when_eta_is_4_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) - | _ -> - serialized, - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - <: - (t_Slice u8 & Prims.unit) + match eta <: Libcrux_ml_dsa.Constants.t_Eta with + | Libcrux_ml_dsa.Constants.Eta_Two -> + serialize_when_eta_is_2_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) + | Libcrux_ml_dsa.Constants.Eta_Four -> + serialize_when_eta_is_4_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) in serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti index 3d5414485..ee25b5b18 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti @@ -11,33 +11,26 @@ let serialize_when_eta_is_2___ETA: i32 = 2l let serialize_when_eta_is_4___ETA: i32 = 4l -val serialize_when_eta_is_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) +val deserialize_when_eta_is_2_ (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_when_eta_is_2_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) +val deserialize_when_eta_is_4_ (serialized: t_Slice u8) (simd_units: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_when_eta_is_4_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) +val deserialize + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) -val deserialize (v_ETA: usize) (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) +val serialize_when_eta_is_2_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val serialize_when_eta_is_4_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) +val serialize_when_eta_is_4_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val serialize - (v_ETA: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst index 2f3e006e4..228bf6211 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst @@ -3,7 +3,7 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 open Core open FStar.Mul -let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = +let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) = let _:Prims.unit = if true then @@ -12,19 +12,16 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = in () in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + let simd_unit:t_Array i32 (sz 8) = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 9) serialized (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let simd_unit:t_Array i32 (sz 8) = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let simd_unit:t_Array i32 (sz 8) = simd_unit in let i, bytes:(usize & t_Slice u8) = temp_1_ in let coefficient0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in let coefficient0:i32 = @@ -66,63 +63,32 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = let coefficient3:i32 = coefficient3 &. deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_BITMASK in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4 *! i <: usize) - (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient0 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((sz 4 *! i <: usize) +! sz 1 <: usize) - (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient1 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((sz 4 *! i <: usize) +! sz 2 <: usize) - (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient2 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((sz 4 *! i <: usize) +! sz 3 <: usize) - (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient3 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 4 *! i <: usize) + (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient0 <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + ((sz 4 *! i <: usize) +! sz 1 <: usize) + (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient1 <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + ((sz 4 *! i <: usize) +! sz 2 <: usize) + (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient2 <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + ((sz 4 *! i <: usize) +! sz 3 <: usize) + (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient3 <: i32) in simd_unit) in + let hax_temp_output:Prims.unit = () <: Prims.unit in simd_unit -let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = +let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) = let _:Prims.unit = if true then @@ -131,19 +97,16 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = in () in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + let simd_unit:t_Array i32 (sz 8) = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 5) serialized (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let simd_unit:t_Array i32 (sz 8) = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let simd_unit:t_Array i32 (sz 8) = simd_unit in let i, bytes:(usize & t_Slice u8) = temp_1_ in let coefficient0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in let coefficient0:i32 = @@ -162,53 +125,43 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = let coefficient1:i32 = coefficient1 |. ((cast (bytes.[ sz 4 ] <: u8) <: i32) < deserialize_when_gamma1_is_2_pow_17_ serialized - | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +let deserialize (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) (gamma1_exponent: usize) = + let out, hax_temp_output:(t_Array i32 (sz 8) & Prims.unit) = + match cast (gamma1_exponent <: usize) <: u8 with + | 17uy -> + deserialize_when_gamma1_is_2_pow_17_ serialized out, () <: (t_Array i32 (sz 8) & Prims.unit) + | 19uy -> + deserialize_when_gamma1_is_2_pow_19_ serialized out, () <: (t_Array i32 (sz 8) & Prims.unit) + | _ -> + out, + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - <: - Rust_primitives.Hax.t_Never) + <: + Rust_primitives.Hax.t_Never) + <: + (t_Array i32 (sz 8) & Prims.unit) + in + out -let serialize_when_gamma1_is_2_pow_17_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - = +let serialize_when_gamma1_is_2_pow_17_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) = let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (simd_unit <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -303,13 +256,10 @@ let serialize_when_gamma1_is_2_pow_17_ let hax_temp_output:Prims.unit = () <: Prims.unit in serialized -let serialize_when_gamma1_is_2_pow_19_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - = +let serialize_when_gamma1_is_2_pow_19_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) = let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (simd_unit <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -362,13 +312,9 @@ let serialize_when_gamma1_is_2_pow_19_ let hax_temp_output:Prims.unit = () <: Prims.unit in serialized -let serialize - (v_GAMMA1_EXPONENT: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - = +let serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) (gamma1_exponent: usize) = let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = - match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + match cast (gamma1_exponent <: usize) <: u8 with | 17uy -> serialize_when_gamma1_is_2_pow_17_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) | 19uy -> diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti index 635329f6a..0c419dc90 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti @@ -17,33 +17,20 @@ let serialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) - -val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val serialize_when_gamma1_is_2_pow_17_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) +val deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) (gamma1_exponent: usize) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_17_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val serialize_when_gamma1_is_2_pow_19_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) +val serialize_when_gamma1_is_2_pow_19_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val serialize - (v_GAMMA1_EXPONENT: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) +val serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) (gamma1_exponent: usize) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst index b9ecdb13c..115f600f7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst @@ -6,305 +6,213 @@ open FStar.Mul let change_t0_interval (t0: i32) = (1l <>! 5l in + let coefficient1:i32 = coefficient1 |. (byte2 <>! 2l in + let coefficient2:i32 = coefficient2 |. (byte4 <>! 7l in + let coefficient3:i32 = coefficient3 |. (byte5 <>! 4l in + let coefficient4:i32 = coefficient4 |. (byte7 <>! 1l in + let coefficient5:i32 = coefficient5 |. (byte9 <>! 6l in + let coefficient6:i32 = coefficient6 |. (byte10 <>! 3l in + let coefficient7:i32 = coefficient7 |. (byte12 <>! 8l <: i32) <: u8) in - let serialized:t_Array u8 (sz 13) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 1) ((serialized.[ sz 1 ] <: u8) |. (cast (coefficient1 <>! 3l <: i32) <: u8) in - let serialized:t_Array u8 (sz 13) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 3) (cast (coefficient1 >>! 11l <: i32) <: u8) in - let serialized:t_Array u8 (sz 13) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 3) ((serialized.[ sz 3 ] <: u8) |. (cast (coefficient2 <>! 6l <: i32) <: u8) in - let serialized:t_Array u8 (sz 13) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 4) ((serialized.[ sz 4 ] <: u8) |. (cast (coefficient3 <>! 1l <: i32) <: u8) in - let serialized:t_Array u8 (sz 13) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 6) (cast (coefficient3 >>! 9l <: i32) <: u8) in - let serialized:t_Array u8 (sz 13) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 6) ((serialized.[ sz 6 ] <: u8) |. (cast (coefficient4 <>! 4l <: i32) <: u8) in - let serialized:t_Array u8 (sz 13) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 8) (cast (coefficient4 >>! 12l <: i32) <: u8) in - let serialized:t_Array u8 (sz 13) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 8) ((serialized.[ sz 8 ] <: u8) |. (cast (coefficient5 <>! 7l <: i32) <: u8) in - let serialized:t_Array u8 (sz 13) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 9) ((serialized.[ sz 9 ] <: u8) |. (cast (coefficient6 <>! 2l <: i32) <: u8) in - let serialized:t_Array u8 (sz 13) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 11) (cast (coefficient6 >>! 10l <: i32) <: u8) in - let serialized:t_Array u8 (sz 13) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 11) ((serialized.[ sz 11 ] <: u8) |. (cast (coefficient7 <>! 5l <: i32) <: u8) in serialized - -let deserialize (serialized: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 13 <: bool) - in - () - in - let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in - let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in - let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in - let byte3:i32 = cast (serialized.[ sz 3 ] <: u8) <: i32 in - let byte4:i32 = cast (serialized.[ sz 4 ] <: u8) <: i32 in - let byte5:i32 = cast (serialized.[ sz 5 ] <: u8) <: i32 in - let byte6:i32 = cast (serialized.[ sz 6 ] <: u8) <: i32 in - let byte7:i32 = cast (serialized.[ sz 7 ] <: u8) <: i32 in - let byte8:i32 = cast (serialized.[ sz 8 ] <: u8) <: i32 in - let byte9:i32 = cast (serialized.[ sz 9 ] <: u8) <: i32 in - let byte10:i32 = cast (serialized.[ sz 10 ] <: u8) <: i32 in - let byte11:i32 = cast (serialized.[ sz 11 ] <: u8) <: i32 in - let byte12:i32 = cast (serialized.[ sz 12 ] <: u8) <: i32 in - let coefficient0:i32 = byte0 in - let coefficient0:i32 = coefficient0 |. (byte1 <>! 5l in - let coefficient1:i32 = coefficient1 |. (byte2 <>! 2l in - let coefficient2:i32 = coefficient2 |. (byte4 <>! 7l in - let coefficient3:i32 = coefficient3 |. (byte5 <>! 4l in - let coefficient4:i32 = coefficient4 |. (byte7 <>! 1l in - let coefficient5:i32 = coefficient5 |. (byte9 <>! 6l in - let coefficient6:i32 = coefficient6 |. (byte10 <>! 3l in - let coefficient7:i32 = coefficient7 |. (byte12 < Prims.l let deserialize__BITS_IN_LOWER_PART_OF_T_MASK: i32 = (1l < Prims.l_True) +val deserialize (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) -val deserialize (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) +val serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst index aab3acfcc..f04008433 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst @@ -3,7 +3,7 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 open Core open FStar.Mul -let deserialize (serialized: t_Slice u8) = +let deserialize (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) = let _:Prims.unit = if true then @@ -12,101 +12,74 @@ let deserialize (serialized: t_Slice u8) = in () in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () - in let mask:i32 = (1l < - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let simd_unit:t_Array i32 (sz 8) = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let simd_unit:t_Array i32 (sz 8) = simd_unit in let i, bytes:(usize & t_Slice u8) = temp_1_ in let byte0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in let byte1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in let byte2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in let byte3:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in let byte4:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4 *! i <: usize) - ((byte0 |. (byte1 <>! 2l <: i32) |. (byte2 <>! 2l <: i32) |. (byte2 <>! 4l <: i32) |. (byte3 <>! 4l <: i32) |. (byte3 <>! 6l <: i32) |. (byte4 <>! 6l <: i32) |. (byte4 < - let serialized:t_Array u8 (sz 10) = serialized in + let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in true) serialized (fun serialized temp_1_ -> - let serialized:t_Array u8 (sz 10) = serialized in + let serialized:t_Slice u8 = serialized in let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let serialized:t_Array u8 (sz 10) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 5 *! i <: usize) (cast ((coefficients.[ sz 0 ] <: i32) &. 255l <: i32) <: u8) in - let serialized:t_Array u8 (sz 10) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 5 *! i <: usize) +! sz 1 <: usize) (((cast ((coefficients.[ sz 1 ] <: i32) &. 63l <: i32) <: u8) <>! 2l <: i32) &. 255l <: i32) <: u8) in serialized) in + let hax_temp_output:Prims.unit = () <: Prims.unit in serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti index 0d94a5f30..9d31471bc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti @@ -3,10 +3,8 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 open Core open FStar.Mul -val deserialize (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) +val deserialize (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) -val serialize (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) +val serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst index e4d06be44..868d2a328 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst @@ -3,1013 +3,586 @@ module Libcrux_ml_dsa.Simd.Portable.Invntt open Core open FStar.Mul -let simd_unit_invert_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1 zeta2 zeta3: i32) - = - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta2 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta3 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit +let simd_unit_invert_ntt_at_layer_0_ (simd_unit: t_Array i32 (sz 8)) (zeta0 zeta1 zeta2 zeta3: i32) = + let a_minus_b:i32 = (simd_unit.[ sz 1 ] <: i32) -! (simd_unit.[ sz 0 ] <: i32) in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 0) + ((simd_unit.[ sz 0 ] <: i32) +! (simd_unit.[ sz 1 ] <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 1) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) + in + let a_minus_b:i32 = (simd_unit.[ sz 3 ] <: i32) -! (simd_unit.[ sz 2 ] <: i32) in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 2) + ((simd_unit.[ sz 2 ] <: i32) +! (simd_unit.[ sz 3 ] <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 3) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) + in + let a_minus_b:i32 = (simd_unit.[ sz 5 ] <: i32) -! (simd_unit.[ sz 4 ] <: i32) in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 4) + ((simd_unit.[ sz 4 ] <: i32) +! (simd_unit.[ sz 5 ] <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 5) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta2 <: i32) + in + let a_minus_b:i32 = (simd_unit.[ sz 7 ] <: i32) -! (simd_unit.[ sz 6 ] <: i32) in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 6) + ((simd_unit.[ sz 6 ] <: i32) +! (simd_unit.[ sz 7 ] <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta3 <: i32) in simd_unit let invert_ntt_at_layer_0___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta0 zeta1 zeta2 zeta3: i32) = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (simd_unit_invert_ntt_at_layer_0_ (re.[ index ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - zeta0 - zeta1 - zeta2 - zeta3 + (simd_unit_invert_ntt_at_layer_0_ (re.[ index ] <: t_Array i32 (sz 8)) zeta0 zeta1 zeta2 zeta3 <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in re -let invert_ntt_at_layer_0_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = +let invert_ntt_at_layer_0_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 0) 1976782l (-846154l) 1400424l 3937738l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 1) (-1362209l) (-48306l) 3919660l (-554416l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 2) (-3545687l) 1612842l (-976891l) 183443l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 3) (-2286327l) (-420899l) (-2235985l) (-2939036l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 4) (-3833893l) (-260646l) (-1104333l) (-1667432l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 5) 1910376l (-1803090l) 1723600l (-426683l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 6) 472078l 1717735l (-975884l) 2213111l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 7) 269760l 3866901l 3523897l (-3038916l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 8) (-1799107l) (-3694233l) 1652634l 810149l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 9) 3014001l 1616392l 162844l (-3183426l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 10) (-1207385l) 185531l 3369112l 1957272l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 11) (-164721l) 2454455l 2432395l (-2013608l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 12) (-3776993l) 594136l (-3724270l) (-2584293l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 13) (-1846953l) (-1671176l) (-2831860l) (-542412l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 14) 3406031l 2235880l 777191l 1500165l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 15) (-1374803l) (-2546312l) 1917081l (-1279661l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 16) (-1962642l) 3306115l 1312455l (-451100l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 17) (-1430225l) (-3318210l) 1237275l (-1333058l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 18) (-1050970l) 1903435l 1869119l (-2994039l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 19) (-3548272l) 2635921l 1250494l (-3767016l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 20) 1595974l 2486353l 1247620l 4055324l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 21) 1265009l (-2590150l) 2691481l 2842341l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 22) 203044l 1735879l (-3342277l) 3437287l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 23) 4108315l (-2437823l) 286988l 342297l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 24) (-3595838l) (-768622l) (-525098l) (-3556995l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 25) 3207046l 2031748l (-3122442l) (-655327l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 26) (-522500l) (-43260l) (-1613174l) 495491l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 27) 819034l 909542l 1859098l 900702l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 28) (-3193378l) (-1197226l) (-3759364l) (-3520352l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 29) 3513181l (-1235728l) 2434439l 266997l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 30) (-3562462l) (-2446433l) 2244091l (-3342478l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0___round re (sz 31) 3817976l 2316500l 3407706l 2091667l in re -let simd_unit_invert_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1: i32) - = - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit +let simd_unit_invert_ntt_at_layer_1_ (simd_unit: t_Array i32 (sz 8)) (zeta0 zeta1: i32) = + let a_minus_b:i32 = (simd_unit.[ sz 2 ] <: i32) -! (simd_unit.[ sz 0 ] <: i32) in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 0) + ((simd_unit.[ sz 0 ] <: i32) +! (simd_unit.[ sz 2 ] <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 2) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) + in + let a_minus_b:i32 = (simd_unit.[ sz 3 ] <: i32) -! (simd_unit.[ sz 1 ] <: i32) in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 1) + ((simd_unit.[ sz 1 ] <: i32) +! (simd_unit.[ sz 3 ] <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 3) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) + in + let a_minus_b:i32 = (simd_unit.[ sz 6 ] <: i32) -! (simd_unit.[ sz 4 ] <: i32) in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 4) + ((simd_unit.[ sz 4 ] <: i32) +! (simd_unit.[ sz 6 ] <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 6) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) + in + let a_minus_b:i32 = (simd_unit.[ sz 7 ] <: i32) -! (simd_unit.[ sz 5 ] <: i32) in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 5) + ((simd_unit.[ sz 5 ] <: i32) +! (simd_unit.[ sz 7 ] <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) in simd_unit let invert_ntt_at_layer_1___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta_00_ zeta_01_: i32) = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (simd_unit_invert_ntt_at_layer_1_ (re.[ index ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - zeta_00_ - zeta_01_ + (simd_unit_invert_ntt_at_layer_1_ (re.[ index ] <: t_Array i32 (sz 8)) zeta_00_ zeta_01_ <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in re -let invert_ntt_at_layer_1_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = +let invert_ntt_at_layer_1_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 0) 3839961l (-3628969l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 1) (-3881060l) (-3019102l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 2) (-1439742l) (-812732l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 3) (-1584928l) 1285669l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 4) 1341330l 1315589l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 5) (-177440l) (-2409325l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 6) (-1851402l) 3159746l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 7) (-3553272l) 189548l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 8) (-1316856l) 759969l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 9) (-210977l) 2389356l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 10) (-3249728l) 1653064l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 11) (-8578l) (-3724342l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 12) 3958618l 904516l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 13) (-1100098l) 44288l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 14) 3097992l 508951l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 15) 264944l (-3343383l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 16) (-1430430l) 1852771l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 17) 1349076l (-381987l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 18) (-1308169l) (-22981l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 19) (-1228525l) (-671102l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 20) (-2477047l) (-411027l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 21) (-3693493l) (-2967645l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 22) 2715295l 2147896l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 23) (-983419l) 3412210l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 24) 126922l (-3632928l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 25) (-3157330l) (-3190144l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 26) (-1000202l) (-4083598l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 27) 1939314l (-1257611l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 28) (-1585221l) 2176455l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 29) 3475950l (-1452451l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 30) (-3041255l) (-3677745l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1___round re (sz 31) (-1528703l) (-3930395l) in re -let simd_unit_invert_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta: i32) - = - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 - ) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 - ) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 - ) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 - ) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit +let simd_unit_invert_ntt_at_layer_2_ (simd_unit: t_Array i32 (sz 8)) (zeta: i32) = + let a_minus_b:i32 = (simd_unit.[ sz 4 ] <: i32) -! (simd_unit.[ sz 0 ] <: i32) in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 0) + ((simd_unit.[ sz 0 ] <: i32) +! (simd_unit.[ sz 4 ] <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 4) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) + in + let a_minus_b:i32 = (simd_unit.[ sz 5 ] <: i32) -! (simd_unit.[ sz 1 ] <: i32) in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 1) + ((simd_unit.[ sz 1 ] <: i32) +! (simd_unit.[ sz 5 ] <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 5) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) + in + let a_minus_b:i32 = (simd_unit.[ sz 6 ] <: i32) -! (simd_unit.[ sz 2 ] <: i32) in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 2) + ((simd_unit.[ sz 2 ] <: i32) +! (simd_unit.[ sz 6 ] <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 6) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) + in + let a_minus_b:i32 = (simd_unit.[ sz 7 ] <: i32) -! (simd_unit.[ sz 3 ] <: i32) in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 3) + ((simd_unit.[ sz 3 ] <: i32) +! (simd_unit.[ sz 7 ] <: i32) <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) in simd_unit let invert_ntt_at_layer_2___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta1: i32) = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (simd_unit_invert_ntt_at_layer_2_ (re.[ index ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - zeta1 + (simd_unit_invert_ntt_at_layer_2_ (re.[ index ] <: t_Array i32 (sz 8)) zeta1 <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in re -let invert_ntt_at_layer_2_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = +let invert_ntt_at_layer_2_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 0) (-2797779l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 1) 2071892l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 1) 2071892l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 2) (-2556880l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 3) 3900724l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 4) 3881043l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 5) 954230l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 6) 531354l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 7) 811944l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 8) 3699596l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 3) 3900724l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 4) 3881043l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 5) 954230l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 6) 531354l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 7) 811944l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 8) 3699596l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 9) (-1600420l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 10) (-2140649l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 11) 3507263l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 11) 3507263l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 12) (-3821735l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 13) 3505694l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 13) 3505694l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 14) (-1643818l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 15) (-1699267l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 16) (-539299l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 17) 2348700l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 17) 2348700l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 18) (-300467l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 19) 3539968l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 19) 3539968l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 20) (-2867647l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 21) 3574422l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 21) 3574422l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 22) (-3043716l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 23) (-3861115l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 24) 3915439l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 24) 3915439l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 25) (-2537516l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 26) (-3592148l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 27) (-1661693l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 28) 3530437l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 29) 3077325l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 30) 95776l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2___round re (sz 31) 2706023l - in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 28) 3530437l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 29) 3077325l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 30) 95776l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 31) 2706023l in re let outer_3_plus (v_OFFSET v_STEP_BY: usize) (v_ZETA: i32) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Folds.fold_range v_OFFSET (v_OFFSET +! v_STEP_BY <: usize) (fun re temp_1_ -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = re in let _:usize = temp_1_ in true) re (fun re j -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = re in let j:usize = j in - let a_minus_b:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j +! v_STEP_BY <: usize ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (re.[ j ] <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + let rejs:t_Array i32 (sz 8) = + Core.Clone.f_clone #(t_Array i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (re.[ j +! v_STEP_BY <: usize ] <: t_Array i32 (sz 8)) + in + let a_minus_b:t_Array i32 (sz 8) = + Core.Clone.f_clone #(t_Array i32 (sz 8)) #FStar.Tactics.Typeclasses.solve rejs + in + let a_minus_b:t_Array i32 (sz 8) = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract a_minus_b + (re.[ j ] <: t_Array i32 (sz 8)) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re j - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (re.[ j +! v_STEP_BY <: usize ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] <: t_Array i32 (sz 8)) rejs <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) + in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! v_STEP_BY <: usize) + a_minus_b in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! v_STEP_BY <: usize) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant a_minus_b + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ j +! + v_STEP_BY + <: + usize ] + <: + t_Array i32 (sz 8)) v_ZETA <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in re) in let hax_temp_output:Prims.unit = () <: Prims.unit in re -let invert_ntt_at_layer_3_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 0) (sz 1) 280005l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 2) (sz 1) 4010497l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 4) (sz 1) (-19422l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 6) (sz 1) 1757237l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 8) (sz 1) (-3277672l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 10) (sz 1) (-1399561l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 12) (sz 1) (-3859737l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 14) (sz 1) (-2118186l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 16) (sz 1) (-2108549l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 18) (sz 1) 2619752l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 20) (sz 1) (-1119584l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 22) (sz 1) (-549488l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 24) (sz 1) 3585928l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 26) (sz 1) (-1079900l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 28) (sz 1) 1024112l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 30) (sz 1) 2725464l re - in +let invert_ntt_at_layer_3_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 1) 280005l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 2) (sz 1) 4010497l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 4) (sz 1) (-19422l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 6) (sz 1) 1757237l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 8) (sz 1) (-3277672l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 10) (sz 1) (-1399561l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 12) (sz 1) (-3859737l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 14) (sz 1) (-2118186l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 1) (-2108549l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 18) (sz 1) 2619752l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 20) (sz 1) (-1119584l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 22) (sz 1) (-549488l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 24) (sz 1) 3585928l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 26) (sz 1) (-1079900l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 28) (sz 1) 1024112l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 30) (sz 1) 2725464l re in re -let invert_ntt_at_layer_4_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 0) (sz 2) 2680103l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 4) (sz 2) 3111497l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 8) (sz 2) (-2884855l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 12) (sz 2) 3119733l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 16) (sz 2) (-2091905l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 20) (sz 2) (-359251l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 24) (sz 2) 2353451l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 28) (sz 2) 1826347l re - in +let invert_ntt_at_layer_4_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 2) 2680103l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 4) (sz 2) 3111497l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 8) (sz 2) (-2884855l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 12) (sz 2) 3119733l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 2) (-2091905l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 20) (sz 2) (-359251l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 24) (sz 2) 2353451l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 28) (sz 2) 1826347l re in re -let invert_ntt_at_layer_5_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 0) (sz 4) 466468l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 8) (sz 4) (-876248l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 16) (sz 4) (-777960l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 24) (sz 4) 237124l re - in +let invert_ntt_at_layer_5_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 4) 466468l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 8) (sz 4) (-876248l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 4) (-777960l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 24) (sz 4) 237124l re in re -let invert_ntt_at_layer_6_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 0) (sz 8) (-518909l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 16) (sz 8) (-2608894l) re - in +let invert_ntt_at_layer_6_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 8) (-518909l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 8) (-2608894l) re in re -let invert_ntt_at_layer_7_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 0) (sz 16) 25847l re - in +let invert_ntt_at_layer_7_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 16) 25847l re in re -let invert_ntt_montgomery - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_0_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_1_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_2_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_3_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_4_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_5_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_6_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - invert_ntt_at_layer_7_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = +let invert_ntt_montgomery (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_3_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_4_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_5_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_6_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_7_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) + (Core.Slice.impl__len #(t_Array i32 (sz 8)) (re <: t_Slice (t_Array i32 (sz 8))) <: usize) (fun re temp_1_ -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = re in let _:usize = temp_1_ in true) re (fun re i -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = re in let i:usize = i in Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re i (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ i ] <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) 41978l <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) <: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + t_Array (t_Array i32 (sz 8)) (sz 32)) in + let hax_temp_output:Prims.unit = () <: Prims.unit in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti index 341dd3468..6a4a2fd5d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti @@ -23,109 +23,62 @@ let invert_ntt_at_layer_7___STEP: usize = sz 128 let invert_ntt_at_layer_7___STEP_BY: usize = sz 16 -val simd_unit_invert_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) +val simd_unit_invert_ntt_at_layer_0_ (simd_unit: t_Array i32 (sz 8)) (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_at_layer_0___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_0_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val simd_unit_invert_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_0_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val simd_unit_invert_ntt_at_layer_1_ (simd_unit: t_Array i32 (sz 8)) (zeta0 zeta1: i32) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_at_layer_1___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta_00_ zeta_01_: i32) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_1_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val simd_unit_invert_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val simd_unit_invert_ntt_at_layer_2_ (simd_unit: t_Array i32 (sz 8)) (zeta: i32) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_at_layer_2___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta1: i32) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_2_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) +val invert_ntt_at_layer_2_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val outer_3_plus (v_OFFSET v_STEP_BY: usize) (v_ZETA: i32) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_3_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_4_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_5_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_6_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_7_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val invert_ntt_montgomery - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_3_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_4_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_5_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_6_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_7_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_montgomery (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst index 6e1832690..568d9ac0a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst @@ -3,1017 +3,568 @@ module Libcrux_ml_dsa.Simd.Portable.Ntt open Core open FStar.Mul -let simd_unit_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1 zeta2 zeta3: i32) - = +let simd_unit_ntt_at_layer_0_ (simd_unit: t_Array i32 (sz 8)) (zeta0 zeta1 zeta2 zeta3: i32) = let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] - <: - i32) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 1 ] <: i32 + ) zeta0 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 1) + ((simd_unit.[ sz 0 ] <: i32) -! t <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 0) + ((simd_unit.[ sz 0 ] <: i32) +! t <: i32) in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] - <: - i32) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 3 ] <: i32 + ) zeta1 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 3) + ((simd_unit.[ sz 2 ] <: i32) -! t <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 2) + ((simd_unit.[ sz 2 ] <: i32) +! t <: i32) in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] - <: - i32) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 5 ] <: i32 + ) zeta2 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 5) + ((simd_unit.[ sz 4 ] <: i32) -! t <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 4) + ((simd_unit.[ sz 4 ] <: i32) +! t <: i32) in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] - <: - i32) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 7 ] <: i32 + ) zeta3 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 7) + ((simd_unit.[ sz 6 ] <: i32) -! t <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 6) + ((simd_unit.[ sz 6 ] <: i32) +! t <: i32) in simd_unit let ntt_at_layer_0___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (simd_unit_ntt_at_layer_0_ (re.[ index ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (simd_unit_ntt_at_layer_0_ (re.[ index ] <: t_Array i32 (sz 8)) zeta_0_ zeta_1_ zeta_2_ zeta_3_ <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in re -let ntt_at_layer_0_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = +let ntt_at_layer_0_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 1) (-3342478l) 2244091l (-2446433l) (-3562462l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 3) (-3520352l) (-3759364l) (-1197226l) (-3193378l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 5) 495491l (-1613174l) (-43260l) (-522500l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 7) (-3556995l) (-525098l) (-768622l) (-3595838l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 9) 3437287l (-3342277l) 1735879l 203044l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 11) 4055324l 1247620l 2486353l 1595974l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 13) (-2994039l) 1869119l 1903435l (-1050970l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 15) (-451100l) 1312455l 3306115l (-1962642l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 17) 1500165l 777191l 2235880l 3406031l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 19) (-2584293l) (-3724270l) 594136l (-3776993l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 21) 1957272l 3369112l 185531l (-1207385l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 23) 810149l 1652634l (-3694233l) (-1799107l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 25) 2213111l (-975884l) 1717735l 472078l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 27) (-1667432l) (-1104333l) (-260646l) (-3833893l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 29) 183443l (-976891l) 1612842l (-3545687l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0___round re (sz 31) 3937738l 1400424l (-846154l) 1976782l in re -let simd_unit_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta1 zeta2: i32) - = +let simd_unit_ntt_at_layer_1_ (simd_unit: t_Array i32 (sz 8)) (zeta1 zeta2: i32) = let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] - <: - i32) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 2 ] <: i32 + ) zeta1 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 2) + ((simd_unit.[ sz 0 ] <: i32) -! t <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 0) + ((simd_unit.[ sz 0 ] <: i32) +! t <: i32) in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] - <: - i32) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 3 ] <: i32 + ) zeta1 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 3) + ((simd_unit.[ sz 1 ] <: i32) -! t <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 1) + ((simd_unit.[ sz 1 ] <: i32) +! t <: i32) in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] - <: - i32) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 6 ] <: i32 + ) zeta2 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 6) + ((simd_unit.[ sz 4 ] <: i32) -! t <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 4) + ((simd_unit.[ sz 4 ] <: i32) +! t <: i32) in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] - <: - i32) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 7 ] <: i32 + ) zeta2 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 7) + ((simd_unit.[ sz 5 ] <: i32) -! t <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 5) + ((simd_unit.[ sz 5 ] <: i32) +! t <: i32) in simd_unit let ntt_at_layer_1___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta_0_ zeta_1_: i32) = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (simd_unit_ntt_at_layer_1_ (re.[ index ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - zeta_0_ - zeta_1_ + (simd_unit_ntt_at_layer_1_ (re.[ index ] <: t_Array i32 (sz 8)) zeta_0_ zeta_1_ <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in re -let ntt_at_layer_1_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = +let ntt_at_layer_1_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 1) (-3677745l) (-3041255l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 3) 2176455l (-1585221l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 5) (-4083598l) (-1000202l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 7) (-3632928l) 126922l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 8) 3412210l (-983419l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 9) 2147896l 2715295l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 11) (-411027l) (-2477047l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 13) (-22981l) (-1308169l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 15) 1852771l (-1430430l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 17) 508951l 3097992l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 18) 44288l (-1100098l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 19) 904516l 3958618l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 21) 1653064l (-3249728l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 22) 2389356l (-210977l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 23) 759969l (-1316856l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 24) 189548l (-3553272l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 25) 3159746l (-1851402l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 27) 1315589l 1341330l in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 29) (-812732l) (-1439742l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1___round re (sz 31) (-3628969l) 3839961l in re -let simd_unit_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta: i32) - = +let simd_unit_ntt_at_layer_2_ (simd_unit: t_Array i32 (sz 8)) (zeta: i32) = let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] - <: - i32) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 4 ] <: i32 + ) zeta in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 4) + ((simd_unit.[ sz 0 ] <: i32) -! t <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 0) + ((simd_unit.[ sz 0 ] <: i32) +! t <: i32) in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] - <: - i32) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 5 ] <: i32 + ) zeta in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 5) + ((simd_unit.[ sz 1 ] <: i32) -! t <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 1) + ((simd_unit.[ sz 1 ] <: i32) +! t <: i32) in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] - <: - i32) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 6 ] <: i32 + ) zeta in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 6) + ((simd_unit.[ sz 2 ] <: i32) -! t <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 2) + ((simd_unit.[ sz 2 ] <: i32) +! t <: i32) in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] - <: - i32) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 7 ] <: i32 + ) zeta in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 7) + ((simd_unit.[ sz 3 ] <: i32) -! t <: i32) + in + let simd_unit:t_Array i32 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + (sz 3) + ((simd_unit.[ sz 3 ] <: i32) +! t <: i32) in simd_unit -let ntt_at_layer_2___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - (index: usize) - (zeta: i32) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = +let ntt_at_layer_2___round (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta: i32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (simd_unit_ntt_at_layer_2_ (re.[ index ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - zeta - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (simd_unit_ntt_at_layer_2_ (re.[ index ] <: t_Array i32 (sz 8)) zeta <: t_Array i32 (sz 8)) in re -let ntt_at_layer_2_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 0) 2706023l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 1) 95776l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 2) 3077325l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 3) 3530437l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 4) (-1661693l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 5) (-3592148l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 6) (-2537516l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 7) 3915439l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 8) (-3861115l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 9) (-3043716l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 10) 3574422l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 11) (-2867647l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 12) 3539968l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 13) (-300467l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 14) 2348700l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 15) (-539299l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 16) (-1699267l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 17) (-1643818l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 18) 3505694l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 19) (-3821735l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 20) 3507263l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 21) (-2140649l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 22) (-1600420l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 23) 3699596l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 24) 811944l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 25) 531354l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 26) 954230l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 27) 3881043l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 28) 3900724l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 29) (-2556880l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 30) 2071892l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2___round re (sz 31) (-2797779l) - in +let ntt_at_layer_2_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 0) 2706023l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 1) 95776l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 2) 3077325l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 3) 3530437l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 4) (-1661693l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 5) (-3592148l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 6) (-2537516l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 7) 3915439l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 8) (-3861115l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 9) (-3043716l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 10) 3574422l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 11) (-2867647l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 12) 3539968l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 13) (-300467l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 14) 2348700l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 15) (-539299l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 16) (-1699267l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 17) (-1643818l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 18) 3505694l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 19) (-3821735l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 20) 3507263l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 21) (-2140649l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 22) (-1600420l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 23) 3699596l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 24) 811944l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 25) 531354l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 26) 954230l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 27) 3881043l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 28) 3900724l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 29) (-2556880l) in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 30) 2071892l in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 31) (-2797779l) in re let outer_3_plus (v_OFFSET v_STEP_BY: usize) (v_ZETA: i32) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Folds.fold_range v_OFFSET (v_OFFSET +! v_STEP_BY <: usize) (fun re temp_1_ -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = re in let _:usize = temp_1_ in true) re (fun re j -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = re in let j:usize = j in - let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ j +! - v_STEP_BY - <: - usize ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - v_ZETA + let tmp:t_Array i32 (sz 8) = re.[ j +! v_STEP_BY <: usize ] in + let tmp:t_Array i32 (sz 8) = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant tmp v_ZETA in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! v_STEP_BY <: usize) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j ] + (re.[ j ] <: t_Array i32 (sz 8)) + in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! v_STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j +! v_STEP_BY <: usize ] <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - t + t_Array i32 (sz 8)) + tmp <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re j - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - t + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] <: t_Array i32 (sz 8)) tmp <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t_Array i32 (sz 8)) in re) in let hax_temp_output:Prims.unit = () <: Prims.unit in re -let ntt_at_layer_3_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 0) (sz 1) 2725464l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 2) (sz 1) 1024112l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 4) (sz 1) (-1079900l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 6) (sz 1) 3585928l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 8) (sz 1) (-549488l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 10) (sz 1) (-1119584l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 12) (sz 1) 2619752l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 14) (sz 1) (-2108549l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 16) (sz 1) (-2118186l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 18) (sz 1) (-3859737l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 20) (sz 1) (-1399561l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 22) (sz 1) (-3277672l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 24) (sz 1) 1757237l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 26) (sz 1) (-19422l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 28) (sz 1) 4010497l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 30) (sz 1) 280005l re - in +let ntt_at_layer_3_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 1) 2725464l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 2) (sz 1) 1024112l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 4) (sz 1) (-1079900l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 6) (sz 1) 3585928l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 8) (sz 1) (-549488l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 10) (sz 1) (-1119584l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 12) (sz 1) 2619752l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 14) (sz 1) (-2108549l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 1) (-2118186l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 18) (sz 1) (-3859737l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 20) (sz 1) (-1399561l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 22) (sz 1) (-3277672l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 24) (sz 1) 1757237l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 26) (sz 1) (-19422l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 28) (sz 1) 4010497l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 30) (sz 1) 280005l re in re -let ntt_at_layer_4_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 0) (sz 2) 1826347l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 4) (sz 2) 2353451l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 8) (sz 2) (-359251l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 12) (sz 2) (-2091905l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 16) (sz 2) 3119733l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 20) (sz 2) (-2884855l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 24) (sz 2) 3111497l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 28) (sz 2) 2680103l re - in +let ntt_at_layer_4_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 2) 1826347l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 4) (sz 2) 2353451l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 8) (sz 2) (-359251l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 12) (sz 2) (-2091905l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 2) 3119733l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 20) (sz 2) (-2884855l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 24) (sz 2) 3111497l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 28) (sz 2) 2680103l re in re -let ntt_at_layer_5_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 0) (sz 4) 237124l re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 8) (sz 4) (-777960l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 16) (sz 4) (-876248l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 24) (sz 4) 466468l re - in +let ntt_at_layer_5_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 4) 237124l re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 8) (sz 4) (-777960l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 4) (-876248l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 24) (sz 4) 466468l re in re -let ntt_at_layer_6_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 0) (sz 8) (-2608894l) re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 16) (sz 8) (-518909l) re - in +let ntt_at_layer_6_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 8) (-2608894l) re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 8) (-518909l) re in re -let ntt_at_layer_7_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - outer_3_plus (sz 0) (sz 16) 25847l re - in +let ntt_at_layer_7_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 16) 25847l re in re -let ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_7_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_6_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_5_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_4_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_3_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_2_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_1_ re - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - ntt_at_layer_0_ re - in +let ntt (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_7_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_6_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_5_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_4_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_3_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1_ re in + let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0_ re in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti index 08682c48d..350089b14 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti @@ -23,108 +23,59 @@ let ntt_at_layer_7___STEP: usize = sz 128 let ntt_at_layer_7___STEP_BY: usize = sz 16 -val simd_unit_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) +val simd_unit_ntt_at_layer_0_ (simd_unit: t_Array i32 (sz 8)) (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) val ntt_at_layer_0___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_0_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val simd_unit_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta1 zeta2: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_0_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_1_ (simd_unit: t_Array i32 (sz 8)) (zeta1 zeta2: i32) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) val ntt_at_layer_1___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta_0_ zeta_1_: i32) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_1_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val simd_unit_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_2___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - (index: usize) - (zeta: i32) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_1_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_2_ (simd_unit: t_Array i32 (sz 8)) (zeta: i32) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_2___round (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta: i32) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_2_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) +val ntt_at_layer_2_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val outer_3_plus (v_OFFSET v_STEP_BY: usize) (v_ZETA: i32) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_3_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_4_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_5_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_6_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_7_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) + (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_3_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_4_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_5_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_6_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_7_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst index cf5cb8df2..81ce54423 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst @@ -3,28 +3,6 @@ module Libcrux_ml_dsa.Simd.Portable.Vector_type open Core open FStar.Mul -let from_coefficient_array (array: t_Slice i32) = - { - f_coefficients - = - Core.Result.impl__unwrap #(t_Array i32 (sz 8)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice i32) - #(t_Array i32 (sz 8)) - #FStar.Tactics.Typeclasses.solve - (array.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i32) - <: - Core.Result.t_Result (t_Array i32 (sz 8)) Core.Array.t_TryFromSliceError) - } - <: - t_PortableSIMDUnit - -let to_coefficient_array (x: t_PortableSIMDUnit) = x.f_coefficients - [@@ FStar.Tactics.Typeclasses.tcinstance] assume val impl': Core.Clone.t_Clone t_PortableSIMDUnit @@ -37,5 +15,26 @@ val impl_1': Core.Marker.t_Copy t_PortableSIMDUnit let impl_1 = impl_1' -let v_ZERO (_: Prims.unit) = - { f_coefficients = Rust_primitives.Hax.repeat 0l (sz 8) } <: t_PortableSIMDUnit +let zero (_: Prims.unit) = Rust_primitives.Hax.repeat 0l (sz 8) + +let from_coefficient_array (array: t_Slice i32) (out: t_Array i32 (sz 8)) = + let hax_temp_output, out:(Prims.unit & t_Array i32 (sz 8)) = + (), + Core.Slice.impl__copy_from_slice #i32 + out + (array.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + <: + (Prims.unit & t_Array i32 (sz 8)) + in + out + +let to_coefficient_array (value: t_Array i32 (sz 8)) (out: t_Slice i32) = + let out:t_Slice i32 = Core.Slice.impl__copy_from_slice #i32 out (value <: t_Slice i32) in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti index f30200b21..688159e96 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti @@ -3,13 +3,7 @@ module Libcrux_ml_dsa.Simd.Portable.Vector_type open Core open FStar.Mul -type t_PortableSIMDUnit = { f_coefficients:t_Array i32 (sz 8) } - -val from_coefficient_array (array: t_Slice i32) - : Prims.Pure t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) - -val to_coefficient_array (x: t_PortableSIMDUnit) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) +type t_PortableSIMDUnit = | PortableSIMDUnit : t_PortableSIMDUnit [@@ FStar.Tactics.Typeclasses.tcinstance] val impl:Core.Clone.t_Clone t_PortableSIMDUnit @@ -17,4 +11,10 @@ val impl:Core.Clone.t_Clone t_PortableSIMDUnit [@@ FStar.Tactics.Typeclasses.tcinstance] val impl_1:Core.Marker.t_Copy t_PortableSIMDUnit -val v_ZERO: Prims.unit -> Prims.Pure t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) +val zero: Prims.unit -> Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val from_coefficient_array (array: t_Slice i32) (out: t_Array i32 (sz 8)) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val to_coefficient_array (value: t_Array i32 (sz 8)) (out: t_Slice i32) + : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst deleted file mode 100644 index a997fecc8..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst +++ /dev/null @@ -1,486 +0,0 @@ -module Libcrux_ml_dsa.Simd.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Portable.Vector_type in - () - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations -Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - f_ZERO_pre = (fun (_: Prims.unit) -> true); - f_ZERO_post - = - (fun (_: Prims.unit) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); - f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO ()); - f_from_coefficient_array_pre = (fun (array: t_Slice i32) -> true); - f_from_coefficient_array_post - = - (fun (array: t_Slice i32) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - true); - f_from_coefficient_array - = - (fun (array: t_Slice i32) -> - Libcrux_ml_dsa.Simd.Portable.Vector_type.from_coefficient_array array); - f_to_coefficient_array_pre - = - (fun (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); - f_to_coefficient_array_post - = - (fun - (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: t_Array i32 (sz 8)) - -> - true); - f_to_coefficient_array - = - (fun (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Vector_type.to_coefficient_array self); - f_add_pre - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_add_post - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_add - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.add lhs rhs); - f_subtract_pre - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_subtract_post - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_subtract - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract lhs rhs); - f_montgomery_multiply_pre - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_montgomery_multiply_post - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_montgomery_multiply - = - (fun - (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply lhs rhs); - f_shift_left_then_reduce_pre - = - (fun - (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_shift_left_then_reduce_post - = - (fun - (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_shift_left_then_reduce - = - (fun - (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit); - f_power2round_pre - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); - f_power2round_post - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - -> - true); - f_power2round - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.power2round simd_unit); - f_infinity_norm_exceeds_pre - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (bound: i32) -> - true); - f_infinity_norm_exceeds_post - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (bound: i32) - (out: bool) - -> - true); - f_infinity_norm_exceeds - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (bound: i32) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.infinity_norm_exceeds simd_unit bound); - f_decompose_pre - = - (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - true); - f_decompose_post - = - (fun - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - -> - true); - f_decompose - = - (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.decompose v_GAMMA2 simd_unit); - f_compute_hint_pre - = - (fun - (v_GAMMA2: i32) - (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_compute_hint_post - = - (fun - (v_GAMMA2: i32) - (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - -> - true); - f_compute_hint - = - (fun - (v_GAMMA2: i32) - (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high); - f_use_hint_pre - = - (fun - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_use_hint_post - = - (fun - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_use_hint - = - (fun - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint v_GAMMA2 simd_unit hint); - f_rejection_sample_less_than_field_modulus_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_field_modulus_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_field_modulus - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_field_modulus randomness - out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_rejection_sample_less_than_eta_equals_2_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_eta_equals_2_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_eta_equals_2_ - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_2_ randomness - out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_rejection_sample_less_than_eta_equals_4_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_eta_equals_4_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_eta_equals_4_ - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_4_ randomness - out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_gamma1_serialize_pre - = - (fun - (v_GAMMA1_EXPONENT: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - -> - true); - f_gamma1_serialize_post - = - (fun - (v_GAMMA1_EXPONENT: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - (out: t_Slice u8) - -> - true); - f_gamma1_serialize - = - (fun - (v_GAMMA1_EXPONENT: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - -> - let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = - (), - Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize v_GAMMA1_EXPONENT - simd_unit - serialized - <: - (Prims.unit & t_Slice u8) - in - serialized); - f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); - f_gamma1_deserialize_post - = - (fun - (v_GAMMA1_EXPONENT: usize) - (serialized: t_Slice u8) - (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_gamma1_deserialize - = - (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized); - f_commitment_serialize_pre - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - -> - true); - f_commitment_serialize_post - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - (out: t_Slice u8) - -> - true); - f_commitment_serialize - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - -> - let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = - (), Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize simd_unit serialized - <: - (Prims.unit & t_Slice u8) - in - serialized); - f_error_serialize_pre - = - (fun - (v_ETA: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - -> - true); - f_error_serialize_post - = - (fun - (v_ETA: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - (out: t_Slice u8) - -> - true); - f_error_serialize - = - (fun - (v_ETA: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (serialized: t_Slice u8) - -> - let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = - (), Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_ETA simd_unit serialized - <: - (Prims.unit & t_Slice u8) - in - serialized); - f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); - f_error_deserialize_post - = - (fun - (v_ETA: usize) - (serialized: t_Slice u8) - (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_error_deserialize - = - (fun (v_ETA: usize) (serialized: t_Slice u8) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Error.deserialize v_ETA serialized); - f_t0_serialize_pre - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); - f_t0_serialize_post - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: t_Array u8 (sz 13)) - -> - true); - f_t0_serialize - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.T0.serialize simd_unit); - f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); - f_t0_deserialize_post - = - (fun - (serialized: t_Slice u8) - (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_t0_deserialize - = - (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T0.deserialize serialized - ); - f_t1_serialize_pre - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); - f_t1_serialize_post - = - (fun - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: t_Array u8 (sz 10)) - -> - true); - f_t1_serialize - = - (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.T1.serialize simd_unit); - f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); - f_t1_deserialize_post - = - (fun - (serialized: t_Slice u8) - (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -> - true); - f_t1_deserialize - = - (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T1.deserialize serialized - ); - f_ntt_pre - = - (fun - (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - -> - true); - f_ntt_post - = - (fun - (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - (out: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - -> - true); - f_ntt - = - (fun - (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - -> - Libcrux_ml_dsa.Simd.Portable.Ntt.ntt simd_units); - f_invert_ntt_montgomery_pre - = - (fun - (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - -> - true); - f_invert_ntt_montgomery_post - = - (fun - (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - (out: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - -> - true); - f_invert_ntt_montgomery - = - fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) -> - Libcrux_ml_dsa.Simd.Portable.Invntt.invert_ntt_montgomery simd_units - } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti index c3bcf3d6d..561061007 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti @@ -10,5 +10,451 @@ let _ = () [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Libcrux_ml_dsa.Simd.Traits.t_Operations -Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit +let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations +Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; + _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; + f_Coefficient = t_Array i32 (sz 8); + f_Coefficient_11316922548682728705 = FStar.Tactics.Typeclasses.solve; + f_zero_pre = (fun (_: Prims.unit) -> true); + f_zero_post = (fun (_: Prims.unit) (out: t_Array i32 (sz 8)) -> true); + f_zero = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Portable.Vector_type.zero ()); + f_from_coefficient_array_pre = (fun (array: t_Slice i32) (out: t_Array i32 (sz 8)) -> true); + f_from_coefficient_array_post + = + (fun (array: t_Slice i32) (out: t_Array i32 (sz 8)) (out1: t_Array i32 (sz 8)) -> true); + f_from_coefficient_array + = + (fun (array: t_Slice i32) (out: t_Array i32 (sz 8)) -> + let hax_temp_output, out:(Prims.unit & t_Array i32 (sz 8)) = + (), Libcrux_ml_dsa.Simd.Portable.Vector_type.from_coefficient_array array out + <: + (Prims.unit & t_Array i32 (sz 8)) + in + out); + f_to_coefficient_array_pre = (fun (value: t_Array i32 (sz 8)) (out: t_Slice i32) -> true); + f_to_coefficient_array_post + = + (fun (value: t_Array i32 (sz 8)) (out: t_Slice i32) (out1: t_Slice i32) -> true); + f_to_coefficient_array + = + (fun (value: t_Array i32 (sz 8)) (out: t_Slice i32) -> + let hax_temp_output, out:(Prims.unit & t_Slice i32) = + (), Libcrux_ml_dsa.Simd.Portable.Vector_type.to_coefficient_array value out + <: + (Prims.unit & t_Slice i32) + in + out); + f_add_pre = (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) -> true); + f_add_post + = + (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) (out: t_Array i32 (sz 8)) -> true); + f_add + = + (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) -> + let hax_temp_output, lhs:(Prims.unit & t_Array i32 (sz 8)) = + (), Libcrux_ml_dsa.Simd.Portable.Arithmetic.add lhs rhs + <: + (Prims.unit & t_Array i32 (sz 8)) + in + lhs); + f_subtract_pre = (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) -> true); + f_subtract_post + = + (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) (out: t_Array i32 (sz 8)) -> true); + f_subtract + = + (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) -> + let hax_temp_output, lhs:(Prims.unit & t_Array i32 (sz 8)) = + (), Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract lhs rhs + <: + (Prims.unit & t_Array i32 (sz 8)) + in + lhs); + f_montgomery_multiply_pre = (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) -> true); + f_montgomery_multiply_post + = + (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) (out: t_Array i32 (sz 8)) -> true); + f_montgomery_multiply + = + (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) -> + let lhs:t_Array i32 (sz 8) = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply lhs rhs + in + lhs); + f_shift_left_then_reduce_pre = (fun (v_SHIFT_BY: i32) (simd_unit: t_Array i32 (sz 8)) -> true); + f_shift_left_then_reduce_post + = + (fun (v_SHIFT_BY: i32) (simd_unit: t_Array i32 (sz 8)) (out: t_Array i32 (sz 8)) -> true); + f_shift_left_then_reduce + = + (fun (v_SHIFT_BY: i32) (simd_unit: t_Array i32 (sz 8)) -> + let simd_unit:t_Array i32 (sz 8) = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit + in + simd_unit); + f_power2round_pre = (fun (t0: t_Array i32 (sz 8)) (t1: t_Array i32 (sz 8)) -> true); + f_power2round_post + = + (fun + (t0: t_Array i32 (sz 8)) + (t1: t_Array i32 (sz 8)) + (out: (t_Array i32 (sz 8) & t_Array i32 (sz 8))) + -> + true); + f_power2round + = + (fun (t0: t_Array i32 (sz 8)) (t1: t_Array i32 (sz 8)) -> + let tmp0, tmp1:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.power2round t0 t1 + in + let t0:t_Array i32 (sz 8) = tmp0 in + let t1:t_Array i32 (sz 8) = tmp1 in + let hax_temp_output:Prims.unit = () in + t0, t1 <: (t_Array i32 (sz 8) & t_Array i32 (sz 8))); + f_infinity_norm_exceeds_pre = (fun (simd_unit: t_Array i32 (sz 8)) (bound: i32) -> true); + f_infinity_norm_exceeds_post + = + (fun (simd_unit: t_Array i32 (sz 8)) (bound: i32) (out: bool) -> true); + f_infinity_norm_exceeds + = + (fun (simd_unit: t_Array i32 (sz 8)) (bound: i32) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.infinity_norm_exceeds simd_unit bound); + f_decompose_pre + = + (fun + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (simd_unit: t_Array i32 (sz 8)) + (low: t_Array i32 (sz 8)) + (high: t_Array i32 (sz 8)) + -> + true); + f_decompose_post + = + (fun + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (simd_unit: t_Array i32 (sz 8)) + (low: t_Array i32 (sz 8)) + (high: t_Array i32 (sz 8)) + (out: (t_Array i32 (sz 8) & t_Array i32 (sz 8))) + -> + true); + f_decompose + = + (fun + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (simd_unit: t_Array i32 (sz 8)) + (low: t_Array i32 (sz 8)) + (high: t_Array i32 (sz 8)) + -> + let tmp0, tmp1:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.decompose gamma2 simd_unit low high + in + let low:t_Array i32 (sz 8) = tmp0 in + let high:t_Array i32 (sz 8) = tmp1 in + let hax_temp_output:Prims.unit = () in + low, high <: (t_Array i32 (sz 8) & t_Array i32 (sz 8))); + f_compute_hint_pre + = + (fun + (v_GAMMA2: i32) + (low: t_Array i32 (sz 8)) + (high: t_Array i32 (sz 8)) + (hint: t_Array i32 (sz 8)) + -> + true); + f_compute_hint_post + = + (fun + (v_GAMMA2: i32) + (low: t_Array i32 (sz 8)) + (high: t_Array i32 (sz 8)) + (hint: t_Array i32 (sz 8)) + (out2: (t_Array i32 (sz 8) & usize)) + -> + true); + f_compute_hint + = + (fun + (v_GAMMA2: i32) + (low: t_Array i32 (sz 8)) + (high: t_Array i32 (sz 8)) + (hint: t_Array i32 (sz 8)) + -> + let tmp0, out1:(t_Array i32 (sz 8) & usize) = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high hint + in + let hint:t_Array i32 (sz 8) = tmp0 in + let hax_temp_output:usize = out1 in + hint, hax_temp_output <: (t_Array i32 (sz 8) & usize)); + f_use_hint_pre + = + (fun + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (simd_unit: t_Array i32 (sz 8)) + (hint: t_Array i32 (sz 8)) + -> + true); + f_use_hint_post + = + (fun + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (simd_unit: t_Array i32 (sz 8)) + (hint: t_Array i32 (sz 8)) + (out: t_Array i32 (sz 8)) + -> + true); + f_use_hint + = + (fun + (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (simd_unit: t_Array i32 (sz 8)) + (hint: t_Array i32 (sz 8)) + -> + let hax_temp_output, hint:(Prims.unit & t_Array i32 (sz 8)) = + (), Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint gamma2 simd_unit hint + <: + (Prims.unit & t_Array i32 (sz 8)) + in + hint); + f_rejection_sample_less_than_field_modulus_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_field_modulus_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_field_modulus + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_field_modulus randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_2_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_2_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_2_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_2_ randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_4_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_4_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_4_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_4_ randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_gamma1_serialize_pre + = + (fun (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) (gamma1_exponent: usize) -> true); + f_gamma1_serialize_post + = + (fun + (simd_unit: t_Array i32 (sz 8)) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + (out: t_Slice u8) + -> + true); + f_gamma1_serialize + = + (fun (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) (gamma1_exponent: usize) -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize simd_unit + serialized + gamma1_exponent + <: + (Prims.unit & t_Slice u8) + in + serialized); + f_gamma1_deserialize_pre + = + (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) (gamma1_exponent: usize) -> true); + f_gamma1_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: t_Array i32 (sz 8)) + (gamma1_exponent: usize) + (out1: t_Array i32 (sz 8)) + -> + true); + f_gamma1_deserialize + = + (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) (gamma1_exponent: usize) -> + let hax_temp_output, out:(Prims.unit & t_Array i32 (sz 8)) = + (), + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.deserialize serialized out gamma1_exponent + <: + (Prims.unit & t_Array i32 (sz 8)) + in + out); + f_commitment_serialize_pre + = + (fun (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) -> true); + f_commitment_serialize_post + = + (fun (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) (out: t_Slice u8) -> true); + f_commitment_serialize + = + (fun (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize simd_unit serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); + f_error_serialize_pre + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: t_Array i32 (sz 8)) + (serialized: t_Slice u8) + -> + true); + f_error_serialize_post + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: t_Array i32 (sz 8)) + (serialized: t_Slice u8) + (out: t_Slice u8) + -> + true); + f_error_serialize + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: t_Array i32 (sz 8)) + (serialized: t_Slice u8) + -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize eta simd_unit serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); + f_error_deserialize_pre + = + (fun (eta: Libcrux_ml_dsa.Constants.t_Eta) (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) -> + true); + f_error_deserialize_post + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: t_Array i32 (sz 8)) + (out1: t_Array i32 (sz 8)) + -> + true); + f_error_deserialize + = + (fun (eta: Libcrux_ml_dsa.Constants.t_Eta) (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) -> + let out:t_Array i32 (sz 8) = + Libcrux_ml_dsa.Simd.Portable.Encoding.Error.deserialize eta serialized out + in + out); + f_t0_serialize_pre = (fun (simd_unit: t_Array i32 (sz 8)) (out: t_Slice u8) -> true); + f_t0_serialize_post + = + (fun (simd_unit: t_Array i32 (sz 8)) (out: t_Slice u8) (out1: t_Slice u8) -> true); + f_t0_serialize + = + (fun (simd_unit: t_Array i32 (sz 8)) (out: t_Slice u8) -> + let hax_temp_output, out:(Prims.unit & t_Slice u8) = + (), Libcrux_ml_dsa.Simd.Portable.Encoding.T0.serialize simd_unit out + <: + (Prims.unit & t_Slice u8) + in + out); + f_t0_deserialize_pre = (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) -> true); + f_t0_deserialize_post + = + (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) (out1: t_Array i32 (sz 8)) -> true); + f_t0_deserialize + = + (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) -> + let hax_temp_output, out:(Prims.unit & t_Array i32 (sz 8)) = + (), Libcrux_ml_dsa.Simd.Portable.Encoding.T0.deserialize serialized out + <: + (Prims.unit & t_Array i32 (sz 8)) + in + out); + f_t1_serialize_pre = (fun (simd_unit: t_Array i32 (sz 8)) (out: t_Slice u8) -> true); + f_t1_serialize_post + = + (fun (simd_unit: t_Array i32 (sz 8)) (out: t_Slice u8) (out1: t_Slice u8) -> true); + f_t1_serialize + = + (fun (simd_unit: t_Array i32 (sz 8)) (out: t_Slice u8) -> + let out:t_Slice u8 = Libcrux_ml_dsa.Simd.Portable.Encoding.T1.serialize simd_unit out in + out); + f_t1_deserialize_pre = (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) -> true); + f_t1_deserialize_post + = + (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) (out1: t_Array i32 (sz 8)) -> true); + f_t1_deserialize + = + (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) -> + let out:t_Array i32 (sz 8) = + Libcrux_ml_dsa.Simd.Portable.Encoding.T1.deserialize serialized out + in + out); + f_ntt_pre = (fun (simd_units: t_Array (t_Array i32 (sz 8)) (sz 32)) -> true); + f_ntt_post + = + (fun + (simd_units: t_Array (t_Array i32 (sz 8)) (sz 32)) + (out: t_Array (t_Array i32 (sz 8)) (sz 32)) + -> + true); + f_ntt + = + (fun (simd_units: t_Array (t_Array i32 (sz 8)) (sz 32)) -> + let hax_temp_output, simd_units:(Prims.unit & t_Array (t_Array i32 (sz 8)) (sz 32)) = + (), Libcrux_ml_dsa.Simd.Portable.Ntt.ntt simd_units + <: + (Prims.unit & t_Array (t_Array i32 (sz 8)) (sz 32)) + in + simd_units); + f_invert_ntt_montgomery_pre = (fun (simd_units: t_Array (t_Array i32 (sz 8)) (sz 32)) -> true); + f_invert_ntt_montgomery_post + = + (fun + (simd_units: t_Array (t_Array i32 (sz 8)) (sz 32)) + (out: t_Array (t_Array i32 (sz 8)) (sz 32)) + -> + true); + f_invert_ntt_montgomery + = + fun (simd_units: t_Array (t_Array i32 (sz 8)) (sz 32)) -> + let hax_temp_output, simd_units:(Prims.unit & t_Array (t_Array i32 (sz 8)) (sz 32)) = + (), Libcrux_ml_dsa.Simd.Portable.Invntt.invert_ntt_montgomery simd_units + <: + (Prims.unit & t_Array (t_Array i32 (sz 8)) (sz 32)) + in + simd_units + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti index 9b879cee0..ce4ad8616 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti @@ -3,74 +3,112 @@ module Libcrux_ml_dsa.Simd.Traits open Core open FStar.Mul +let v_COEFFICIENTS_IN_SIMD_UNIT: usize = sz 8 + +let v_FIELD_MODULUS: i32 = 8380417l + +let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL + +let v_SIMD_UNITS_IN_RING_ELEMENT: usize = + Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT + class t_Operations (v_Self: Type0) = { [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; - f_ZERO_pre:Prims.unit -> Type0; - f_ZERO_post:Prims.unit -> v_Self -> Type0; - f_ZERO:x0: Prims.unit -> Prims.Pure v_Self (f_ZERO_pre x0) (fun result -> f_ZERO_post x0 result); - f_from_coefficient_array_pre:t_Slice i32 -> Type0; - f_from_coefficient_array_post:t_Slice i32 -> v_Self -> Type0; - f_from_coefficient_array:x0: t_Slice i32 - -> Prims.Pure v_Self - (f_from_coefficient_array_pre x0) - (fun result -> f_from_coefficient_array_post x0 result); - f_to_coefficient_array_pre:v_Self -> Type0; - f_to_coefficient_array_post:v_Self -> t_Array i32 (sz 8) -> Type0; - f_to_coefficient_array:x0: v_Self - -> Prims.Pure (t_Array i32 (sz 8)) - (f_to_coefficient_array_pre x0) - (fun result -> f_to_coefficient_array_post x0 result); - f_add_pre:v_Self -> v_Self -> Type0; - f_add_post:v_Self -> v_Self -> v_Self -> Type0; - f_add:x0: v_Self -> x1: v_Self - -> Prims.Pure v_Self (f_add_pre x0 x1) (fun result -> f_add_post x0 x1 result); - f_subtract_pre:v_Self -> v_Self -> Type0; - f_subtract_post:v_Self -> v_Self -> v_Self -> Type0; - f_subtract:x0: v_Self -> x1: v_Self - -> Prims.Pure v_Self (f_subtract_pre x0 x1) (fun result -> f_subtract_post x0 x1 result); - f_infinity_norm_exceeds_pre:v_Self -> i32 -> Type0; - f_infinity_norm_exceeds_post:v_Self -> i32 -> bool -> Type0; - f_infinity_norm_exceeds:x0: v_Self -> x1: i32 + f_Coefficient:Type0; + f_Coefficient_11316922548682728705:Core.Marker.t_Copy f_Coefficient; + f_zero_pre:Prims.unit -> Type0; + f_zero_post:Prims.unit -> f_Coefficient -> Type0; + f_zero:x0: Prims.unit + -> Prims.Pure f_Coefficient (f_zero_pre x0) (fun result -> f_zero_post x0 result); + f_from_coefficient_array_pre:t_Slice i32 -> f_Coefficient -> Type0; + f_from_coefficient_array_post:t_Slice i32 -> f_Coefficient -> f_Coefficient -> Type0; + f_from_coefficient_array:x0: t_Slice i32 -> x1: f_Coefficient + -> Prims.Pure f_Coefficient + (f_from_coefficient_array_pre x0 x1) + (fun result -> f_from_coefficient_array_post x0 x1 result); + f_to_coefficient_array_pre:f_Coefficient -> t_Slice i32 -> Type0; + f_to_coefficient_array_post:f_Coefficient -> t_Slice i32 -> t_Slice i32 -> Type0; + f_to_coefficient_array:x0: f_Coefficient -> x1: t_Slice i32 + -> Prims.Pure (t_Slice i32) + (f_to_coefficient_array_pre x0 x1) + (fun result -> f_to_coefficient_array_post x0 x1 result); + f_add_pre:f_Coefficient -> f_Coefficient -> Type0; + f_add_post:f_Coefficient -> f_Coefficient -> f_Coefficient -> Type0; + f_add:x0: f_Coefficient -> x1: f_Coefficient + -> Prims.Pure f_Coefficient (f_add_pre x0 x1) (fun result -> f_add_post x0 x1 result); + f_subtract_pre:f_Coefficient -> f_Coefficient -> Type0; + f_subtract_post:f_Coefficient -> f_Coefficient -> f_Coefficient -> Type0; + f_subtract:x0: f_Coefficient -> x1: f_Coefficient + -> Prims.Pure f_Coefficient (f_subtract_pre x0 x1) (fun result -> f_subtract_post x0 x1 result); + f_infinity_norm_exceeds_pre:f_Coefficient -> i32 -> Type0; + f_infinity_norm_exceeds_post:f_Coefficient -> i32 -> bool -> Type0; + f_infinity_norm_exceeds:x0: f_Coefficient -> x1: i32 -> Prims.Pure bool (f_infinity_norm_exceeds_pre x0 x1) (fun result -> f_infinity_norm_exceeds_post x0 x1 result); - f_decompose_pre:v_GAMMA2: i32 -> v_Self -> Type0; - f_decompose_post:v_GAMMA2: i32 -> v_Self -> (v_Self & v_Self) -> Type0; - f_decompose:v_GAMMA2: i32 -> x0: v_Self - -> Prims.Pure (v_Self & v_Self) - (f_decompose_pre v_GAMMA2 x0) - (fun result -> f_decompose_post v_GAMMA2 x0 result); - f_compute_hint_pre:v_GAMMA2: i32 -> v_Self -> v_Self -> Type0; - f_compute_hint_post:v_GAMMA2: i32 -> v_Self -> v_Self -> (usize & v_Self) -> Type0; - f_compute_hint:v_GAMMA2: i32 -> x0: v_Self -> x1: v_Self - -> Prims.Pure (usize & v_Self) - (f_compute_hint_pre v_GAMMA2 x0 x1) - (fun result -> f_compute_hint_post v_GAMMA2 x0 x1 result); - f_use_hint_pre:v_GAMMA2: i32 -> v_Self -> v_Self -> Type0; - f_use_hint_post:v_GAMMA2: i32 -> v_Self -> v_Self -> v_Self -> Type0; - f_use_hint:v_GAMMA2: i32 -> x0: v_Self -> x1: v_Self - -> Prims.Pure v_Self - (f_use_hint_pre v_GAMMA2 x0 x1) - (fun result -> f_use_hint_post v_GAMMA2 x0 x1 result); - f_montgomery_multiply_pre:v_Self -> v_Self -> Type0; - f_montgomery_multiply_post:v_Self -> v_Self -> v_Self -> Type0; - f_montgomery_multiply:x0: v_Self -> x1: v_Self - -> Prims.Pure v_Self + f_decompose_pre: + Libcrux_ml_dsa.Constants.t_Gamma2 -> + f_Coefficient -> + f_Coefficient -> + f_Coefficient + -> Type0; + f_decompose_post: + Libcrux_ml_dsa.Constants.t_Gamma2 -> + f_Coefficient -> + f_Coefficient -> + f_Coefficient -> + (f_Coefficient & f_Coefficient) + -> Type0; + f_decompose: + x0: Libcrux_ml_dsa.Constants.t_Gamma2 -> + x1: f_Coefficient -> + x2: f_Coefficient -> + x3: f_Coefficient + -> Prims.Pure (f_Coefficient & f_Coefficient) + (f_decompose_pre x0 x1 x2 x3) + (fun result -> f_decompose_post x0 x1 x2 x3 result); + f_compute_hint_pre:v_GAMMA2: i32 -> f_Coefficient -> f_Coefficient -> f_Coefficient -> Type0; + f_compute_hint_post: + v_GAMMA2: i32 -> + f_Coefficient -> + f_Coefficient -> + f_Coefficient -> + (f_Coefficient & usize) + -> Type0; + f_compute_hint:v_GAMMA2: i32 -> x0: f_Coefficient -> x1: f_Coefficient -> x2: f_Coefficient + -> Prims.Pure (f_Coefficient & usize) + (f_compute_hint_pre v_GAMMA2 x0 x1 x2) + (fun result -> f_compute_hint_post v_GAMMA2 x0 x1 x2 result); + f_use_hint_pre:Libcrux_ml_dsa.Constants.t_Gamma2 -> f_Coefficient -> f_Coefficient -> Type0; + f_use_hint_post: + Libcrux_ml_dsa.Constants.t_Gamma2 -> + f_Coefficient -> + f_Coefficient -> + f_Coefficient + -> Type0; + f_use_hint:x0: Libcrux_ml_dsa.Constants.t_Gamma2 -> x1: f_Coefficient -> x2: f_Coefficient + -> Prims.Pure f_Coefficient + (f_use_hint_pre x0 x1 x2) + (fun result -> f_use_hint_post x0 x1 x2 result); + f_montgomery_multiply_pre:f_Coefficient -> f_Coefficient -> Type0; + f_montgomery_multiply_post:f_Coefficient -> f_Coefficient -> f_Coefficient -> Type0; + f_montgomery_multiply:x0: f_Coefficient -> x1: f_Coefficient + -> Prims.Pure f_Coefficient (f_montgomery_multiply_pre x0 x1) (fun result -> f_montgomery_multiply_post x0 x1 result); - f_shift_left_then_reduce_pre:v_SHIFT_BY: i32 -> v_Self -> Type0; - f_shift_left_then_reduce_post:v_SHIFT_BY: i32 -> v_Self -> v_Self -> Type0; - f_shift_left_then_reduce:v_SHIFT_BY: i32 -> x0: v_Self - -> Prims.Pure v_Self + f_shift_left_then_reduce_pre:v_SHIFT_BY: i32 -> f_Coefficient -> Type0; + f_shift_left_then_reduce_post:v_SHIFT_BY: i32 -> f_Coefficient -> f_Coefficient -> Type0; + f_shift_left_then_reduce:v_SHIFT_BY: i32 -> x0: f_Coefficient + -> Prims.Pure f_Coefficient (f_shift_left_then_reduce_pre v_SHIFT_BY x0) (fun result -> f_shift_left_then_reduce_post v_SHIFT_BY x0 result); - f_power2round_pre:v_Self -> Type0; - f_power2round_post:v_Self -> (v_Self & v_Self) -> Type0; - f_power2round:x0: v_Self - -> Prims.Pure (v_Self & v_Self) - (f_power2round_pre x0) - (fun result -> f_power2round_post x0 result); + f_power2round_pre:f_Coefficient -> f_Coefficient -> Type0; + f_power2round_post:f_Coefficient -> f_Coefficient -> (f_Coefficient & f_Coefficient) -> Type0; + f_power2round:x0: f_Coefficient -> x1: f_Coefficient + -> Prims.Pure (f_Coefficient & f_Coefficient) + (f_power2round_pre x0 x1) + (fun result -> f_power2round_post x0 x1 result); f_rejection_sample_less_than_field_modulus_pre:t_Slice u8 -> t_Slice i32 -> Type0; f_rejection_sample_less_than_field_modulus_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) -> Type0; @@ -92,73 +130,77 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure (t_Slice i32 & usize) (f_rejection_sample_less_than_eta_equals_4_pre x0 x1) (fun result -> f_rejection_sample_less_than_eta_equals_4_post x0 x1 result); - f_gamma1_serialize_pre:v_GAMMA1_EXPONENT: usize -> v_Self -> t_Slice u8 -> Type0; - f_gamma1_serialize_post:v_GAMMA1_EXPONENT: usize -> v_Self -> t_Slice u8 -> t_Slice u8 -> Type0; - f_gamma1_serialize:v_GAMMA1_EXPONENT: usize -> x0: v_Self -> x1: t_Slice u8 + f_gamma1_serialize_pre:f_Coefficient -> t_Slice u8 -> usize -> Type0; + f_gamma1_serialize_post:f_Coefficient -> t_Slice u8 -> usize -> t_Slice u8 -> Type0; + f_gamma1_serialize:x0: f_Coefficient -> x1: t_Slice u8 -> x2: usize -> Prims.Pure (t_Slice u8) - (f_gamma1_serialize_pre v_GAMMA1_EXPONENT x0 x1) - (fun result -> f_gamma1_serialize_post v_GAMMA1_EXPONENT x0 x1 result); - f_gamma1_deserialize_pre:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> Type0; - f_gamma1_deserialize_post:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> v_Self -> Type0; - f_gamma1_deserialize:v_GAMMA1_EXPONENT: usize -> x0: t_Slice u8 - -> Prims.Pure v_Self - (f_gamma1_deserialize_pre v_GAMMA1_EXPONENT x0) - (fun result -> f_gamma1_deserialize_post v_GAMMA1_EXPONENT x0 result); - f_commitment_serialize_pre:v_Self -> t_Slice u8 -> Type0; - f_commitment_serialize_post:v_Self -> t_Slice u8 -> t_Slice u8 -> Type0; - f_commitment_serialize:x0: v_Self -> x1: t_Slice u8 + (f_gamma1_serialize_pre x0 x1 x2) + (fun result -> f_gamma1_serialize_post x0 x1 x2 result); + f_gamma1_deserialize_pre:t_Slice u8 -> f_Coefficient -> usize -> Type0; + f_gamma1_deserialize_post:t_Slice u8 -> f_Coefficient -> usize -> f_Coefficient -> Type0; + f_gamma1_deserialize:x0: t_Slice u8 -> x1: f_Coefficient -> x2: usize + -> Prims.Pure f_Coefficient + (f_gamma1_deserialize_pre x0 x1 x2) + (fun result -> f_gamma1_deserialize_post x0 x1 x2 result); + f_commitment_serialize_pre:f_Coefficient -> t_Slice u8 -> Type0; + f_commitment_serialize_post:f_Coefficient -> t_Slice u8 -> t_Slice u8 -> Type0; + f_commitment_serialize:x0: f_Coefficient -> x1: t_Slice u8 -> Prims.Pure (t_Slice u8) (f_commitment_serialize_pre x0 x1) (fun result -> f_commitment_serialize_post x0 x1 result); - f_error_serialize_pre:v_ETA: usize -> v_Self -> t_Slice u8 -> Type0; - f_error_serialize_post:v_ETA: usize -> v_Self -> t_Slice u8 -> t_Slice u8 -> Type0; - f_error_serialize:v_ETA: usize -> x0: v_Self -> x1: t_Slice u8 + f_error_serialize_pre:Libcrux_ml_dsa.Constants.t_Eta -> f_Coefficient -> t_Slice u8 -> Type0; + f_error_serialize_post:Libcrux_ml_dsa.Constants.t_Eta -> f_Coefficient -> t_Slice u8 -> t_Slice u8 + -> Type0; + f_error_serialize:x0: Libcrux_ml_dsa.Constants.t_Eta -> x1: f_Coefficient -> x2: t_Slice u8 -> Prims.Pure (t_Slice u8) - (f_error_serialize_pre v_ETA x0 x1) - (fun result -> f_error_serialize_post v_ETA x0 x1 result); - f_error_deserialize_pre:v_ETA: usize -> t_Slice u8 -> Type0; - f_error_deserialize_post:v_ETA: usize -> t_Slice u8 -> v_Self -> Type0; - f_error_deserialize:v_ETA: usize -> x0: t_Slice u8 - -> Prims.Pure v_Self - (f_error_deserialize_pre v_ETA x0) - (fun result -> f_error_deserialize_post v_ETA x0 result); - f_t0_serialize_pre:v_Self -> Type0; - f_t0_serialize_post:v_Self -> t_Array u8 (sz 13) -> Type0; - f_t0_serialize:x0: v_Self - -> Prims.Pure (t_Array u8 (sz 13)) - (f_t0_serialize_pre x0) - (fun result -> f_t0_serialize_post x0 result); - f_t0_deserialize_pre:t_Slice u8 -> Type0; - f_t0_deserialize_post:t_Slice u8 -> v_Self -> Type0; - f_t0_deserialize:x0: t_Slice u8 - -> Prims.Pure v_Self (f_t0_deserialize_pre x0) (fun result -> f_t0_deserialize_post x0 result); - f_t1_serialize_pre:v_Self -> Type0; - f_t1_serialize_post:v_Self -> t_Array u8 (sz 10) -> Type0; - f_t1_serialize:x0: v_Self - -> Prims.Pure (t_Array u8 (sz 10)) - (f_t1_serialize_pre x0) - (fun result -> f_t1_serialize_post x0 result); - f_t1_deserialize_pre:t_Slice u8 -> Type0; - f_t1_deserialize_post:t_Slice u8 -> v_Self -> Type0; - f_t1_deserialize:x0: t_Slice u8 - -> Prims.Pure v_Self (f_t1_deserialize_pre x0) (fun result -> f_t1_deserialize_post x0 result); - f_ntt_pre:t_Array v_Self (sz 32) -> Type0; - f_ntt_post:t_Array v_Self (sz 32) -> t_Array v_Self (sz 32) -> Type0; - f_ntt:x0: t_Array v_Self (sz 32) - -> Prims.Pure (t_Array v_Self (sz 32)) (f_ntt_pre x0) (fun result -> f_ntt_post x0 result); - f_invert_ntt_montgomery_pre:t_Array v_Self (sz 32) -> Type0; - f_invert_ntt_montgomery_post:t_Array v_Self (sz 32) -> t_Array v_Self (sz 32) -> Type0; - f_invert_ntt_montgomery:x0: t_Array v_Self (sz 32) - -> Prims.Pure (t_Array v_Self (sz 32)) + (f_error_serialize_pre x0 x1 x2) + (fun result -> f_error_serialize_post x0 x1 x2 result); + f_error_deserialize_pre:Libcrux_ml_dsa.Constants.t_Eta -> t_Slice u8 -> f_Coefficient -> Type0; + f_error_deserialize_post: + Libcrux_ml_dsa.Constants.t_Eta -> + t_Slice u8 -> + f_Coefficient -> + f_Coefficient + -> Type0; + f_error_deserialize:x0: Libcrux_ml_dsa.Constants.t_Eta -> x1: t_Slice u8 -> x2: f_Coefficient + -> Prims.Pure f_Coefficient + (f_error_deserialize_pre x0 x1 x2) + (fun result -> f_error_deserialize_post x0 x1 x2 result); + f_t0_serialize_pre:f_Coefficient -> t_Slice u8 -> Type0; + f_t0_serialize_post:f_Coefficient -> t_Slice u8 -> t_Slice u8 -> Type0; + f_t0_serialize:x0: f_Coefficient -> x1: t_Slice u8 + -> Prims.Pure (t_Slice u8) + (f_t0_serialize_pre x0 x1) + (fun result -> f_t0_serialize_post x0 x1 result); + f_t0_deserialize_pre:t_Slice u8 -> f_Coefficient -> Type0; + f_t0_deserialize_post:t_Slice u8 -> f_Coefficient -> f_Coefficient -> Type0; + f_t0_deserialize:x0: t_Slice u8 -> x1: f_Coefficient + -> Prims.Pure f_Coefficient + (f_t0_deserialize_pre x0 x1) + (fun result -> f_t0_deserialize_post x0 x1 result); + f_t1_serialize_pre:f_Coefficient -> t_Slice u8 -> Type0; + f_t1_serialize_post:f_Coefficient -> t_Slice u8 -> t_Slice u8 -> Type0; + f_t1_serialize:x0: f_Coefficient -> x1: t_Slice u8 + -> Prims.Pure (t_Slice u8) + (f_t1_serialize_pre x0 x1) + (fun result -> f_t1_serialize_post x0 x1 result); + f_t1_deserialize_pre:t_Slice u8 -> f_Coefficient -> Type0; + f_t1_deserialize_post:t_Slice u8 -> f_Coefficient -> f_Coefficient -> Type0; + f_t1_deserialize:x0: t_Slice u8 -> x1: f_Coefficient + -> Prims.Pure f_Coefficient + (f_t1_deserialize_pre x0 x1) + (fun result -> f_t1_deserialize_post x0 x1 result); + f_ntt_pre:t_Array f_Coefficient (sz 32) -> Type0; + f_ntt_post:t_Array f_Coefficient (sz 32) -> t_Array f_Coefficient (sz 32) -> Type0; + f_ntt:x0: t_Array f_Coefficient (sz 32) + -> Prims.Pure (t_Array f_Coefficient (sz 32)) + (f_ntt_pre x0) + (fun result -> f_ntt_post x0 result); + f_invert_ntt_montgomery_pre:t_Array f_Coefficient (sz 32) -> Type0; + f_invert_ntt_montgomery_post:t_Array f_Coefficient (sz 32) -> t_Array f_Coefficient (sz 32) + -> Type0; + f_invert_ntt_montgomery:x0: t_Array f_Coefficient (sz 32) + -> Prims.Pure (t_Array f_Coefficient (sz 32)) (f_invert_ntt_montgomery_pre x0) (fun result -> f_invert_ntt_montgomery_post x0 result) } - -let v_COEFFICIENTS_IN_SIMD_UNIT: usize = sz 8 - -let v_FIELD_MODULUS: i32 = 8380417l - -let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL - -let v_SIMD_UNITS_IN_RING_ELEMENT: usize = - Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst index eee5c0b42..bf68637e5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst @@ -25,12 +25,12 @@ let impl_2__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) = { f_value = value } <: t_MLDSAVerificationKey v_SIZE let t_SigningError_cast_to_repr (x: t_SigningError) = - match x with + match x <: t_SigningError with | SigningError_RejectionSamplingError -> isz 0 | SigningError_ContextTooLongError -> isz 1 let t_VerificationError_cast_to_repr (x: t_VerificationError) = - match x with + match x <: t_VerificationError with | VerificationError_MalformedHintError -> isz 0 | VerificationError_SignerResponseExceedsBoundError -> isz 1 | VerificationError_CommitmentHashesDontMatchError -> isz 3 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst deleted file mode 100644 index 82aa84965..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst +++ /dev/null @@ -1,37 +0,0 @@ -module Libcrux_ml_dsa.Utils -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let into_padded_array (v_LEN: usize) (slice: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN <: bool) - in - () - in - let out:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in - let out:t_Array u8 v_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range out - ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (out.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - slice - <: - t_Slice u8) - in - out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti deleted file mode 100644 index 112de368e..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti +++ /dev/null @@ -1,8 +0,0 @@ -module Libcrux_ml_dsa.Utils -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -/// Pad the `slice` with `0`s at the end. -val into_padded_array (v_LEN: usize) (slice: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) From e98cba86bfe8c98a50abef355f694deab163fb8c Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 3 Jan 2025 12:52:35 +0000 Subject: [PATCH 35/58] mldsa: work around eurydice bugs --- libcrux-ml-dsa/src/arithmetic.rs | 2 +- libcrux-ml-dsa/src/constants.rs | 16 +-- libcrux-ml-dsa/src/ml_dsa_generic.rs | 17 +--- .../src/ml_dsa_generic/instantiations.rs | 11 ++- .../src/ml_dsa_generic/instantiations/avx2.rs | 94 +++++++----------- libcrux-ml-dsa/src/samplex4.rs | 39 ++++---- libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 97 ++++++++++--------- .../src/simd/avx2/encoding/error.rs | 7 +- .../src/simd/portable/arithmetic.rs | 24 +++-- libcrux-ml-dsa/src/simd/tests.rs | 9 +- 10 files changed, 156 insertions(+), 160 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index 28d9d3e8a..4b2d14a7e 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -14,7 +14,7 @@ pub(crate) fn vector_infinity_norm_exceeds( cloop! { for ring_element in vector.iter() { if !result && ring_element.infinity_norm_exceeds(bound) { - result = result || true; + result = true; } } } diff --git a/libcrux-ml-dsa/src/constants.rs b/libcrux-ml-dsa/src/constants.rs index ae907fc70..cdcb8d6a8 100644 --- a/libcrux-ml-dsa/src/constants.rs +++ b/libcrux-ml-dsa/src/constants.rs @@ -31,19 +31,23 @@ pub(crate) const REJECTION_SAMPLE_BOUND_SIGN: usize = 814; /// The length of `context` is serialized to a single `u8`. pub(crate) const CONTEXT_MAX_LEN: usize = 255; +// Handling of enums in eurydice is very limited. +// We therefore don't sue them here in all the places we could. +// See +// - https://github.com/AeneasVerif/eurydice/issues/123 +// - https://github.com/AeneasVerif/eurydice/issues/122 + /// Eta values -#[derive(Debug, Clone, Copy)] +#[derive(Clone, Copy)] pub(crate) enum Eta { Two = 2, Four = 4, } /// Gamma2 values -#[derive(Debug, Clone, Copy)] -pub(crate) enum Gamma2 { - V95_232 = 95_232, - V261_888 = 261_888, -} +pub(crate) type Gamma2 = i32; +pub(crate) const GAMMA2_V261_888: Gamma2 = 261_888; +pub(crate) const GAMMA2_V95_232: Gamma2 = 95_232; /// ML-DSA-44-specific parameters #[cfg(feature = "mldsa44")] diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index bcc4967fd..5081401dd 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -302,12 +302,6 @@ pub(crate) fn sign_internal< _ => unreachable!(), }; - let gamma2 = match GAMMA2 { - 95_232 => Gamma2::V95_232, - 261_888 => Gamma2::V261_888, - _ => unreachable!(), - }; - // Split the signing key into its parts. let (seed_for_a, remaining_serialized) = signing_key.split_at(SEED_FOR_A_SIZE); let (seed_for_signing, remaining_serialized) = @@ -405,7 +399,7 @@ pub(crate) fn sign_internal< &mask_ntt, &mut a_x_mask, ); - decompose_vector::(ROWS_IN_A, gamma2, &a_x_mask, &mut w0, &mut commitment); + decompose_vector::(ROWS_IN_A, GAMMA2, &a_x_mask, &mut w0, &mut commitment); } let mut commitment_hash_candidate = [0; COMMITMENT_HASH_SIZE]; @@ -590,13 +584,6 @@ pub(crate) fn verify_internal< domain_separation_context: Option, signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { - let gamma2 = match GAMMA2 { - // FIXME: pass this in as enum instead - 95_232 => Gamma2::V95_232, - 261_888 => Gamma2::V261_888, - _ => unreachable!(), - }; - let (seed_for_a, t1_serialized) = verification_key.split_at(SEED_FOR_A_SIZE); let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; encoding::verification_key::deserialize::( @@ -672,7 +659,7 @@ pub(crate) fn verify_internal< // Compute the commitment hash again to validate the signature. let mut recomputed_commitment_hash = [0; COMMITMENT_HASH_SIZE]; { - use_hint::(gamma2, &deserialized_hint, &mut t1); + use_hint::(GAMMA2, &deserialized_hint, &mut t1); let mut commitment_serialized = [0u8; COMMITMENT_VECTOR_SIZE]; encoding::commitment::serialize_vector::( COMMITMENT_RING_ELEMENT_SIZE, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index 2a47d10ec..a714540de 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -1,5 +1,14 @@ macro_rules! instantiate { - ($modp:ident, $simdunit:path, $shake128:path, $shake128x4:path, $shake256:path, $shake256xof:path, $shake256x4:path, $sampler:path) => { + ( + $modp:ident, // name for the module + $simdunit:path, // paths to the platform specific implementations ... + $shake128:path, + $shake128x4:path, + $shake256:path, + $shake256xof:path, + $shake256x4:path, + $sampler:path + ) => { pub mod $modp { use crate::{ constants::*, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index 473337d0d..af2638a12 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -8,37 +8,6 @@ use crate::{ mod avx2_feature { use super::*; - macro_rules! generate_key_pair { - ($name:ident) => { - /// Generate key pair. - #[cfg_attr(not(hax), target_feature(enable = "avx2"))] - #[allow(unsafe_code)] - pub(super) unsafe fn $name( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], - ) { - crate::ml_dsa_generic::$name::< - crate::simd::avx2::AVX2SIMDUnit, - crate::samplex4::avx2::AVX2Sampler, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - // We use the portable version here. - // It doesn' make sense to do these in parallel. - crate::hash_functions::portable::Shake256Xof, - crate::hash_functions::simd256::Shake256x4, - >(randomness, signing_key, verification_key) - } - }; - } - - #[cfg(feature = "mldsa44")] - generate_key_pair!(generate_key_pair_v44); - #[cfg(feature = "mldsa65")] - generate_key_pair!(generate_key_pair_v65); - #[cfg(feature = "mldsa87")] - generate_key_pair!(generate_key_pair_v87); - /// Sign. #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] @@ -353,38 +322,45 @@ mod avx2_feature { } } -#[cfg(feature = "mldsa44")] -/// Generate key pair. -#[allow(unsafe_code)] -pub(crate) fn generate_key_pair_v44( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], -) { - unsafe { avx2_feature::generate_key_pair_v44(randomness, signing_key, verification_key) } -} +macro_rules! impl_generate_key_pair { + ($name:ident) => { + /// Generate key pair. + #[allow(unsafe_code)] + pub(crate) fn $name( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], + ) { + #[allow(unsafe_code)] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + unsafe fn _inner( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], + ) { + crate::ml_dsa_generic::$name::< + crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + crate::hash_functions::portable::Shake256Xof, + crate::hash_functions::simd256::Shake256x4, + >(randomness, signing_key, verification_key); + } -#[cfg(feature = "mldsa65")] -/// Generate key pair. -#[allow(unsafe_code)] -pub(crate) fn generate_key_pair_v65( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], -) { - unsafe { avx2_feature::generate_key_pair_v65(randomness, signing_key, verification_key) } + unsafe { + _inner(randomness, signing_key, verification_key); + } + } + }; } +#[cfg(feature = "mldsa44")] +impl_generate_key_pair!(generate_key_pair_v44); +#[cfg(feature = "mldsa65")] +impl_generate_key_pair!(generate_key_pair_v65); #[cfg(feature = "mldsa87")] -/// Generate key pair. -#[allow(unsafe_code)] -pub(crate) fn generate_key_pair_v87( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], -) { - unsafe { avx2_feature::generate_key_pair_v87(randomness, signing_key, verification_key) } -} +impl_generate_key_pair!(generate_key_pair_v87); /// Sign. #[allow(unsafe_code)] diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index c800c3465..827c8b993 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -1,6 +1,7 @@ use crate::{ constants::Eta, hash_functions::{shake128, shake256}, + helper::cloop, polynomial::PolynomialRingElement, sample::{sample_four_error_ring_elements, sample_up_to_four_ring_elements_flat}, simd::traits::Operations, @@ -28,24 +29,26 @@ pub(crate) fn matrix_flat( let mut rand_stack3 = [0u8; shake128::FIVE_BLOCKS_SIZE]; let mut tmp_stack = [[0i32; 263], [0i32; 263], [0i32; 263], [0i32; 263]]; - for start_index in (0..matrix.len()).step_by(4) { - let elements_requested = if start_index + 4 <= matrix.len() { - 4 - } else { - matrix.len() - start_index - }; - sample_up_to_four_ring_elements_flat::( - columns, - seed, - matrix, - &mut rand_stack0, - &mut rand_stack1, - &mut rand_stack2, - &mut rand_stack3, - &mut tmp_stack, - start_index, - elements_requested, - ); + cloop! { + for start_index in (0..matrix.len()).step_by(4) { + let elements_requested = if start_index + 4 <= matrix.len() { + 4 + } else { + matrix.len() - start_index + }; + sample_up_to_four_ring_elements_flat::( + columns, + seed, + matrix, + &mut rand_stack0, + &mut rand_stack1, + &mut rand_stack2, + &mut rand_stack3, + &mut tmp_stack, + start_index, + elements_requested, + ); + } } // [hax] https://github.com/hacspec/hax/issues/720 diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index 65d1148b0..22d8ed078 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -1,5 +1,5 @@ use crate::{ - constants::BITS_IN_LOWER_PART_OF_T, + constants::{BITS_IN_LOWER_PART_OF_T, GAMMA2_V261_888, GAMMA2_V95_232}, simd::traits::{FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R}, }; @@ -8,11 +8,16 @@ use libcrux_intrinsics::avx2::*; use super::{vector_type::zero, Gamma2}; #[inline(always)] -fn to_unsigned_representatives(t: &mut Vec256) { +fn to_unsigned_representatives_ret(t: &Vec256) -> Vec256 { let signs = mm256_srai_epi32::<31>(*t); let conditional_add_field_modulus = mm256_and_si256(signs, mm256_set1_epi32(FIELD_MODULUS)); - *t = mm256_add_epi32(*t, conditional_add_field_modulus); + mm256_add_epi32(*t, conditional_add_field_modulus) +} + +#[inline(always)] +fn to_unsigned_representatives(t: &mut Vec256) { + *t = to_unsigned_representatives_ret(t); } #[inline(always)] @@ -119,61 +124,59 @@ pub(super) fn power2round(r0: &mut Vec256, r1: &mut Vec256) { *r0 = mm256_sub_epi32(*r0, tmp); } -#[allow(non_snake_case)] #[inline(always)] pub(super) fn decompose(gamma2: Gamma2, r: &Vec256, r0: &mut Vec256, r1: &mut Vec256) { - let mut r = r.clone(); - to_unsigned_representatives(&mut r); + let r = to_unsigned_representatives_ret(r); - let field_modulus_halved = mm256_set1_epi32((FIELD_MODULUS - 1) / 2); + let ceil_of_r_by_128 = mm256_add_epi32(r, mm256_set1_epi32(127)); + let ceil_of_r_by_128 = mm256_srai_epi32::<7>(ceil_of_r_by_128); + + match gamma2 { + GAMMA2_V95_232 => { + // We approximate 1 / 1488 as: + // ⌊2²⁴ / 1488⌋ / 2²⁴ = 11,275 / 2²⁴ + let result = mm256_mullo_epi32(ceil_of_r_by_128, mm256_set1_epi32(11_275)); + let result = mm256_add_epi32(result, mm256_set1_epi32(1 << 23)); + let result = mm256_srai_epi32::<24>(result); + + // For the corner-case a₁ = (q-1)/α = 44, we have to set a₁=0. + let mask = mm256_sub_epi32(mm256_set1_epi32(43), result); + let mask = mm256_srai_epi32::<31>(mask); - *r1 = { - let ceil_of_r_by_128 = mm256_add_epi32(r, mm256_set1_epi32(127)); - let ceil_of_r_by_128 = mm256_srai_epi32::<7>(ceil_of_r_by_128); - - match gamma2 { - Gamma2::V95_232 => { - // We approximate 1 / 1488 as: - // ⌊2²⁴ / 1488⌋ / 2²⁴ = 11,275 / 2²⁴ - let result = mm256_mullo_epi32(ceil_of_r_by_128, mm256_set1_epi32(11_275)); - let result = mm256_add_epi32(result, mm256_set1_epi32(1 << 23)); - let result = mm256_srai_epi32::<24>(result); - - // For the corner-case a₁ = (q-1)/α = 44, we have to set a₁=0. - let mask = mm256_sub_epi32(mm256_set1_epi32(43), result); - let mask = mm256_srai_epi32::<31>(mask); - - let not_result = mm256_xor_si256(result, mask); - - mm256_and_si256(result, not_result) - } - - Gamma2::V261_888 => { - // We approximate 1 / 4092 as: - // ⌊2²² / 4092⌋ / 2²² = 1025 / 2²² - let result = mm256_mullo_epi32(ceil_of_r_by_128, mm256_set1_epi32(1025)); - let result = mm256_add_epi32(result, mm256_set1_epi32(1 << 21)); - let result = mm256_srai_epi32::<22>(result); - - // For the corner-case a₁ = (q-1)/α = 16, we have to set a₁=0. - mm256_and_si256(result, mm256_set1_epi32(15)) - } + let not_result = mm256_xor_si256(result, mask); + + *r1 = mm256_and_si256(result, not_result); } - }; + + GAMMA2_V261_888 => { + // We approximate 1 / 4092 as: + // ⌊2²² / 4092⌋ / 2²² = 1025 / 2²² + let result = mm256_mullo_epi32(ceil_of_r_by_128, mm256_set1_epi32(1025)); + let result = mm256_add_epi32(result, mm256_set1_epi32(1 << 21)); + let result = mm256_srai_epi32::<22>(result); + + // For the corner-case a₁ = (q-1)/α = 16, we have to set a₁=0. + *r1 = mm256_and_si256(result, mm256_set1_epi32(15)); + } + + _ => unreachable!(), + } // In the corner-case, when we set a₁=0, we will incorrectly // have a₀ > (q-1)/2 and we'll need to subtract q. As we // return a₀ + q, that comes down to adding q if a₀ < (q-1)/2. - let alpha = gamma2 as i32 * 2; - *r0 = mm256_mullo_epi32(*r1, mm256_set1_epi32(alpha)); - *r0 = mm256_sub_epi32(r, *r0); - let mask = mm256_sub_epi32(field_modulus_halved, *r0); + let alpha = gamma2 * 2; + let r0_tmp = mm256_mullo_epi32(*r1, mm256_set1_epi32(alpha)); + let r0_tmp = mm256_sub_epi32(r, r0_tmp); + + let field_modulus_halved = mm256_set1_epi32((FIELD_MODULUS - 1) / 2); + let mask = mm256_sub_epi32(field_modulus_halved, r0_tmp); let mask = mm256_srai_epi32::<31>(mask); let field_modulus_and_mask = mm256_and_si256(mask, mm256_set1_epi32(FIELD_MODULUS)); - *r0 = mm256_sub_epi32(*r0, field_modulus_and_mask); + *r0 = mm256_sub_epi32(r0_tmp, field_modulus_and_mask); } #[inline(always)] @@ -230,7 +233,7 @@ pub(super) fn use_hint(gamma2: Gamma2, r: &Vec256, hint: &mut Vec256) { let mut r1_plus_hints = mm256_add_epi32(r1, hints); match gamma2 { - Gamma2::V95_232 => { + GAMMA2_V95_232 => { let max = mm256_set1_epi32(43); // If |r1_plus_hints[i]| is negative, it must be that |r1[i]| is @@ -242,8 +245,10 @@ pub(super) fn use_hint(gamma2: Gamma2, r: &Vec256, hint: &mut Vec256) { // If r1 is greater than equal to 43, we need to set the result to 0. *hint = vec256_blendv_epi32(r1_plus_hints, all_zeros, greater_than_or_equal_to_max); } - Gamma2::V261_888 => { + GAMMA2_V261_888 => { *hint = mm256_and_si256(r1_plus_hints, mm256_set1_epi32(15)); } + + _ => unreachable!(), } } diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs index 54c59e20d..e66e75b83 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs @@ -132,5 +132,10 @@ pub(crate) fn deserialize_to_unsigned(eta: Eta, serialized: &[u8]) -> Vec256 { pub(crate) fn deserialize(eta: Eta, serialized: &[u8], out: &mut Vec256) { let unsigned = deserialize_to_unsigned(eta, serialized); - *out = mm256_sub_epi32(mm256_set1_epi32(eta as i32), unsigned); + // [eurydice]: https://github.com/AeneasVerif/eurydice/issues/122 + let eta = match eta { + Eta::Two => 2, + Eta::Four => 4, + }; + *out = mm256_sub_epi32(mm256_set1_epi32(eta), unsigned); } diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index ac4e9393b..6a179acbb 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -1,6 +1,6 @@ use super::vector_type::{Coefficients, FieldElement}; use crate::{ - constants::{Gamma2, BITS_IN_LOWER_PART_OF_T}, + constants::{Gamma2, BITS_IN_LOWER_PART_OF_T, GAMMA2_V261_888, GAMMA2_V95_232}, helper::cloop, simd::traits::{ FieldElementTimesMontgomeryR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, @@ -213,7 +213,7 @@ fn decompose_element(gamma2: Gamma2, r: i32) -> (i32, i32) { let ceil_of_r_by_128 = (r + 127) >> 7; match gamma2 { - Gamma2::V95_232 => { + GAMMA2_V95_232 => { // We approximate 1 / 1488 as: // ⌊2²⁴ / 1488⌋ / 2²⁴ = 11,275 / 2²⁴ let result = ((ceil_of_r_by_128 * 11_275) + (1 << 23)) >> 24; @@ -221,7 +221,7 @@ fn decompose_element(gamma2: Gamma2, r: i32) -> (i32, i32) { // For the corner-case a₁ = (q-1)/α = 44, we have to set a₁=0. (result ^ (43 - result) >> 31) & result } - Gamma2::V261_888 => { + GAMMA2_V261_888 => { // We approximate 1 / 4092 as: // ⌊2²² / 4092⌋ / 2²² = 1025 / 2²² let result = (ceil_of_r_by_128 * 1025 + (1 << 21)) >> 22; @@ -229,10 +229,12 @@ fn decompose_element(gamma2: Gamma2, r: i32) -> (i32, i32) { // For the corner-case a₁ = (q-1)/α = 16, we have to set a₁=0. result & 15 } + + _ => unreachable!(), } }; - let alpha = gamma2 as i32 * 2; + let alpha = gamma2 * 2; let mut r0 = r - (r1 * alpha); // In the corner-case, when we set a₁=0, we will incorrectly @@ -252,7 +254,7 @@ pub(crate) fn use_one_hint(gamma2: Gamma2, r: i32, hint: i32) -> i32 { } match gamma2 { - Gamma2::V95_232 => { + GAMMA2_V95_232 => { if r0 > 0 { if r1 == 43 { 0 @@ -266,13 +268,15 @@ pub(crate) fn use_one_hint(gamma2: Gamma2, r: i32, hint: i32) -> i32 { } } - Gamma2::V261_888 => { + GAMMA2_V261_888 => { if r0 > 0 { (r1 + hint) & 15 } else { (r1 - hint) & 15 } } + + _ => unreachable!(), } } @@ -315,10 +319,10 @@ mod tests { #[test] fn test_use_one_hint() { - assert_eq!(use_one_hint(Gamma2::V95_232, 7622170, 0), 40); - assert_eq!(use_one_hint(Gamma2::V95_232, 2332762, 1), 13); + assert_eq!(use_one_hint(GAMMA2_V95_232, 7622170, 0), 40); + assert_eq!(use_one_hint(GAMMA2_V95_232, 2332762, 1), 13); - assert_eq!(use_one_hint(Gamma2::V261_888, 7691572, 0), 15); - assert_eq!(use_one_hint(Gamma2::V261_888, 6635697, 1), 12); + assert_eq!(use_one_hint(GAMMA2_V261_888, 7691572, 0), 15); + assert_eq!(use_one_hint(GAMMA2_V261_888, 6635697, 1), 12); } } diff --git a/libcrux-ml-dsa/src/simd/tests.rs b/libcrux-ml-dsa/src/simd/tests.rs index 387cf52fc..ec1e514e9 100644 --- a/libcrux-ml-dsa/src/simd/tests.rs +++ b/libcrux-ml-dsa/src/simd/tests.rs @@ -1,4 +1,7 @@ -use crate::{constants::Gamma2, simd::traits::*}; +use crate::{ + constants::{GAMMA2_V261_888, GAMMA2_V95_232}, + simd::traits::*, +}; fn test_decompose_generic() { // When GAMMA2 = 95,232 @@ -14,7 +17,7 @@ fn test_decompose_generic() { let expected_high = [29, 28, 1, 43, 27, 29, 18, 21]; let (mut low, mut high) = (SIMDUnit::zero(), SIMDUnit::zero()); - SIMDUnit::decompose(Gamma2::V95_232, &input, &mut low, &mut high); + SIMDUnit::decompose(GAMMA2_V95_232, &input, &mut low, &mut high); let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; SIMDUnit::to_coefficient_array(&low, &mut out); @@ -38,7 +41,7 @@ fn test_decompose_generic() { ]; let expected_high = [4, 14, 12, 15, 4, 0, 1, 4]; - SIMDUnit::decompose(Gamma2::V261_888, &input, &mut low, &mut high); + SIMDUnit::decompose(GAMMA2_V261_888, &input, &mut low, &mut high); let mut out = [0i32; COEFFICIENTS_IN_SIMD_UNIT]; SIMDUnit::to_coefficient_array(&low, &mut out); From bcc7d0b38d9b38bbff44b81c78b56bed79e4f9eb Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 3 Jan 2025 14:05:54 +0000 Subject: [PATCH 36/58] mldsa: minor cleanup --- libcrux-ml-dsa/src/ml_dsa_65.rs | 20 ++++++++++++-------- libcrux-ml-dsa/src/simd/traits.rs | 2 +- libcrux-ml-dsa/src/types.rs | 5 +++++ 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/libcrux-ml-dsa/src/ml_dsa_65.rs b/libcrux-ml-dsa/src/ml_dsa_65.rs index 2f6ac408f..2bd396070 100644 --- a/libcrux-ml-dsa/src/ml_dsa_65.rs +++ b/libcrux-ml-dsa/src/ml_dsa_65.rs @@ -75,14 +75,18 @@ macro_rules! instantiate { pub fn generate_key_pair( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], ) -> MLDSA65KeyPair { - let mut signing_key = [0u8; SIGNING_KEY_SIZE]; - let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; - p::generate_key_pair_v65(randomness, &mut signing_key, &mut verification_key); - - MLDSA65KeyPair { - signing_key: MLDSASigningKey::new(signing_key), - verification_key: MLDSAVerificationKey::new(verification_key), - } + let mut kp = MLDSA65KeyPair { + signing_key: MLDSASigningKey::zero(), + verification_key: MLDSAVerificationKey::zero(), + }; + + p::generate_key_pair_v65( + randomness, + &mut kp.signing_key.value, + &mut kp.verification_key.value, + ); + + kp } /// Generate an ML-DSA-65 Signature (Algorithm 7 in FIPS 204) /// diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index fb70c9f92..08cfa8678 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -17,7 +17,7 @@ pub const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58_728_449; pub(crate) type FieldElementTimesMontgomeryR = i32; pub(crate) trait Operations: Copy + Clone { - type Coefficient: Copy; // XXX: make generic? drop copy? + type Coefficient: Copy; // XXX: make generic? fn zero() -> Self::Coefficient; diff --git a/libcrux-ml-dsa/src/types.rs b/libcrux-ml-dsa/src/types.rs index b31c9c7b8..576492fec 100644 --- a/libcrux-ml-dsa/src/types.rs +++ b/libcrux-ml-dsa/src/types.rs @@ -9,6 +9,11 @@ macro_rules! impl_struct { } impl $name { + /// Init with zero + pub fn zero() -> Self { + Self { value: [0u8; SIZE] } + } + /// Build pub fn new(value: [u8; SIZE]) -> Self { Self { value } From 93e5ae635435d0f5e08641dba5c15cdeb7ed94c5 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 3 Jan 2025 19:44:25 +0000 Subject: [PATCH 37/58] mldsa: enable more tests --- libcrux-ml-dsa/src/encoding/commitment.rs | 1 - libcrux-ml-dsa/src/encoding/error.rs | 1 - libcrux-ml-dsa/src/encoding/gamma1.rs | 1 - libcrux-ml-dsa/src/encoding/t0.rs | 3 +-- libcrux-ml-dsa/src/encoding/t1.rs | 4 ++-- libcrux-ml-dsa/src/polynomial.rs | 4 +--- libcrux-ml-dsa/src/simd/portable/arithmetic.rs | 4 +--- 7 files changed, 5 insertions(+), 13 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/commitment.rs b/libcrux-ml-dsa/src/encoding/commitment.rs index 148373b57..f123ab670 100644 --- a/libcrux-ml-dsa/src/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/encoding/commitment.rs @@ -109,7 +109,6 @@ mod tests { assert_eq!(result, serialized); } - #[cfg(not(feature = "simd256"))] #[test] fn test_serialize_portable() { test_serialize_generic::(); diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index 989721423..8d464ffe2 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -134,7 +134,6 @@ mod tests { assert_eq!(deserialized.to_i32_array(), expected_coefficients); } - #[cfg(not(feature = "simd256"))] #[test] fn test_deserialize_portable() { test_deserialize_generic::(); diff --git a/libcrux-ml-dsa/src/encoding/gamma1.rs b/libcrux-ml-dsa/src/encoding/gamma1.rs index fc1cc5c3b..433c3fd8c 100644 --- a/libcrux-ml-dsa/src/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/encoding/gamma1.rs @@ -251,7 +251,6 @@ mod tests { assert_eq!(result.to_i32_array(), expected_coefficients); } - #[cfg(not(feature = "simd256"))] mod portable { use super::*; diff --git a/libcrux-ml-dsa/src/encoding/t0.rs b/libcrux-ml-dsa/src/encoding/t0.rs index 2a3600d1d..d2b434d5d 100644 --- a/libcrux-ml-dsa/src/encoding/t0.rs +++ b/libcrux-ml-dsa/src/encoding/t0.rs @@ -165,12 +165,11 @@ mod tests { assert_eq!(deserialized.to_i32_array(), expected_coefficients); } - #[cfg(not(feature = "simd256"))] #[test] fn test_serialize_portable() { test_serialize_generic::(); } - #[cfg(not(feature = "simd256"))] + #[test] fn test_deserialize_portable() { test_deserialize_generic::(); diff --git a/libcrux-ml-dsa/src/encoding/t1.rs b/libcrux-ml-dsa/src/encoding/t1.rs index 8c52e02b7..2af54926e 100644 --- a/libcrux-ml-dsa/src/encoding/t1.rs +++ b/libcrux-ml-dsa/src/encoding/t1.rs @@ -130,12 +130,11 @@ mod tests { assert_eq!(deserialized.to_i32_array(), expected_coefficients); } - #[cfg(not(feature = "simd256"))] #[test] fn test_serialize_portable() { test_serialize_generic::(); } - #[cfg(not(feature = "simd256"))] + #[test] fn test_deserialize_portable() { test_deserialize_generic::(); @@ -146,6 +145,7 @@ mod tests { fn test_serialize_simd256() { test_serialize_generic::(); } + #[cfg(feature = "simd256")] #[test] fn test_deserialize_simd256() { diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index bae18d3bc..50f48ad94 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -52,9 +52,7 @@ impl PolynomialRingElement { pub(crate) fn infinity_norm_exceeds(&self, bound: i32) -> bool { let mut result = false; for i in 0..self.simd_units.len() { - if !result && SIMDUnit::infinity_norm_exceeds(&self.simd_units[i], bound) { - result = result || true; - } + result = result || SIMDUnit::infinity_norm_exceeds(&self.simd_units[i], bound); } result diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 6a179acbb..eb4a0434e 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -136,9 +136,7 @@ pub(super) fn infinity_norm_exceeds(simd_unit: &Coefficients, bound: i32) -> boo // FIXME: return // [hax] https://github.com/hacspec/hax/issues/1204 - if normalized >= bound { - result = true; - } + result = result ||normalized >= bound; } } From 607bd6c1c792980e9fc55f66291a8d8ca584d1ef Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Tue, 7 Jan 2025 12:03:56 +0000 Subject: [PATCH 38/58] update F* extraction --- .../extraction/Libcrux_ml_dsa.Arithmetic.fst | 6 +- .../extraction/Libcrux_ml_dsa.Arithmetic.fsti | 4 +- .../extraction/Libcrux_ml_dsa.Constants.fst | 33 +- .../extraction/Libcrux_ml_dsa.Constants.fsti | 31 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst | 49 ++- .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst | 49 ++- .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst | 49 ++- ...neric.Instantiations.Avx2.Avx2_feature.fst | 60 --- ...eric.Instantiations.Avx2.Avx2_feature.fsti | 18 - ...dsa.Ml_dsa_generic.Instantiations.Avx2.fst | 82 ++++- ...sa.Ml_dsa_generic.Instantiations.Avx2.fsti | 28 ++ .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 24 +- .../extraction/Libcrux_ml_dsa.Polynomial.fst | 87 ++--- .../extraction/Libcrux_ml_dsa.Polynomial.fsti | 28 +- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst | 344 +++++++++--------- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti | 31 +- ...ibcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst | 7 +- .../extraction/Libcrux_ml_dsa.Simd.Avx2.fsti | 18 +- ...ibcrux_ml_dsa.Simd.Portable.Arithmetic.fst | 42 ++- ...bcrux_ml_dsa.Simd.Portable.Arithmetic.fsti | 10 +- .../Libcrux_ml_dsa.Simd.Portable.fsti | 27 +- .../Libcrux_ml_dsa.Simd.Traits.fsti | 32 +- .../fstar/extraction/Libcrux_ml_dsa.Types.fst | 9 + .../extraction/Libcrux_ml_dsa.Types.fsti | 12 + 24 files changed, 543 insertions(+), 537 deletions(-) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst index 999126874..5154e697d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst @@ -15,7 +15,7 @@ let decompose_vector i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (dimension: usize) - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (t low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & @@ -323,7 +323,7 @@ let vector_infinity_norm_exceeds <: bool) then - let result:bool = result || true in + let result:bool = true in result else result) in @@ -447,7 +447,7 @@ let use_hint (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (hint: t_Slice (t_Array i32 (sz 256))) (re_vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti index 162c31133..b3c33c15c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti @@ -13,7 +13,7 @@ val decompose_vector (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (dimension: usize) - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (t low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & @@ -61,7 +61,7 @@ val make_hint val use_hint (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (hint: t_Slice (t_Array i32 (sz 256))) (re_vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst index a8b6eebb7..4bd1b2888 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst @@ -8,11 +8,6 @@ let t_Eta_cast_to_repr (x: t_Eta) = | Eta_Two -> discriminant_Eta_Two | Eta_Four -> discriminant_Eta_Four -let t_Gamma2_cast_to_repr (x: t_Gamma2) = - match x <: t_Gamma2 with - | Gamma2_V95_232_ -> discriminant_Gamma2_V95_232_ - | Gamma2_V261_888_ -> discriminant_Gamma2_V261_888_ - let error_ring_element_size (bits_per_error_coefficient: usize) = (bits_per_error_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 @@ -37,36 +32,12 @@ let verification_key_size (rows_in_a: usize) = [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl': Core.Fmt.t_Debug t_Eta +val impl': Core.Clone.t_Clone t_Eta let impl = impl' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_1': Core.Clone.t_Clone t_Eta +val impl_1': Core.Marker.t_Copy t_Eta let impl_1 = impl_1' - -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_2': Core.Marker.t_Copy t_Eta - -let impl_2 = impl_2' - -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_3': Core.Fmt.t_Debug t_Gamma2 - -let impl_3 = impl_3' - -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_4': Core.Clone.t_Clone t_Gamma2 - -let impl_4 = impl_4' - -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_5': Core.Marker.t_Copy t_Gamma2 - -let impl_5 = impl_5' diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti index e94db3904..0b03b8cd6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti @@ -14,17 +14,6 @@ let discriminant_Eta_Two: isize = isz 2 val t_Eta_cast_to_repr (x: t_Eta) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) -let discriminant_Gamma2_V261_888_: isize = isz 261888 - -/// Gamma2 values -type t_Gamma2 = - | Gamma2_V95_232_ : t_Gamma2 - | Gamma2_V261_888_ : t_Gamma2 - -let discriminant_Gamma2_V95_232_: isize = isz 95232 - -val t_Gamma2_cast_to_repr (x: t_Gamma2) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) - let v_BITS_IN_LOWER_PART_OF_T: usize = sz 13 let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = sz 64 @@ -41,6 +30,10 @@ let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = sz 23 let v_BITS_IN_UPPER_PART_OF_T: usize = v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! v_BITS_IN_LOWER_PART_OF_T +let v_GAMMA2_V261_888_: i32 = 261888l + +let v_GAMMA2_V95_232_: i32 = 95232l + /// Number of bytes of entropy required for key generation. let v_KEY_GENERATION_RANDOMNESS_SIZE: usize = sz 32 @@ -74,19 +67,7 @@ val signing_key_size (rows_in_a columns_in_a error_ring_element_size: usize) val verification_key_size (rows_in_a: usize) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Core.Fmt.t_Debug t_Eta - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Core.Clone.t_Clone t_Eta - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_2:Core.Marker.t_Copy t_Eta - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_3:Core.Fmt.t_Debug t_Gamma2 - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_4:Core.Clone.t_Clone t_Gamma2 +val impl:Core.Clone.t_Clone t_Eta [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_5:Core.Marker.t_Copy t_Gamma2 +val impl_1:Core.Marker.t_Copy t_Eta diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst index a7e1441c6..dd13a28ce 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst @@ -4,24 +4,45 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key:t_Array u8 (sz 4032) = Rust_primitives.Hax.repeat 0uy (sz 4032) in - let verification_key:t_Array u8 (sz 1952) = Rust_primitives.Hax.repeat 0uy (sz 1952) in + let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = + { + Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__zero (sz 4032) (); + Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.impl_2__zero (sz 1952) () + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + in let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair_v65 randomness - signing_key - verification_key + kp.Libcrux_ml_dsa.Types.f_signing_key.Libcrux_ml_dsa.Types.f_value + kp.Libcrux_ml_dsa.Types.f_verification_key.Libcrux_ml_dsa.Types.f_value + in + let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = + { + kp with + Libcrux_ml_dsa.Types.f_signing_key + = + { kp.Libcrux_ml_dsa.Types.f_signing_key with Libcrux_ml_dsa.Types.f_value = tmp0 } + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + in + let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = + { + kp with + Libcrux_ml_dsa.Types.f_verification_key + = + { kp.Libcrux_ml_dsa.Types.f_verification_key with Libcrux_ml_dsa.Types.f_value = tmp1 } + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) in - let signing_key:t_Array u8 (sz 4032) = tmp0 in - let verification_key:t_Array u8 (sz 1952) = tmp1 in let _:Prims.unit = () in - { - Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4032) signing_key; - Libcrux_ml_dsa.Types.f_verification_key - = - Libcrux_ml_dsa.Types.impl_2__new (sz 1952) verification_key - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + kp let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst index a2f7a77d7..4d3b60483 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst @@ -4,24 +4,45 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key:t_Array u8 (sz 4032) = Rust_primitives.Hax.repeat 0uy (sz 4032) in - let verification_key:t_Array u8 (sz 1952) = Rust_primitives.Hax.repeat 0uy (sz 1952) in + let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = + { + Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__zero (sz 4032) (); + Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.impl_2__zero (sz 1952) () + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + in let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v65 randomness - signing_key - verification_key + kp.Libcrux_ml_dsa.Types.f_signing_key.Libcrux_ml_dsa.Types.f_value + kp.Libcrux_ml_dsa.Types.f_verification_key.Libcrux_ml_dsa.Types.f_value + in + let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = + { + kp with + Libcrux_ml_dsa.Types.f_signing_key + = + { kp.Libcrux_ml_dsa.Types.f_signing_key with Libcrux_ml_dsa.Types.f_value = tmp0 } + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + in + let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = + { + kp with + Libcrux_ml_dsa.Types.f_verification_key + = + { kp.Libcrux_ml_dsa.Types.f_verification_key with Libcrux_ml_dsa.Types.f_value = tmp1 } + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) in - let signing_key:t_Array u8 (sz 4032) = tmp0 in - let verification_key:t_Array u8 (sz 1952) = tmp1 in let _:Prims.unit = () in - { - Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4032) signing_key; - Libcrux_ml_dsa.Types.f_verification_key - = - Libcrux_ml_dsa.Types.impl_2__new (sz 1952) verification_key - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + kp let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst index 0bd7ed8ab..eb7539a48 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst @@ -4,24 +4,45 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let signing_key:t_Array u8 (sz 4032) = Rust_primitives.Hax.repeat 0uy (sz 4032) in - let verification_key:t_Array u8 (sz 1952) = Rust_primitives.Hax.repeat 0uy (sz 1952) in + let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = + { + Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__zero (sz 4032) (); + Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.impl_2__zero (sz 1952) () + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + in let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v65 randomness - signing_key - verification_key + kp.Libcrux_ml_dsa.Types.f_signing_key.Libcrux_ml_dsa.Types.f_value + kp.Libcrux_ml_dsa.Types.f_verification_key.Libcrux_ml_dsa.Types.f_value + in + let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = + { + kp with + Libcrux_ml_dsa.Types.f_signing_key + = + { kp.Libcrux_ml_dsa.Types.f_signing_key with Libcrux_ml_dsa.Types.f_value = tmp0 } + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + in + let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = + { + kp with + Libcrux_ml_dsa.Types.f_verification_key + = + { kp.Libcrux_ml_dsa.Types.f_verification_key with Libcrux_ml_dsa.Types.f_value = tmp1 } + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) in - let signing_key:t_Array u8 (sz 4032) = tmp0 in - let verification_key:t_Array u8 (sz 1952) = tmp1 in let _:Prims.unit = () in - { - Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4032) signing_key; - Libcrux_ml_dsa.Types.f_verification_key - = - Libcrux_ml_dsa.Types.impl_2__new (sz 1952) verification_key - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + kp let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst index a991b1cd8..26a7dcb2f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst @@ -17,66 +17,6 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let generate_key_pair_v44 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v44 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 - randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v65 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v65 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 - randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v87 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v87 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 - randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - let sign (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti index 513d33c88..7e8486fde 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti @@ -17,24 +17,6 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -/// Generate key pair. -val generate_key_pair_v44 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate key pair. -val generate_key_pair_v65 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate key pair. -val generate_key_pair_v87 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - /// Sign. val sign (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst index b2566a4a0..e2b4c9833 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst @@ -3,45 +3,115 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 open Core open FStar.Mul -let generate_key_pair_v44 +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair_v44___inner (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) = let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.generate_key_pair_v44 randomness + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v44 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 + randomness signing_key verification_key in let signing_key:t_Slice u8 = tmp0 in let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v44 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + generate_key_pair_v44___inner randomness signing_key verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in let hax_temp_output:Prims.unit = () in signing_key, verification_key <: (t_Slice u8 & t_Slice u8) -let generate_key_pair_v65 +let generate_key_pair_v65___inner (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) = let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.generate_key_pair_v65 randomness + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v65 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 + randomness signing_key verification_key in let signing_key:t_Slice u8 = tmp0 in let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v65 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + generate_key_pair_v65___inner randomness signing_key verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in let hax_temp_output:Prims.unit = () in signing_key, verification_key <: (t_Slice u8 & t_Slice u8) -let generate_key_pair_v87 +let generate_key_pair_v87___inner (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) = let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.generate_key_pair_v87 randomness + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v87 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 + randomness signing_key verification_key in let signing_key:t_Slice u8 = tmp0 in let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair_v87 + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + generate_key_pair_v87___inner randomness signing_key verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in let hax_temp_output:Prims.unit = () in signing_key, verification_key <: (t_Slice u8 & t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti index 8a692ac3d..17a043f5b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti @@ -3,18 +3,46 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 open Core open FStar.Mul +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +val generate_key_pair_v44___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + /// Generate key pair. val generate_key_pair_v44 (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair_v65___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + /// Generate key pair. val generate_key_pair_v65 (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair_v87___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + /// Generate key pair. val generate_key_pair_v87 (randomness: t_Array u8 (sz 32)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index f0ca1cbc1..c9a3bdca6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst @@ -167,16 +167,6 @@ let sign_internal <: Rust_primitives.Hax.t_Never) in - let gamma2:Libcrux_ml_dsa.Constants.t_Gamma2 = - match v_GAMMA2 <: i32 with - | 95232l -> Libcrux_ml_dsa.Constants.Gamma2_V95_232_ <: Libcrux_ml_dsa.Constants.t_Gamma2 - | 261888l -> Libcrux_ml_dsa.Constants.Gamma2_V261_888_ <: Libcrux_ml_dsa.Constants.t_Gamma2 - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 (signing_key <: t_Slice u8) @@ -446,7 +436,7 @@ let sign_internal t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit v_ROWS_IN_A - gamma2 + v_GAMMA2 (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) w0 commitment @@ -888,16 +878,6 @@ let verify_internal Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) = - let gamma2:Libcrux_ml_dsa.Constants.t_Gamma2 = - match v_GAMMA2 <: i32 with - | 95232l -> Libcrux_ml_dsa.Constants.Gamma2_V95_232_ <: Libcrux_ml_dsa.Constants.t_Gamma2 - | 261888l -> Libcrux_ml_dsa.Constants.Gamma2_V261_888_ <: Libcrux_ml_dsa.Constants.t_Gamma2 - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 (verification_key <: t_Slice u8) @@ -1057,7 +1037,7 @@ let verify_internal in let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit - gamma2 + v_GAMMA2 (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) t1 in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst index 7f0a7f910..247b0feb9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst @@ -134,18 +134,13 @@ let impl__infinity_norm_exceeds (fun result i -> let result:bool = result in let i:usize = i in - if - (~.result <: bool) && - (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (self.f_simd_units.[ i ] <: i1.f_Coefficient) - bound - <: - bool) - then - let result:bool = result || true in - result - else result) + result || + (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (self.f_simd_units.[ i ] <: i1.f_Coefficient) + bound + <: + bool)) in result @@ -265,42 +260,38 @@ let impl__zero <: t_PolynomialRingElement v_SIMDUnit -// [@@ FStar.Tactics.Typeclasses.tcinstance] -// assume -// val impl_1': -// #v_SIMDUnit: Type0 -> -// {| i1: Core.Clone.t_Clone v_SIMDUnit |} -> -// {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> -// {| i3: Core.Clone.t_Clone v_7494601369702794077.f_Coefficient |} -// -> Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit) +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_1': + #v_SIMDUnit: Type0 -> + {| i1: Core.Clone.t_Clone v_SIMDUnit |} -> + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> + {| i3: Core.Clone.t_Clone i2.f_Coefficient |} + -> Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit) -// let impl_1 -// (#v_SIMDUnit: Type0) -// (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_SIMDUnit) -// (#[FStar.Tactics.Typeclasses.tcresolve ()] -// i2: -// Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) -// (#[FStar.Tactics.Typeclasses.tcresolve ()] -// i3: -// Core.Clone.t_Clone v_7494601369702794077.f_Coefficient) -// = impl_1' #v_SIMDUnit #i1 #i2 #i3 +let impl_1 + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Core.Clone.t_Clone i2.f_Coefficient) + = impl_1' #v_SIMDUnit #i1 #i2 #i3 -// [@@ FStar.Tactics.Typeclasses.tcinstance] -// assume -// val impl_2': -// #v_SIMDUnit: Type0 -> -// {| i1: Core.Marker.t_Copy v_SIMDUnit |} -> -// {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> -// {| i3: Core.Marker.t_Copy v_7494601369702794077.f_Coefficient |} -// -> Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_2': + #v_SIMDUnit: Type0 -> + {| i1: Core.Marker.t_Copy v_SIMDUnit |} -> + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> + {| i3: Core.Marker.t_Copy i2.f_Coefficient |} + -> Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) -// let impl_2 -// (#v_SIMDUnit: Type0) -// (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Marker.t_Copy v_SIMDUnit) -// (#[FStar.Tactics.Typeclasses.tcresolve ()] -// i2: -// Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) -// (#[FStar.Tactics.Typeclasses.tcresolve ()] -// i3: -// Core.Marker.t_Copy v_7494601369702794077.f_Coefficient) -// = impl_2' #v_SIMDUnit #i1 #i2 #i3 +let impl_2 + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Marker.t_Copy v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Core.Marker.t_Copy i2.f_Coefficient) + = impl_2' #v_SIMDUnit #i1 #i2 #i3 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti index b35ca6810..b626583c2 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti @@ -51,18 +51,18 @@ val impl__zero: Prims.unit -> Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -// [@@ FStar.Tactics.Typeclasses.tcinstance] -// val impl_1 -// (#v_SIMDUnit: Type0) -// {| i1: Core.Clone.t_Clone v_SIMDUnit |} -// {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -// {| i3: Core.Clone.t_Clone v_7494601369702794077.f_Coefficient |} -// : Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit) +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_1 + (#v_SIMDUnit: Type0) + {| i1: Core.Clone.t_Clone v_SIMDUnit |} + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Core.Clone.t_Clone i2.f_Coefficient |} + : Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit) -// [@@ FStar.Tactics.Typeclasses.tcinstance] -// val impl_2 -// (#v_SIMDUnit: Type0) -// {| i1: Core.Marker.t_Copy v_SIMDUnit |} -// {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -// {| i3: Core.Marker.t_Copy v_7494601369702794077.f_Coefficient |} -// : Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_2 + (#v_SIMDUnit: Type0) + {| i1: Core.Marker.t_Copy v_SIMDUnit |} + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Core.Marker.t_Copy i2.f_Coefficient |} + : Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst index ed263e9c6..a4bb19249 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst @@ -3,12 +3,6 @@ module Libcrux_ml_dsa.Simd.Avx2.Arithmetic open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_intrinsics.Avx2_extract in - () - let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let hax_temp_output, lhs:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = (), Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 lhs rhs @@ -103,7 +97,7 @@ let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2 in simd_unit -let to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let to_unsigned_representatives_ret (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l t in @@ -113,28 +107,139 @@ let to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 t conditional_add_field_modulus - in + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 t conditional_add_field_modulus + +let to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives_ret t in t -let decompose - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) - (r r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - = - let r:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Core.Clone.f_clone #Libcrux_intrinsics.Avx2_extract.t_Vec256 #FStar.Tactics.Typeclasses.solve r - in - let r:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives r in - let field_modulus_halved:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! - 1l - <: - i32) /! - 2l +let power2round (r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives r0 in + let r1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r0 + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((1l < + match gamma2 <: i32 with + | 95232l -> let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 11275l @@ -175,8 +280,11 @@ let decompose let not_result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_xor_si256 result mask in - Libcrux_intrinsics.Avx2_extract.mm256_and_si256 result not_result - | Libcrux_ml_dsa.Constants.Gamma2_V261_888_ -> + let r1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 result not_result + in + r1 + | 261888l -> let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1025l @@ -192,25 +300,36 @@ let decompose let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 22l result in - Libcrux_intrinsics.Avx2_extract.mm256_and_si256 result - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let alpha:i32 = - (cast (Libcrux_ml_dsa.Constants.t_Gamma2_cast_to_repr gamma2 <: isize) <: i32) *! 2l + let r1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 result + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + r1 + | _ -> r1 in - let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let alpha:i32 = gamma2 *! 2l in + let r0_tmp:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 r1 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 alpha <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r r0 + let r0_tmp:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r r0_tmp + in + let field_modulus_halved:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! + 1l + <: + i32) /! + 2l + <: + i32) in let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 field_modulus_halved r0 + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 field_modulus_halved r0_tmp in let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l mask @@ -222,39 +341,11 @@ let decompose Libcrux_intrinsics.Avx2_extract.t_Vec256) in let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r0 field_modulus_and_mask - in - r0, r1 <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - -let power2round (r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives r0 in - let r1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r0 - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((1l < + match gamma2 <: i32 with + | 95232l -> let max:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 43l in @@ -308,7 +399,7 @@ let use_hint <: ((Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) & Prims.unit) - | Libcrux_ml_dsa.Constants.Gamma2_V261_888_ -> + | 261888l -> let hint:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_and_si256 r1_plus_hints (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l @@ -322,105 +413,16 @@ let use_hint <: ((Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) & Prims.unit) - in - hint - -let montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS - in - let inverse_of_modulus_mod_montgomery_r:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R - <: - u64) - <: - i32) - in - let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs - in - let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - lhs - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs + | _ -> + (hint, r1_plus_hints <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus - in - let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus - in - let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 - in - let res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 - in - let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 - in - lhs + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)), + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -let montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32) = - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 constant - in - let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS - in - let inverse_of_modulus_mod_montgomery_r:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R - <: - u64) - <: - i32) - in - let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs - in - let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - lhs - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus - in - let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus - in - let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 - in - let res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 - in - let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 + <: + Rust_primitives.Hax.t_Never) + <: + ((Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) & + Prims.unit) in - Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 + hint diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti index 368816f48..d8830444f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti @@ -3,12 +3,6 @@ module Libcrux_ml_dsa.Simd.Avx2.Arithmetic open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_intrinsics.Avx2_extract in - () - val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -26,16 +20,11 @@ val subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val to_unsigned_representatives_ret (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val decompose - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) - (r r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - Prims.l_True - (fun _ -> Prims.l_True) +val to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val power2round (r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure @@ -43,13 +32,17 @@ val power2round (r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) Prims.l_True (fun _ -> Prims.l_True) -val use_hint - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) - (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - val montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val decompose (gamma2: i32) (r r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + Prims.l_True + (fun _ -> Prims.l_True) + +val use_hint (gamma2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst index b42de31f4..833930c84 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst @@ -80,9 +80,14 @@ let deserialize (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let unsigned:Libcrux_intrinsics.Avx2_extract.t_Vec256 = deserialize_to_unsigned eta serialized in + let eta:i32 = + match eta <: Libcrux_ml_dsa.Constants.t_Eta with + | Libcrux_ml_dsa.Constants.Eta_Two -> 2l + | Libcrux_ml_dsa.Constants.Eta_Four -> 4l + in let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 - (cast (Libcrux_ml_dsa.Constants.t_Eta_cast_to_repr eta <: isize) <: i32) + eta <: Libcrux_intrinsics.Avx2_extract.t_Vec256) unsigned diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti index ab1a4cc34..c01940791 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti @@ -15,10 +15,10 @@ let _ = let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; + _super_13011033735201511749 = FStar.Tactics.Typeclasses.solve; + _super_9529721400157967266 = FStar.Tactics.Typeclasses.solve; f_Coefficient = Libcrux_intrinsics.Avx2_extract.t_Vec256; - f_Coefficient_11316922548682728705 = FStar.Tactics.Typeclasses.solve; + f_Coefficient_2030105210046411076 = FStar.Tactics.Typeclasses.solve; f_zero_pre = (fun (_: Prims.unit) -> true); f_zero_post = (fun (_: Prims.unit) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); f_zero = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Avx2.Vector_type.zero ()); @@ -201,7 +201,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_decompose_pre = (fun - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) @@ -210,7 +210,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_decompose_post = (fun - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) @@ -220,7 +220,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_decompose = (fun - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) @@ -271,7 +271,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_use_hint_pre = (fun - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> @@ -279,7 +279,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_use_hint_post = (fun - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) @@ -288,7 +288,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_use_hint = (fun - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst index bbaaa296e..2e36713a6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst @@ -32,7 +32,7 @@ let montgomery_reduce_element (value: i64) = let montgomery_multiply_fe_by_fer (fe fer: i32) = montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64) -let decompose_element (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (r: i32) = +let decompose_element (gamma2 r: i32) = let _:Prims.unit = if true then @@ -48,21 +48,24 @@ let decompose_element (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (r: i32) = let r:i32 = r +! ((r >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in let ceil_of_r_by_128_:i32 = (r +! 127l <: i32) >>! 7l in let r1:i32 = - match gamma2 <: Libcrux_ml_dsa.Constants.t_Gamma2 with - | Libcrux_ml_dsa.Constants.Gamma2_V95_232_ -> + match gamma2 <: i32 with + | 95232l -> let result:i32 = ((ceil_of_r_by_128_ *! 11275l <: i32) +! (1l <>! 24l in (result ^. ((43l -! result <: i32) >>! 31l <: i32) <: i32) &. result - | Libcrux_ml_dsa.Constants.Gamma2_V261_888_ -> + | 261888l -> let result:i32 = ((ceil_of_r_by_128_ *! 1025l <: i32) +! (1l <>! 22l in result &. 15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) in - let alpha:i32 = - (cast (Libcrux_ml_dsa.Constants.t_Gamma2_cast_to_repr gamma2 <: isize) <: i32) *! 2l - in + let alpha:i32 = gamma2 *! 2l in let r0:i32 = r -! (r1 *! alpha <: i32) in let r0:i32 = r0 -! @@ -100,18 +103,22 @@ let power2round_element (t: i32) = let t0:i32 = t -! (t1 < + match gamma2 <: i32 with + | 95232l -> if r0 >. 0l then if r1 =. 43l then 0l else r1 +! hint else if r1 =. 0l then 43l else r1 -! hint - | Libcrux_ml_dsa.Constants.Gamma2_V261_888_ -> - if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 15l + | 261888l -> if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) let add (lhs rhs: t_Array i32 (sz 8)) = let lhs:t_Array i32 (sz 8) = @@ -158,7 +165,7 @@ let compute_hint (v_GAMMA2: i32) (low high hint: t_Array i32 (sz 8)) = let hax_temp_output:usize = one_hints_count in hint, hax_temp_output <: (t_Array i32 (sz 8) & usize) -let decompose (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (simd_unit low high: t_Array i32 (sz 8)) = +let decompose (gamma2: i32) (simd_unit low high: t_Array i32 (sz 8)) = let high, low:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #i32 (low <: t_Slice i32) <: usize) @@ -209,11 +216,8 @@ let infinity_norm_exceeds (simd_unit: t_Array i32 (sz 8)) (bound: i32) = in let sign:i32 = coefficient >>! 31l in let normalized:i32 = coefficient -! (sign &. (2l *! coefficient <: i32) <: i32) in - if normalized >=. bound - then - let result:bool = true in - result - else result) + let result:bool = result || normalized >=. bound in + result) in result @@ -335,7 +339,7 @@ let subtract (lhs rhs: t_Array i32 (sz 8)) = let hax_temp_output:Prims.unit = () <: Prims.unit in lhs -let use_hint (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (simd_unit hint: t_Array i32 (sz 8)) = +let use_hint (gamma2: i32) (simd_unit hint: t_Array i32 (sz 8)) = let hint:t_Array i32 (sz 8) = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #i32 (hint <: t_Slice i32) <: usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti index de990a150..0a75f3d22 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti @@ -17,13 +17,11 @@ val montgomery_reduce_element (value: i64) : Prims.Pure i32 Prims.l_True (fun _ val montgomery_multiply_fe_by_fer (fe fer: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -val decompose_element (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (r: i32) - : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) +val decompose_element (gamma2 r: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) -val use_one_hint (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (r hint: i32) - : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) +val use_one_hint (gamma2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) val add (lhs rhs: t_Array i32 (sz 8)) : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) @@ -31,7 +29,7 @@ val add (lhs rhs: t_Array i32 (sz 8)) val compute_hint (v_GAMMA2: i32) (low high hint: t_Array i32 (sz 8)) : Prims.Pure (t_Array i32 (sz 8) & usize) Prims.l_True (fun _ -> Prims.l_True) -val decompose (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (simd_unit low high: t_Array i32 (sz 8)) +val decompose (gamma2: i32) (simd_unit low high: t_Array i32 (sz 8)) : Prims.Pure (t_Array i32 (sz 8) & t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) val infinity_norm_exceeds (simd_unit: t_Array i32 (sz 8)) (bound: i32) @@ -52,5 +50,5 @@ val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: t_Array i32 (sz 8)) val subtract (lhs rhs: t_Array i32 (sz 8)) : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) -val use_hint (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) (simd_unit hint: t_Array i32 (sz 8)) +val use_hint (gamma2: i32) (simd_unit hint: t_Array i32 (sz 8)) : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti index 561061007..dce1635e5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti @@ -13,10 +13,10 @@ let _ = let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; + _super_13011033735201511749 = FStar.Tactics.Typeclasses.solve; + _super_9529721400157967266 = FStar.Tactics.Typeclasses.solve; f_Coefficient = t_Array i32 (sz 8); - f_Coefficient_11316922548682728705 = FStar.Tactics.Typeclasses.solve; + f_Coefficient_2030105210046411076 = FStar.Tactics.Typeclasses.solve; f_zero_pre = (fun (_: Prims.unit) -> true); f_zero_post = (fun (_: Prims.unit) (out: t_Array i32 (sz 8)) -> true); f_zero = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Portable.Vector_type.zero ()); @@ -124,7 +124,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_decompose_pre = (fun - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (simd_unit: t_Array i32 (sz 8)) (low: t_Array i32 (sz 8)) (high: t_Array i32 (sz 8)) @@ -133,7 +133,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_decompose_post = (fun - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (simd_unit: t_Array i32 (sz 8)) (low: t_Array i32 (sz 8)) (high: t_Array i32 (sz 8)) @@ -143,7 +143,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_decompose = (fun - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (simd_unit: t_Array i32 (sz 8)) (low: t_Array i32 (sz 8)) (high: t_Array i32 (sz 8)) @@ -190,16 +190,11 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = hint, hax_temp_output <: (t_Array i32 (sz 8) & usize)); f_use_hint_pre = - (fun - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) - (simd_unit: t_Array i32 (sz 8)) - (hint: t_Array i32 (sz 8)) - -> - true); + (fun (gamma2: i32) (simd_unit: t_Array i32 (sz 8)) (hint: t_Array i32 (sz 8)) -> true); f_use_hint_post = (fun - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) + (gamma2: i32) (simd_unit: t_Array i32 (sz 8)) (hint: t_Array i32 (sz 8)) (out: t_Array i32 (sz 8)) @@ -207,11 +202,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = true); f_use_hint = - (fun - (gamma2: Libcrux_ml_dsa.Constants.t_Gamma2) - (simd_unit: t_Array i32 (sz 8)) - (hint: t_Array i32 (sz 8)) - -> + (fun (gamma2: i32) (simd_unit: t_Array i32 (sz 8)) (hint: t_Array i32 (sz 8)) -> let hax_temp_output, hint:(Prims.unit & t_Array i32 (sz 8)) = (), Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint gamma2 simd_unit hint <: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti index ce4ad8616..b97243e72 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti @@ -13,10 +13,10 @@ let v_SIMD_UNITS_IN_RING_ELEMENT: usize = Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT class t_Operations (v_Self: Type0) = { - [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; - [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; + [@@@ FStar.Tactics.Typeclasses.no_method]_super_13011033735201511749:Core.Marker.t_Copy v_Self; + [@@@ FStar.Tactics.Typeclasses.no_method]_super_9529721400157967266:Core.Clone.t_Clone v_Self; f_Coefficient:Type0; - f_Coefficient_11316922548682728705:Core.Marker.t_Copy f_Coefficient; + f_Coefficient_2030105210046411076:Core.Marker.t_Copy f_Coefficient; f_zero_pre:Prims.unit -> Type0; f_zero_post:Prims.unit -> f_Coefficient -> Type0; f_zero:x0: Prims.unit @@ -47,24 +47,15 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure bool (f_infinity_norm_exceeds_pre x0 x1) (fun result -> f_infinity_norm_exceeds_post x0 x1 result); - f_decompose_pre: - Libcrux_ml_dsa.Constants.t_Gamma2 -> - f_Coefficient -> - f_Coefficient -> - f_Coefficient - -> Type0; + f_decompose_pre:i32 -> f_Coefficient -> f_Coefficient -> f_Coefficient -> Type0; f_decompose_post: - Libcrux_ml_dsa.Constants.t_Gamma2 -> + i32 -> f_Coefficient -> f_Coefficient -> f_Coefficient -> (f_Coefficient & f_Coefficient) -> Type0; - f_decompose: - x0: Libcrux_ml_dsa.Constants.t_Gamma2 -> - x1: f_Coefficient -> - x2: f_Coefficient -> - x3: f_Coefficient + f_decompose:x0: i32 -> x1: f_Coefficient -> x2: f_Coefficient -> x3: f_Coefficient -> Prims.Pure (f_Coefficient & f_Coefficient) (f_decompose_pre x0 x1 x2 x3) (fun result -> f_decompose_post x0 x1 x2 x3 result); @@ -80,14 +71,9 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure (f_Coefficient & usize) (f_compute_hint_pre v_GAMMA2 x0 x1 x2) (fun result -> f_compute_hint_post v_GAMMA2 x0 x1 x2 result); - f_use_hint_pre:Libcrux_ml_dsa.Constants.t_Gamma2 -> f_Coefficient -> f_Coefficient -> Type0; - f_use_hint_post: - Libcrux_ml_dsa.Constants.t_Gamma2 -> - f_Coefficient -> - f_Coefficient -> - f_Coefficient - -> Type0; - f_use_hint:x0: Libcrux_ml_dsa.Constants.t_Gamma2 -> x1: f_Coefficient -> x2: f_Coefficient + f_use_hint_pre:i32 -> f_Coefficient -> f_Coefficient -> Type0; + f_use_hint_post:i32 -> f_Coefficient -> f_Coefficient -> f_Coefficient -> Type0; + f_use_hint:x0: i32 -> x1: f_Coefficient -> x2: f_Coefficient -> Prims.Pure f_Coefficient (f_use_hint_pre x0 x1 x2) (fun result -> f_use_hint_post x0 x1 x2 result); diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst index bf68637e5..18c957ce8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst @@ -66,6 +66,15 @@ val impl_7': Core.Fmt.t_Debug t_SigningError let impl_7 = impl_7' +let impl__zero (v_SIZE: usize) (_: Prims.unit) = + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSASigningKey v_SIZE + +let impl_2__zero (v_SIZE: usize) (_: Prims.unit) = + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSAVerificationKey v_SIZE + +let impl_4__zero (v_SIZE: usize) (_: Prims.unit) = + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSASignature v_SIZE + let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value <: t_Slice u8 let impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti index ee4a22f89..03b14dde4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti @@ -84,6 +84,18 @@ val impl_6:Core.Fmt.t_Debug t_VerificationError [@@ FStar.Tactics.Typeclasses.tcinstance] val impl_7:Core.Fmt.t_Debug t_SigningError +/// Init with zero +val impl__zero: v_SIZE: usize -> Prims.unit + -> Prims.Pure (t_MLDSASigningKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// Init with zero +val impl_2__zero: v_SIZE: usize -> Prims.unit + -> Prims.Pure (t_MLDSAVerificationKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// Init with zero +val impl_4__zero: v_SIZE: usize -> Prims.unit + -> Prims.Pure (t_MLDSASignature v_SIZE) Prims.l_True (fun _ -> Prims.l_True) + /// A reference to the raw byte slice. val impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) From 326c837a3312216350b547678452aa662185e425 Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Tue, 7 Jan 2025 13:47:10 +0100 Subject: [PATCH 39/58] Further macro monomorphization of parameter sets Includes refactoring of constants and restructured plumbing --- libcrux-ml-dsa/src/constants.rs | 98 +- libcrux-ml-dsa/src/ml_dsa_44.rs | 330 +---- libcrux-ml-dsa/src/ml_dsa_65.rs | 424 ++---- libcrux-ml-dsa/src/ml_dsa_87.rs | 411 ++---- libcrux-ml-dsa/src/ml_dsa_generic.rs | 1205 +++++++---------- .../src/ml_dsa_generic/instantiations.rs | 434 ++---- .../src/ml_dsa_generic/instantiations/avx2.rs | 816 +++-------- .../src/ml_dsa_generic/multiplexing.rs | 824 +++-------- macros/src/lib.rs | 124 +- 9 files changed, 1489 insertions(+), 3177 deletions(-) diff --git a/libcrux-ml-dsa/src/constants.rs b/libcrux-ml-dsa/src/constants.rs index cdcb8d6a8..e47f10840 100644 --- a/libcrux-ml-dsa/src/constants.rs +++ b/libcrux-ml-dsa/src/constants.rs @@ -51,8 +51,9 @@ pub(crate) const GAMMA2_V95_232: Gamma2 = 95_232; /// ML-DSA-44-specific parameters #[cfg(feature = "mldsa44")] -pub(crate) mod v44 { +pub(crate) mod ml_dsa_44 { use super::Eta; + use crate::constants::*; pub(crate) const ROWS_IN_A: usize = 4; pub(crate) const COLUMNS_IN_A: usize = 4; @@ -63,12 +64,32 @@ pub(crate) mod v44 { // in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in // 3 bits when ETA is 2. pub(crate) const BITS_PER_ERROR_COEFFICIENT: usize = 3; + + pub(crate) const GAMMA1_EXPONENT: usize = 17; + pub(crate) const GAMMA2: i32 = (FIELD_MODULUS - 1) / 88; + + // To sample a value in the interval [-(GAMMA - 1), GAMMA], we can sample a + // value (say 'v') in the interval [0, (2 * GAMMA) - 1] and then compute + // GAMMA - v. This can be done in 18 bits when GAMMA is 2^{17}. + pub(crate) const BITS_PER_GAMMA1_COEFFICIENT: usize = 18; + + pub(crate) const MAX_ONES_IN_HINT: usize = 80; + + pub(crate) const ONES_IN_VERIFIER_CHALLENGE: usize = 39; + + pub(crate) const COMMITMENT_HASH_SIZE: usize = 32; + + // Commitment coefficients are in the interval: [0, ((FIELD_MODULUS − 1)/2γ2) − 1] + // ((FIELD_MODULUS − 1)/2γ2) − 1 = 43, which means we need 6 bits to represent a + // coefficient. + pub(crate) const BITS_PER_COMMITMENT_COEFFICIENT: usize = 6; } /// ML-DSA-65-specific parameters #[cfg(feature = "mldsa65")] -pub(crate) mod v65 { +pub(crate) mod ml_dsa_65 { use super::Eta; + use crate::constants::*; pub(crate) const ROWS_IN_A: usize = 6; pub(crate) const COLUMNS_IN_A: usize = 5; @@ -79,12 +100,32 @@ pub(crate) mod v65 { // in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in // 4 bits when ETA is 4. pub(crate) const BITS_PER_ERROR_COEFFICIENT: usize = 4; + + pub(crate) const GAMMA1_EXPONENT: usize = 19; + pub(crate) const GAMMA2: i32 = (FIELD_MODULUS - 1) / 32; + + // To sample a value in the interval [-(GAMMA - 1), GAMMA], we can sample a + // value (say 'v') in the interval [0, (2 * GAMMA) - 1] and then compute + // GAMMA - v. This can be done in 20 bits when GAMMA is 2^{19}. + pub(crate) const BITS_PER_GAMMA1_COEFFICIENT: usize = 20; + + pub(crate) const MAX_ONES_IN_HINT: usize = 55; + + pub(crate) const ONES_IN_VERIFIER_CHALLENGE: usize = 49; + + pub(crate) const COMMITMENT_HASH_SIZE: usize = 48; + + // Commitment coefficients are in the interval: [0, ((FIELD_MODULUS − 1)/2γ2) − 1] + // ((FIELD_MODULUS − 1)/2γ2) − 1 = 15, which means we need 4 bits to represent a + // coefficient. + pub(crate) const BITS_PER_COMMITMENT_COEFFICIENT: usize = 4; } /// ML-DSA-87-specific parameters #[cfg(feature = "mldsa87")] -pub(crate) mod v87 { +pub(crate) mod ml_dsa_87 { use super::Eta; + use crate::constants::*; pub(crate) const ROWS_IN_A: usize = 8; pub(crate) const COLUMNS_IN_A: usize = 7; @@ -95,12 +136,50 @@ pub(crate) mod v87 { // in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in // 3 bits when ETA is 2. pub(crate) const BITS_PER_ERROR_COEFFICIENT: usize = 3; + + pub(crate) const GAMMA1_EXPONENT: usize = 19; + // To sample a value in the interval [-(GAMMA - 1), GAMMA], we can sample a + // value (say 'v') in the interval [0, (2 * GAMMA) - 1] and then compute + // GAMMA - v. This can be done in 20 bits when GAMMA is 2^{19}. + pub(crate) const BITS_PER_GAMMA1_COEFFICIENT: usize = 20; + + pub(crate) const MAX_ONES_IN_HINT: usize = 75; + + pub(crate) const ONES_IN_VERIFIER_CHALLENGE: usize = 60; + + pub(crate) const GAMMA2: i32 = (FIELD_MODULUS - 1) / 32; + + // Commitment coefficients are in the interval: [0, ((FIELD_MODULUS − 1)/2γ2) − 1] + // ((FIELD_MODULUS − 1)/2γ2) − 1 = 15, which means we need 4 bits to represent a + // coefficient. + pub(crate) const BITS_PER_COMMITMENT_COEFFICIENT: usize = 4; + + pub(crate) const COMMITMENT_HASH_SIZE: usize = 64; +} + +pub(crate) const fn beta(ones_in_verifier_challenge: usize, eta: Eta) -> i32 { + (ones_in_verifier_challenge * (eta as usize)) as i32 } pub(crate) const fn error_ring_element_size(bits_per_error_coefficient: usize) -> usize { (bits_per_error_coefficient * COEFFICIENTS_IN_RING_ELEMENT) / 8 } +pub(crate) const fn gamma1_ring_element_size(bits_per_gamma1_coefficient: usize) -> usize { + (bits_per_gamma1_coefficient * COEFFICIENTS_IN_RING_ELEMENT) / 8 +} + +pub(crate) const fn commitment_ring_element_size(bits_per_commitment_coefficient: usize) -> usize { + (bits_per_commitment_coefficient * COEFFICIENTS_IN_RING_ELEMENT) / 8 +} + +pub(crate) const fn commitment_vector_size( + bits_per_commitment_coefficient: usize, + rows_in_a: usize, +) -> usize { + commitment_ring_element_size(bits_per_commitment_coefficient) * rows_in_a +} + pub(crate) const fn signing_key_size( rows_in_a: usize, columns_in_a: usize, @@ -120,3 +199,16 @@ pub(crate) const fn verification_key_size(rows_in_a: usize) -> usize { * (FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - BITS_IN_LOWER_PART_OF_T)) / 8 } + +pub(crate) const fn signature_size( + rows_in_a: usize, + columns_in_a: usize, + max_ones_in_hint: usize, + commitment_hash_size: usize, + bits_per_gamma1_coefficient: usize, +) -> usize { + commitment_hash_size + + (columns_in_a * gamma1_ring_element_size(bits_per_gamma1_coefficient)) + + max_ones_in_hint + + rows_in_a +} diff --git a/libcrux-ml-dsa/src/ml_dsa_44.rs b/libcrux-ml-dsa/src/ml_dsa_44.rs index f45e9f55a..8a2b11dcc 100644 --- a/libcrux-ml-dsa/src/ml_dsa_44.rs +++ b/libcrux-ml-dsa/src/ml_dsa_44.rs @@ -1,73 +1,16 @@ -use crate::{constants::*, ml_dsa_generic, types::*, SigningError, VerificationError}; +use crate::ml_dsa_generic::ml_dsa_44::*; +use crate::{constants::*, types::*, SigningError, VerificationError}; -// ML-DSA-44-specific parameters - -const ROWS_IN_A: usize = 4; -const COLUMNS_IN_A: usize = 4; -const ROWS_X_COLUMNS: usize = ROWS_IN_A * COLUMNS_IN_A; - -const ETA: usize = 2; -// To sample a value in the interval [-ETA, ETA], we can sample a value (say 'v') -// in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in -// 3 bits when ETA is 2. -const BITS_PER_ERROR_COEFFICIENT: usize = 3; - -const ERROR_RING_ELEMENT_SIZE: usize = - (BITS_PER_ERROR_COEFFICIENT * COEFFICIENTS_IN_RING_ELEMENT) / 8; - -const GAMMA1_EXPONENT: usize = 17; -const GAMMA2: i32 = (FIELD_MODULUS - 1) / 88; - -const BETA: i32 = (ONES_IN_VERIFIER_CHALLENGE * ETA) as i32; - -// To sample a value in the interval [-(GAMMA - 1), GAMMA], we can sample a -// value (say 'v') in the interval [0, (2 * GAMMA) - 1] and then compute -// GAMMA - v. This can be done in 18 bits when GAMMA is 2^{17}. -const BITS_PER_GAMMA1_COEFFICIENT: usize = 18; -const GAMMA1_RING_ELEMENT_SIZE: usize = - (BITS_PER_GAMMA1_COEFFICIENT * COEFFICIENTS_IN_RING_ELEMENT) / 8; - -const MAX_ONES_IN_HINT: usize = 80; - -const ONES_IN_VERIFIER_CHALLENGE: usize = 39; - -const COMMITMENT_HASH_SIZE: usize = 32; - -// Commitment coefficients are in the interval: [0, ((FIELD_MODULUS − 1)/2γ2) − 1] -// ((FIELD_MODULUS − 1)/2γ2) − 1 = 43, which means we need 6 bits to represent a -// coefficient. -const BITS_PER_COMMITMENT_COEFFICIENT: usize = 6; -const COMMITMENT_RING_ELEMENT_SIZE: usize = - (BITS_PER_COMMITMENT_COEFFICIENT * COEFFICIENTS_IN_RING_ELEMENT) / 8; -const COMMITMENT_VECTOR_SIZE: usize = COMMITMENT_RING_ELEMENT_SIZE * ROWS_IN_A; - -const VERIFICATION_KEY_SIZE: usize = SEED_FOR_A_SIZE - + (COEFFICIENTS_IN_RING_ELEMENT - * ROWS_IN_A - * (FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - BITS_IN_LOWER_PART_OF_T)) - / 8; - -const SIGNING_KEY_SIZE: usize = SEED_FOR_A_SIZE - + SEED_FOR_SIGNING_SIZE - + BYTES_FOR_VERIFICATION_KEY_HASH - + (ROWS_IN_A + COLUMNS_IN_A) * ERROR_RING_ELEMENT_SIZE - + ROWS_IN_A * RING_ELEMENT_OF_T0S_SIZE; - -const SIGNATURE_SIZE: usize = - COMMITMENT_HASH_SIZE + (COLUMNS_IN_A * GAMMA1_RING_ELEMENT_SIZE) + MAX_ONES_IN_HINT + ROWS_IN_A; - -pub type MLDSA44SigningKey = MLDSASigningKey; -pub type MLDSA44VerificationKey = MLDSAVerificationKey; -pub type MLDSA44KeyPair = MLDSAKeyPair; -pub type MLDSA44Signature = MLDSASignature; +pub use crate::ml_dsa_generic::ml_dsa_44::{ + MLDSA44KeyPair, MLDSA44Signature, MLDSA44SigningKey, MLDSA44VerificationKey, +}; // Instantiate the different functions. macro_rules! instantiate { - ($modp:ident, $p:path, $doc:expr) => { + ($modp:ident, $doc:expr) => { #[doc = $doc] pub mod $modp { use super::*; - use $p as p; /// Generate an ML-DSA-44 Key Pair pub fn generate_key_pair( @@ -75,7 +18,11 @@ macro_rules! instantiate { ) -> MLDSA44KeyPair { let mut signing_key = [0u8; SIGNING_KEY_SIZE]; let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; - p::generate_key_pair_v44(randomness, &mut signing_key, &mut verification_key); + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_44::generate_key_pair( + randomness, + &mut signing_key, + &mut verification_key, + ); MLDSA44KeyPair { signing_key: MLDSASigningKey::new(signing_key), @@ -94,23 +41,12 @@ macro_rules! instantiate { context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - p::sign::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, context, randomness) + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_44::sign( + signing_key.as_ref(), + message, + context, + randomness, + ) } /// Generate an ML-DSA-44 Signature (Algorithm 7 in FIPS204) @@ -122,23 +58,11 @@ macro_rules! instantiate { message: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - p::sign_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, randomness) + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_44::sign_internal( + signing_key.as_ref(), + message, + randomness, + ) } /// Verify an ML-DSA-44 Signature (Algorithm 8 in FIPS204) @@ -150,22 +74,11 @@ macro_rules! instantiate { message: &[u8], signature: &MLDSA44Signature, ) -> Result<(), VerificationError> { - p::verify_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key.as_ref(), message, signature.as_ref()) + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_44::verify_internal( + verification_key.as_ref(), + message, + signature.as_ref(), + ) } /// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing @@ -179,23 +92,12 @@ macro_rules! instantiate { context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - p::sign_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, context, randomness) + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_44::sign_pre_hashed_shake128( + signing_key.as_ref(), + message, + context, + randomness, + ) } /// Verify an ML-DSA-44 Signature @@ -209,22 +111,7 @@ macro_rules! instantiate { context: &[u8], signature: &MLDSA44Signature, ) -> Result<(), VerificationError> { - p::verify::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_44::verify( verification_key.as_ref(), message, context, @@ -243,22 +130,7 @@ macro_rules! instantiate { context: &[u8], signature: &MLDSA44Signature, ) -> Result<(), VerificationError> { - p::verify_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_44::verify_pre_hashed_shake128( verification_key.as_ref(), message, context, @@ -270,12 +142,11 @@ macro_rules! instantiate { } // Instantiations - -instantiate! {portable, ml_dsa_generic::instantiations::portable, "Portable ML-DSA 44"} +instantiate! {portable, "Portable ML-DSA 44"} #[cfg(feature = "simd256")] -instantiate! {avx2, ml_dsa_generic::instantiations::avx2, "AVX2 Optimised ML-DSA 44"} +instantiate! {avx2, "AVX2 Optimised ML-DSA 44"} #[cfg(feature = "simd128")] -instantiate! {neon, ml_dsa_generic::instantiations::neon, "Neon Optimised ML-DSA 44"} +instantiate! {neon, "Neon Optimised ML-DSA 44"} /// Generate an ML-DSA 44 Key Pair /// @@ -287,7 +158,7 @@ instantiate! {neon, ml_dsa_generic::instantiations::neon, "Neon Optimised ML-DSA pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE]) -> MLDSA44KeyPair { let mut signing_key = [0u8; SIGNING_KEY_SIZE]; let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; - ml_dsa_generic::multiplexing::generate_key_pair_v44( + crate::ml_dsa_generic::multiplexing::ml_dsa_44::generate_key_pair( randomness, &mut signing_key, &mut verification_key, @@ -315,23 +186,12 @@ pub fn sign( context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - ml_dsa_generic::multiplexing::sign::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, context, randomness) + crate::ml_dsa_generic::multiplexing::ml_dsa_44::sign( + signing_key.as_ref(), + message, + context, + randomness, + ) } /// Sign with ML-DSA 44 (Algorithm 7 in FIPS204) @@ -345,23 +205,11 @@ pub fn sign_internal( message: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - ml_dsa_generic::multiplexing::sign_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, randomness) + crate::ml_dsa_generic::multiplexing::ml_dsa_44::sign_internal( + signing_key.as_ref(), + message, + randomness, + ) } /// Verify an ML-DSA-44 Signature (Algorithm 8 in FIPS204) @@ -374,22 +222,11 @@ pub fn verify_internal( message: &[u8], signature: &MLDSA44Signature, ) -> Result<(), VerificationError> { - ml_dsa_generic::multiplexing::verify_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key.as_ref(), message, signature.as_ref()) + crate::ml_dsa_generic::multiplexing::ml_dsa_44::verify_internal( + verification_key.as_ref(), + message, + signature.as_ref(), + ) } /// Verify an ML-DSA-44 Signature @@ -407,22 +244,7 @@ pub fn verify( context: &[u8], signature: &MLDSA44Signature, ) -> Result<(), VerificationError> { - ml_dsa_generic::multiplexing::verify::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( + crate::ml_dsa_generic::multiplexing::ml_dsa_44::verify( verification_key.as_ref(), message, context, @@ -447,23 +269,12 @@ pub fn sign_pre_hashed_shake128( context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - ml_dsa_generic::multiplexing::sign_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, context, randomness) + crate::ml_dsa_generic::multiplexing::ml_dsa_44::sign_pre_hashed_shake128( + signing_key.as_ref(), + message, + context, + randomness, + ) } /// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing @@ -481,22 +292,7 @@ pub fn verify_pre_hashed_shake128( context: &[u8], signature: &MLDSA44Signature, ) -> Result<(), VerificationError> { - ml_dsa_generic::multiplexing::verify_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( + crate::ml_dsa_generic::multiplexing::ml_dsa_44::verify_pre_hashed_shake128( verification_key.as_ref(), message, context, diff --git a/libcrux-ml-dsa/src/ml_dsa_65.rs b/libcrux-ml-dsa/src/ml_dsa_65.rs index 2bd396070..337754bc8 100644 --- a/libcrux-ml-dsa/src/ml_dsa_65.rs +++ b/libcrux-ml-dsa/src/ml_dsa_65.rs @@ -1,94 +1,55 @@ -use crate::{constants::*, ml_dsa_generic, types::*, SigningError, VerificationError}; +use crate::ml_dsa_generic::ml_dsa_65::*; +use crate::{constants::*, types::*, SigningError, VerificationError}; -// ML-DSA-65-specific parameters - -const ROWS_IN_A: usize = 6; -const COLUMNS_IN_A: usize = 5; -const ROWS_X_COLUMNS: usize = ROWS_IN_A * COLUMNS_IN_A; - -const ETA: usize = 4; - -// To sample a value in the interval [-ETA, ETA], we can sample a value (say 'v') -// in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in -// 4 bits when ETA is 4. -const BITS_PER_ERROR_COEFFICIENT: usize = 4; - -const ERROR_RING_ELEMENT_SIZE: usize = - (BITS_PER_ERROR_COEFFICIENT * COEFFICIENTS_IN_RING_ELEMENT) / 8; - -const GAMMA1_EXPONENT: usize = 19; -// To sample a value in the interval [-(GAMMA - 1), GAMMA], we can sample a -// value (say 'v') in the interval [0, (2 * GAMMA) - 1] and then compute -// GAMMA - v. This can be done in 20 bits when GAMMA is 2^{19}. -const BITS_PER_GAMMA1_COEFFICIENT: usize = 20; -const GAMMA1_RING_ELEMENT_SIZE: usize = - (BITS_PER_GAMMA1_COEFFICIENT * COEFFICIENTS_IN_RING_ELEMENT) / 8; - -const MAX_ONES_IN_HINT: usize = 55; - -const ONES_IN_VERIFIER_CHALLENGE: usize = 49; - -const GAMMA2: i32 = (FIELD_MODULUS - 1) / 32; - -const BETA: i32 = (ONES_IN_VERIFIER_CHALLENGE * ETA) as i32; - -// Commitment coefficients are in the interval: [0, ((FIELD_MODULUS − 1)/2γ2) − 1] -// ((FIELD_MODULUS − 1)/2γ2) − 1 = 15, which means we need 4 bits to represent a -// coefficient. -const BITS_PER_COMMITMENT_COEFFICIENT: usize = 4; - -const COMMITMENT_RING_ELEMENT_SIZE: usize = - (BITS_PER_COMMITMENT_COEFFICIENT * COEFFICIENTS_IN_RING_ELEMENT) / 8; -const COMMITMENT_VECTOR_SIZE: usize = COMMITMENT_RING_ELEMENT_SIZE * ROWS_IN_A; - -const COMMITMENT_HASH_SIZE: usize = 48; - -const VERIFICATION_KEY_SIZE: usize = SEED_FOR_A_SIZE - + (COEFFICIENTS_IN_RING_ELEMENT - * ROWS_IN_A - * (FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - BITS_IN_LOWER_PART_OF_T)) - / 8; - -const SIGNING_KEY_SIZE: usize = SEED_FOR_A_SIZE - + SEED_FOR_SIGNING_SIZE - + BYTES_FOR_VERIFICATION_KEY_HASH - + (ROWS_IN_A + COLUMNS_IN_A) * ERROR_RING_ELEMENT_SIZE - + ROWS_IN_A * RING_ELEMENT_OF_T0S_SIZE; - -const SIGNATURE_SIZE: usize = - COMMITMENT_HASH_SIZE + (COLUMNS_IN_A * GAMMA1_RING_ELEMENT_SIZE) + MAX_ONES_IN_HINT + ROWS_IN_A; - -pub type MLDSA65SigningKey = MLDSASigningKey; -pub type MLDSA65VerificationKey = MLDSAVerificationKey; -pub type MLDSA65KeyPair = MLDSAKeyPair; -pub type MLDSA65Signature = MLDSASignature; +pub use crate::ml_dsa_generic::ml_dsa_65::{ + MLDSA65KeyPair, MLDSA65Signature, MLDSA65SigningKey, MLDSA65VerificationKey, +}; // Instantiate the different functions. macro_rules! instantiate { - ($modp:ident, $p:path, $doc:expr) => { + ($modp:ident, $doc:expr) => { #[doc = $doc] pub mod $modp { use super::*; - use $p as p; /// Generate an ML-DSA-65 Key Pair pub fn generate_key_pair( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], ) -> MLDSA65KeyPair { - let mut kp = MLDSA65KeyPair { - signing_key: MLDSASigningKey::zero(), - verification_key: MLDSAVerificationKey::zero(), - }; - - p::generate_key_pair_v65( + let mut signing_key = [0u8; SIGNING_KEY_SIZE]; + let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_65::generate_key_pair( randomness, - &mut kp.signing_key.value, - &mut kp.verification_key.value, + &mut signing_key, + &mut verification_key, ); - kp + MLDSA65KeyPair { + signing_key: MLDSASigningKey::new(signing_key), + verification_key: MLDSAVerificationKey::new(verification_key), + } } - /// Generate an ML-DSA-65 Signature (Algorithm 7 in FIPS 204) + + /// Generate an ML-DSA-65 Signature + /// + /// The parameter `context` is used for domain separation + /// and is a byte string of length at most 255 bytes. It + /// may also be empty. + pub fn sign( + signing_key: &MLDSA65SigningKey, + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result { + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_65::sign( + signing_key.as_ref(), + message, + context, + randomness, + ) + } + + /// Generate an ML-DSA-65 Signature (Algorithm 7 in FIPS204) /// /// The message is assumed to be domain-separated. #[cfg(feature = "acvp")] @@ -97,26 +58,14 @@ macro_rules! instantiate { message: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - p::sign_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, randomness) + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_65::sign_internal( + signing_key.as_ref(), + message, + randomness, + ) } - /// Verify an ML-DSA-65 Signature (Algorithm 8 in FIPS 204) + /// Verify an ML-DSA-65 Signature (Algorithm 8 in FIPS204) /// /// The message is assumed to be domain-separated. #[cfg(feature = "acvp")] @@ -125,52 +74,11 @@ macro_rules! instantiate { message: &[u8], signature: &MLDSA65Signature, ) -> Result<(), VerificationError> { - p::verify_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key.as_ref(), message, signature.as_ref()) - } - - /// Generate an ML-DSA-65 Signature - /// - /// The parameter `context` is used for domain separation - /// and is a byte string of length at most 255 bytes. It - /// may also be empty. - pub fn sign( - signing_key: &MLDSA65SigningKey, - message: &[u8], - context: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], - ) -> Result { - p::sign::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, context, randomness) + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_65::verify_internal( + verification_key.as_ref(), + message, + signature.as_ref(), + ) } /// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing @@ -184,23 +92,12 @@ macro_rules! instantiate { context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - p::sign_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, context, randomness) + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_65::sign_pre_hashed_shake128( + signing_key.as_ref(), + message, + context, + randomness, + ) } /// Verify an ML-DSA-65 Signature @@ -214,22 +111,7 @@ macro_rules! instantiate { context: &[u8], signature: &MLDSA65Signature, ) -> Result<(), VerificationError> { - p::verify::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_65::verify( verification_key.as_ref(), message, context, @@ -248,22 +130,7 @@ macro_rules! instantiate { context: &[u8], signature: &MLDSA65Signature, ) -> Result<(), VerificationError> { - p::verify_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_65::verify_pre_hashed_shake128( verification_key.as_ref(), message, context, @@ -275,12 +142,11 @@ macro_rules! instantiate { } // Instantiations - -instantiate! {portable, ml_dsa_generic::instantiations::portable, "Portable ML-DSA 65"} +instantiate! {portable, "Portable ML-DSA 65"} #[cfg(feature = "simd256")] -instantiate! {avx2, ml_dsa_generic::instantiations::avx2, "AVX2 Optimised ML-DSA 65"} +instantiate! {avx2, "AVX2 Optimised ML-DSA 65"} #[cfg(feature = "simd128")] -instantiate! {neon, ml_dsa_generic::instantiations::neon, "Neon Optimised ML-DSA 65"} +instantiate! {neon, "Neon Optimised ML-DSA 65"} /// Generate an ML-DSA 65 Key Pair /// @@ -292,7 +158,7 @@ instantiate! {neon, ml_dsa_generic::instantiations::neon, "Neon Optimised ML-DSA pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE]) -> MLDSA65KeyPair { let mut signing_key = [0u8; SIGNING_KEY_SIZE]; let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; - ml_dsa_generic::multiplexing::generate_key_pair_v65( + crate::ml_dsa_generic::multiplexing::ml_dsa_65::generate_key_pair( randomness, &mut signing_key, &mut verification_key, @@ -320,23 +186,47 @@ pub fn sign( context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - ml_dsa_generic::multiplexing::sign::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, context, randomness) + crate::ml_dsa_generic::multiplexing::ml_dsa_65::sign( + signing_key.as_ref(), + message, + context, + randomness, + ) +} + +/// Sign with ML-DSA 65 (Algorithm 7 in FIPS204) +/// +/// Sign a `message` (assumed to be domain-separated) with the ML-DSA `signing_key`. +/// +/// This function returns an [`MLDSA65Signature`]. +#[cfg(all(not(eurydice), feature = "acvp"))] +pub fn sign_internal( + signing_key: &MLDSA65SigningKey, + message: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], +) -> Result { + crate::ml_dsa_generic::multiplexing::ml_dsa_65::sign_internal( + signing_key.as_ref(), + message, + randomness, + ) +} + +/// Verify an ML-DSA-65 Signature (Algorithm 8 in FIPS204) +/// +/// Returns `Ok` when the `signature` is valid for the `message` (assumed to be domain-separated) and +/// `verification_key`, and a [`VerificationError`] otherwise. +#[cfg(all(not(eurydice), feature = "acvp"))] +pub fn verify_internal( + verification_key: &MLDSA65VerificationKey, + message: &[u8], + signature: &MLDSA65Signature, +) -> Result<(), VerificationError> { + crate::ml_dsa_generic::multiplexing::ml_dsa_65::verify_internal( + verification_key.as_ref(), + message, + signature.as_ref(), + ) } /// Verify an ML-DSA-65 Signature @@ -354,22 +244,7 @@ pub fn verify( context: &[u8], signature: &MLDSA65Signature, ) -> Result<(), VerificationError> { - ml_dsa_generic::multiplexing::verify::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( + crate::ml_dsa_generic::multiplexing::ml_dsa_65::verify( verification_key.as_ref(), message, context, @@ -394,23 +269,12 @@ pub fn sign_pre_hashed_shake128( context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - ml_dsa_generic::multiplexing::sign_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, context, randomness) + crate::ml_dsa_generic::multiplexing::ml_dsa_65::sign_pre_hashed_shake128( + signing_key.as_ref(), + message, + context, + randomness, + ) } /// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing @@ -428,82 +292,10 @@ pub fn verify_pre_hashed_shake128( context: &[u8], signature: &MLDSA65Signature, ) -> Result<(), VerificationError> { - ml_dsa_generic::multiplexing::verify_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( + crate::ml_dsa_generic::multiplexing::ml_dsa_65::verify_pre_hashed_shake128( verification_key.as_ref(), message, context, signature.as_ref(), ) } -/// Sign with ML-DSA 65 (Algorithm 7 in FIPS 204) -/// -/// Sign a `message` (assumed to be domain-separated) with the ML-DSA `signing_key`. -/// -/// This function returns an [`MLDSA65Signature`]. -#[cfg(all(not(eurydice), feature = "acvp"))] -pub fn sign_internal( - signing_key: &MLDSA65SigningKey, - message: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], -) -> Result { - ml_dsa_generic::multiplexing::sign_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, randomness) -} - -/// Verify an ML-DSA-65 Signature (Algorithm 8 in FIPS204) -/// -/// Returns `Ok` when the `signature` is valid for the `message` (assumed to be domain-separated) and -/// `verification_key`, and a [`VerificationError`] otherwise. -#[cfg(all(not(eurydice), feature = "acvp"))] -pub fn verify_internal( - verification_key: &MLDSA65VerificationKey, - message: &[u8], - signature: &MLDSA65Signature, -) -> Result<(), VerificationError> { - ml_dsa_generic::multiplexing::verify_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key.as_ref(), message, signature.as_ref()) -} diff --git a/libcrux-ml-dsa/src/ml_dsa_87.rs b/libcrux-ml-dsa/src/ml_dsa_87.rs index 3ed0ac8e2..b60b21905 100644 --- a/libcrux-ml-dsa/src/ml_dsa_87.rs +++ b/libcrux-ml-dsa/src/ml_dsa_87.rs @@ -1,78 +1,16 @@ -use crate::{constants::*, ml_dsa_generic, types::*, SigningError, VerificationError}; +use crate::ml_dsa_generic::ml_dsa_87::*; +use crate::{constants::*, types::*, SigningError, VerificationError}; -// ML-DSA-87 parameters - -// TODO: -// - factor out the math for the constants across the three variants. - -const ROWS_IN_A: usize = 8; -const COLUMNS_IN_A: usize = 7; -const ROWS_X_COLUMNS: usize = ROWS_IN_A * COLUMNS_IN_A; - -const ETA: usize = 2; - -// To sample a value in the interval [-ETA, ETA], we can sample a value (say 'v') -// in the interval [0, 2 * ETA] and then compute ETA - v. This can be done in -// 3 bits when ETA is 2. -const BITS_PER_ERROR_COEFFICIENT: usize = 3; - -const ERROR_RING_ELEMENT_SIZE: usize = - (BITS_PER_ERROR_COEFFICIENT * COEFFICIENTS_IN_RING_ELEMENT) / 8; - -const GAMMA1_EXPONENT: usize = 19; -// To sample a value in the interval [-(GAMMA - 1), GAMMA], we can sample a -// value (say 'v') in the interval [0, (2 * GAMMA) - 1] and then compute -// GAMMA - v. This can be done in 20 bits when GAMMA is 2^{19}. -const BITS_PER_GAMMA1_COEFFICIENT: usize = 20; -const GAMMA1_RING_ELEMENT_SIZE: usize = - (BITS_PER_GAMMA1_COEFFICIENT * COEFFICIENTS_IN_RING_ELEMENT) / 8; - -const MAX_ONES_IN_HINT: usize = 75; - -const ONES_IN_VERIFIER_CHALLENGE: usize = 60; - -const GAMMA2: i32 = (FIELD_MODULUS - 1) / 32; - -const BETA: i32 = (ONES_IN_VERIFIER_CHALLENGE * ETA) as i32; - -// Commitment coefficients are in the interval: [0, ((FIELD_MODULUS − 1)/2γ2) − 1] -// ((FIELD_MODULUS − 1)/2γ2) − 1 = 15, which means we need 4 bits to represent a -// coefficient. -const BITS_PER_COMMITMENT_COEFFICIENT: usize = 4; - -const COMMITMENT_RING_ELEMENT_SIZE: usize = - (BITS_PER_COMMITMENT_COEFFICIENT * COEFFICIENTS_IN_RING_ELEMENT) / 8; -const COMMITMENT_VECTOR_SIZE: usize = COMMITMENT_RING_ELEMENT_SIZE * ROWS_IN_A; - -const COMMITMENT_HASH_SIZE: usize = 64; - -const VERIFICATION_KEY_SIZE: usize = SEED_FOR_A_SIZE - + (COEFFICIENTS_IN_RING_ELEMENT - * ROWS_IN_A - * (FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - BITS_IN_LOWER_PART_OF_T)) - / 8; - -const SIGNING_KEY_SIZE: usize = SEED_FOR_A_SIZE - + SEED_FOR_SIGNING_SIZE - + BYTES_FOR_VERIFICATION_KEY_HASH - + (ROWS_IN_A + COLUMNS_IN_A) * ERROR_RING_ELEMENT_SIZE - + ROWS_IN_A * RING_ELEMENT_OF_T0S_SIZE; - -const SIGNATURE_SIZE: usize = - COMMITMENT_HASH_SIZE + (COLUMNS_IN_A * GAMMA1_RING_ELEMENT_SIZE) + MAX_ONES_IN_HINT + ROWS_IN_A; - -pub type MLDSA87SigningKey = MLDSASigningKey; -pub type MLDSA87VerificationKey = MLDSAVerificationKey; -pub type MLDSA87KeyPair = MLDSAKeyPair; -pub type MLDSA87Signature = MLDSASignature; +pub use crate::ml_dsa_generic::ml_dsa_87::{ + MLDSA87KeyPair, MLDSA87Signature, MLDSA87SigningKey, MLDSA87VerificationKey, +}; // Instantiate the different functions. macro_rules! instantiate { - ($modp:ident, $p:path, $doc:expr) => { + ($modp:ident, $doc:expr) => { #[doc = $doc] pub mod $modp { use super::*; - use $p as p; /// Generate an ML-DSA-87 Key Pair pub fn generate_key_pair( @@ -80,7 +18,11 @@ macro_rules! instantiate { ) -> MLDSA87KeyPair { let mut signing_key = [0u8; SIGNING_KEY_SIZE]; let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; - p::generate_key_pair_v87(randomness, &mut signing_key, &mut verification_key); + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_87::generate_key_pair( + randomness, + &mut signing_key, + &mut verification_key, + ); MLDSA87KeyPair { signing_key: MLDSASigningKey::new(signing_key), @@ -88,6 +30,25 @@ macro_rules! instantiate { } } + /// Generate an ML-DSA-87 Signature + /// + /// The parameter `context` is used for domain separation + /// and is a byte string of length at most 255 bytes. It + /// may also be empty. + pub fn sign( + signing_key: &MLDSA87SigningKey, + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result { + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_87::sign( + signing_key.as_ref(), + message, + context, + randomness, + ) + } + /// Generate an ML-DSA-87 Signature (Algorithm 7 in FIPS204) /// /// The message is assumed to be domain-separated. @@ -97,23 +58,11 @@ macro_rules! instantiate { message: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - p::sign_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, randomness) + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_87::sign_internal( + signing_key.as_ref(), + message, + randomness, + ) } /// Verify an ML-DSA-87 Signature (Algorithm 8 in FIPS204) @@ -125,52 +74,11 @@ macro_rules! instantiate { message: &[u8], signature: &MLDSA87Signature, ) -> Result<(), VerificationError> { - p::verify_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key.as_ref(), message, signature.as_ref()) - } - - /// Generate an ML-DSA-87 Signature - /// - /// The parameter `context` is used for domain separation - /// and is a byte string of length at most 255 bytes. It - /// may also be empty. - pub fn sign( - signing_key: &MLDSA87SigningKey, - message: &[u8], - context: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], - ) -> Result { - p::sign::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, context, randomness) + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_87::verify_internal( + verification_key.as_ref(), + message, + signature.as_ref(), + ) } /// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing @@ -184,23 +92,12 @@ macro_rules! instantiate { context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - p::sign_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, context, randomness) + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_87::sign_pre_hashed_shake128( + signing_key.as_ref(), + message, + context, + randomness, + ) } /// Verify an ML-DSA-87 Signature @@ -214,22 +111,7 @@ macro_rules! instantiate { context: &[u8], signature: &MLDSA87Signature, ) -> Result<(), VerificationError> { - p::verify::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_87::verify( verification_key.as_ref(), message, context, @@ -248,22 +130,7 @@ macro_rules! instantiate { context: &[u8], signature: &MLDSA87Signature, ) -> Result<(), VerificationError> { - p::verify_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_87::verify_pre_hashed_shake128( verification_key.as_ref(), message, context, @@ -275,12 +142,11 @@ macro_rules! instantiate { } // Instantiations - -instantiate! {portable, ml_dsa_generic::instantiations::portable, "Portable ML-DSA 87"} +instantiate! {portable, "Portable ML-DSA 87"} #[cfg(feature = "simd256")] -instantiate! {avx2, ml_dsa_generic::instantiations::avx2, "AVX2 Optimised ML-DSA 87"} +instantiate! {avx2, "AVX2 Optimised ML-DSA 87"} #[cfg(feature = "simd128")] -instantiate! {neon, ml_dsa_generic::instantiations::neon, "Neon Optimised ML-DSA 87"} +instantiate! {neon, "Neon Optimised ML-DSA 87"} /// Generate an ML-DSA 87 Key Pair /// @@ -292,7 +158,7 @@ instantiate! {neon, ml_dsa_generic::instantiations::neon, "Neon Optimised ML-DSA pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE]) -> MLDSA87KeyPair { let mut signing_key = [0u8; SIGNING_KEY_SIZE]; let mut verification_key = [0u8; VERIFICATION_KEY_SIZE]; - ml_dsa_generic::multiplexing::generate_key_pair_v87( + crate::ml_dsa_generic::multiplexing::ml_dsa_87::generate_key_pair( randomness, &mut signing_key, &mut verification_key, @@ -320,23 +186,47 @@ pub fn sign( context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - ml_dsa_generic::multiplexing::sign::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, context, randomness) + crate::ml_dsa_generic::multiplexing::ml_dsa_87::sign( + signing_key.as_ref(), + message, + context, + randomness, + ) +} + +/// Sign with ML-DSA 87 (Algorithm 7 in FIPS204) +/// +/// Sign a `message` (assumed to be domain-separated) with the ML-DSA `signing_key`. +/// +/// This function returns an [`MLDSA87Signature`]. +#[cfg(all(not(eurydice), feature = "acvp"))] +pub fn sign_internal( + signing_key: &MLDSA87SigningKey, + message: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], +) -> Result { + crate::ml_dsa_generic::multiplexing::ml_dsa_87::sign_internal( + signing_key.as_ref(), + message, + randomness, + ) +} + +/// Verify an ML-DSA-87 Signature (Algorithm 8 in FIPS204) +/// +/// Returns `Ok` when the `signature` is valid for the `message` (assumed to be domain-separated) and +/// `verification_key`, and a [`VerificationError`] otherwise. +#[cfg(all(not(eurydice), feature = "acvp"))] +pub fn verify_internal( + verification_key: &MLDSA87VerificationKey, + message: &[u8], + signature: &MLDSA87Signature, +) -> Result<(), VerificationError> { + crate::ml_dsa_generic::multiplexing::ml_dsa_87::verify_internal( + verification_key.as_ref(), + message, + signature.as_ref(), + ) } /// Verify an ML-DSA-87 Signature @@ -354,22 +244,7 @@ pub fn verify( context: &[u8], signature: &MLDSA87Signature, ) -> Result<(), VerificationError> { - ml_dsa_generic::multiplexing::verify::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( + crate::ml_dsa_generic::multiplexing::ml_dsa_87::verify( verification_key.as_ref(), message, context, @@ -394,23 +269,12 @@ pub fn sign_pre_hashed_shake128( context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { - ml_dsa_generic::multiplexing::sign_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, context, randomness) + crate::ml_dsa_generic::multiplexing::ml_dsa_87::sign_pre_hashed_shake128( + signing_key.as_ref(), + message, + context, + randomness, + ) } /// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing @@ -428,83 +292,10 @@ pub fn verify_pre_hashed_shake128( context: &[u8], signature: &MLDSA87Signature, ) -> Result<(), VerificationError> { - ml_dsa_generic::multiplexing::verify_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( + crate::ml_dsa_generic::multiplexing::ml_dsa_87::verify_pre_hashed_shake128( verification_key.as_ref(), message, context, signature.as_ref(), ) } - -/// Sign with ML-DSA 87 (Algorithm 7 in FIPS204) -/// -/// Sign a `message` (assumed to be domain-separated) with the ML-DSA `signing_key`. -/// -/// This function returns an [`MLDSA87Signature`]. -#[cfg(all(not(eurydice), feature = "acvp"))] -pub fn sign_internal( - signing_key: &MLDSA87SigningKey, - message: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], -) -> Result { - ml_dsa_generic::multiplexing::sign_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key.as_ref(), message, randomness) -} - -/// Verify an ML-DSA-87 Signature (Algorithm 8 in FIPS204) -/// -/// Returns `Ok` when the `signature` is valid for the `message` (assumed to be domain-separated) and -/// `verification_key`, and a [`VerificationError`] otherwise. -#[cfg(all(not(eurydice), feature = "acvp"))] -pub fn verify_internal( - verification_key: &MLDSA87VerificationKey, - message: &[u8], - signature: &MLDSA87Signature, -) -> Result<(), VerificationError> { - ml_dsa_generic::multiplexing::verify_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key.as_ref(), message, signature.as_ref()) -} diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 5081401dd..cbbc5b94c 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -2,7 +2,7 @@ use crate::{ arithmetic::{ decompose_vector, make_hint, power2round_vector, use_hint, vector_infinity_norm_exceeds, }, - constants::{self, *}, + constants::*, encoding::{self}, hash_functions::{shake128, shake256}, matrix::{ @@ -15,7 +15,7 @@ use crate::{ sample::{sample_challenge_ring_element, sample_mask_vector}, samplex4::{self, X4Sampler}, simd::traits::Operations, - types::{SigningError, VerificationError}, + types::*, MLDSASignature, }; @@ -24,488 +24,573 @@ pub(crate) mod instantiations; #[cfg(not(eurydice))] pub(crate) mod multiplexing; -/// Generate a key pair. -#[libcrux_macros::consts( - // Key size specific constants - v44 { - #[cfg(feature = "mldsa44")] - const ROWS_IN_A: usize = constants::v44::ROWS_IN_A; - const COLUMNS_IN_A: usize = constants::v44::COLUMNS_IN_A; - const ETA: Eta = constants::v44::ETA; - const BITS_PER_ERROR_COEFFICIENT: usize = constants::v44::BITS_PER_ERROR_COEFFICIENT; - }, - v65 { - #[cfg(feature = "mldsa65")] - const ROWS_IN_A: usize = constants::v65::ROWS_IN_A; - const COLUMNS_IN_A: usize = constants::v65::COLUMNS_IN_A; - const ETA: Eta = constants::v65::ETA; - const BITS_PER_ERROR_COEFFICIENT: usize = constants::v65::BITS_PER_ERROR_COEFFICIENT; - }, - v87 { - #[cfg(feature = "mldsa87")] - const ROWS_IN_A: usize = constants::v87::ROWS_IN_A; - const COLUMNS_IN_A: usize = constants::v87::COLUMNS_IN_A; - const ETA: Eta = constants::v87::ETA; - const BITS_PER_ERROR_COEFFICIENT: usize = constants::v87::BITS_PER_ERROR_COEFFICIENT; - }, -)] -#[inline(always)] -pub(crate) fn generate_key_pair< - SIMDUnit: Operations, - Sampler: X4Sampler, - Shake128X4: shake128::XofX4, - Shake256: shake256::DsaXof, - Shake256Xof: shake256::Xof, - Shake256X4: shake256::XofX4, ->( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], -) { +#[libcrux_macros::ml_dsa_parameter_sets(44, 65, 87)] +pub(crate) mod generic { + use super::*; + // Derived constants const ROW_COLUMN: usize = ROWS_IN_A + COLUMNS_IN_A; const ROW_X_COLUMN: usize = ROWS_IN_A * COLUMNS_IN_A; const ERROR_RING_ELEMENT_SIZE: usize = error_ring_element_size(BITS_PER_ERROR_COEFFICIENT); - const SIGNING_KEY_SIZE: usize = + const GAMMA1_RING_ELEMENT_SIZE: usize = gamma1_ring_element_size(BITS_PER_GAMMA1_COEFFICIENT); + const COMMITMENT_RING_ELEMENT_SIZE: usize = + commitment_ring_element_size(BITS_PER_COMMITMENT_COEFFICIENT); + + const BETA: i32 = beta(ONES_IN_VERIFIER_CHALLENGE, ETA); + const COMMITMENT_VECTOR_SIZE: usize = + commitment_vector_size(BITS_PER_COMMITMENT_COEFFICIENT, ROWS_IN_A); + pub(crate) const SIGNING_KEY_SIZE: usize = signing_key_size(ROWS_IN_A, COLUMNS_IN_A, ERROR_RING_ELEMENT_SIZE); - const VERIFICATION_KEY_SIZE: usize = verification_key_size(ROWS_IN_A); - - // Check key sizes - debug_assert!(signing_key.len() == SIGNING_KEY_SIZE); - debug_assert!(verification_key.len() == VERIFICATION_KEY_SIZE); - - // 128 = SEED_FOR_A_SIZE + SEED_FOR_ERROR_VECTORS_SIZE + SEED_FOR_SIGNING_SIZE - let mut seed_expanded = [0; 128]; - { - let mut shake = Shake256Xof::init(); - shake.absorb(&randomness); - shake.absorb_final(&[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); - shake.squeeze(&mut seed_expanded); - } - - let (seed_for_a, seed_expanded) = seed_expanded.split_at(SEED_FOR_A_SIZE); - let (seed_for_error_vectors, seed_for_signing) = - seed_expanded.split_at(SEED_FOR_ERROR_VECTORS_SIZE); - - let mut a_as_ntt = [PolynomialRingElement::::zero(); ROW_X_COLUMN]; - Sampler::matrix_flat::(COLUMNS_IN_A, seed_for_a, &mut a_as_ntt); - - let mut s1_s2 = [PolynomialRingElement::::zero(); ROW_COLUMN]; - samplex4::sample_s1_and_s2::(ETA, seed_for_error_vectors, &mut s1_s2); - - let mut t0 = [PolynomialRingElement::::zero(); ROWS_IN_A]; - { - let mut s1_ntt = [PolynomialRingElement::::zero(); COLUMNS_IN_A]; - s1_ntt.copy_from_slice(&s1_s2[0..COLUMNS_IN_A]); - for i in 0..s1_ntt.len() { - ntt(&mut s1_ntt[i]); - } - compute_as1_plus_s2::( - ROWS_IN_A, - COLUMNS_IN_A, - &a_as_ntt, - &s1_ntt, - &s1_s2, - &mut t0, - ); - } - - let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; - power2round_vector::(&mut t0, &mut t1); - - // Write out the keys - encoding::verification_key::generate_serialized::(seed_for_a, &t1, verification_key); - encoding::signing_key::generate_serialized::( - ETA, - ERROR_RING_ELEMENT_SIZE, - seed_for_a, - seed_for_signing, - verification_key, - &s1_s2, - &t0, - signing_key, - ); -} - -#[allow(non_snake_case)] -#[inline(always)] -pub(crate) fn sign_pre_hashed< - SIMDUnit: Operations, - Sampler: X4Sampler, - Shake128: shake128::Xof, - Shake128X4: shake128::XofX4, - Shake256: shake256::DsaXof, - Shake256Xof: shake256::Xof, - Shake256X4: shake256::XofX4, - PH: PreHash, - const PH_DIGEST_LEN: usize, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, ->( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - context: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], -) -> Result, SigningError> { - if context.len() > CONTEXT_MAX_LEN { - return Err(SigningError::ContextTooLongError); - } - let pre_hashed_message = PH::hash::(message); - let domain_separation_context = match DomainSeparationContext::new(context, Some(PH::oid())) { - Ok(dsc) => dsc, - Err(_) => return Err(SigningError::ContextTooLongError), - }; - sign_internal::< - SIMDUnit, - Sampler, - Shake128X4, - Shake256, - Shake256Xof, - Shake256X4, + pub(crate) const VERIFICATION_KEY_SIZE: usize = verification_key_size(ROWS_IN_A); + pub(crate) const SIGNATURE_SIZE: usize = signature_size( ROWS_IN_A, COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >( - &signing_key, - &pre_hashed_message, - Some(domain_separation_context), - randomness, - ) -} - -#[inline(always)] -pub(crate) fn sign< - SIMDUnit: Operations, - Sampler: X4Sampler, - Shake128X4: shake128::XofX4, - Shake256: shake256::DsaXof, - Shake256Xof: shake256::Xof, - Shake256X4: shake256::XofX4, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, ->( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - context: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], -) -> Result, SigningError> { - let domain_separation_context = match DomainSeparationContext::new(context, None) { - Ok(dsc) => dsc, - Err(_) => return Err(SigningError::ContextTooLongError), - }; - sign_internal::< - SIMDUnit, - Sampler, - Shake128X4, - Shake256, - Shake256Xof, - Shake256X4, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >( - &signing_key, - message, - Some(domain_separation_context), - randomness, - ) -} + BITS_PER_GAMMA1_COEFFICIENT, + ); -/// The internal signing API. -/// -/// If no `domain_separation_context` is supplied, it is assumed that -/// `message` already contains the domain separation. + #[inline(always)] + pub(crate) fn generate_key_pair< + SIMDUnit: Operations, + Sampler: X4Sampler, + Shake128X4: shake128::XofX4, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, + Shake256X4: shake256::XofX4, + >( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], + ) { + // Check key sizes + debug_assert!(signing_key.len() == SIGNING_KEY_SIZE); + debug_assert!(verification_key.len() == VERIFICATION_KEY_SIZE); -#[inline(always)] -pub(crate) fn sign_internal< - SIMDUnit: Operations, - Sampler: X4Sampler, - Shake128X4: shake128::XofX4, - Shake256: shake256::DsaXof, - Shake256Xof: shake256::Xof, - Shake256X4: shake256::XofX4, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, ->( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - domain_separation_context: Option, - randomness: [u8; SIGNING_RANDOMNESS_SIZE], -) -> Result, SigningError> { - // FIXME: pass these in as enums instead - let eta = match ETA as u8 { - 2 => Eta::Two, - 4 => Eta::Four, - _ => unreachable!(), - }; - - // Split the signing key into its parts. - let (seed_for_a, remaining_serialized) = signing_key.split_at(SEED_FOR_A_SIZE); - let (seed_for_signing, remaining_serialized) = - remaining_serialized.split_at(SEED_FOR_SIGNING_SIZE); - let (verification_key_hash, remaining_serialized) = - remaining_serialized.split_at(BYTES_FOR_VERIFICATION_KEY_HASH); - - let (s1_serialized, remaining_serialized) = - remaining_serialized.split_at(ERROR_RING_ELEMENT_SIZE * COLUMNS_IN_A); - let (s2_serialized, t0_serialized) = - remaining_serialized.split_at(ERROR_RING_ELEMENT_SIZE * ROWS_IN_A); - - // Deserialize s1, s2, and t0. - let mut s1_as_ntt = [PolynomialRingElement::zero(); COLUMNS_IN_A]; - let mut s2_as_ntt = [PolynomialRingElement::zero(); ROWS_IN_A]; - let mut t0_as_ntt = [PolynomialRingElement::zero(); ROWS_IN_A]; - - encoding::error::deserialize_to_vector_then_ntt::( - eta, - ERROR_RING_ELEMENT_SIZE, - s1_serialized, - &mut s1_as_ntt, - ); - encoding::error::deserialize_to_vector_then_ntt::( - eta, - ERROR_RING_ELEMENT_SIZE, - s2_serialized, - &mut s2_as_ntt, - ); - encoding::t0::deserialize_to_vector_then_ntt::(t0_serialized, &mut t0_as_ntt); - - // Sample matrix A. - let mut matrix = [PolynomialRingElement::::zero(); ROWS_X_COLUMNS]; - Sampler::matrix_flat::(COLUMNS_IN_A, &seed_for_a, &mut matrix); - - let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; - derive_message_representative::( - verification_key_hash, - &domain_separation_context, - message, - &mut message_representative, - ); + // 128 = SEED_FOR_A_SIZE + SEED_FOR_ERROR_VECTORS_SIZE + SEED_FOR_SIGNING_SIZE + let mut seed_expanded = [0; 128]; + { + let mut shake = Shake256Xof::init(); + shake.absorb(&randomness); + shake.absorb_final(&[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); + shake.squeeze(&mut seed_expanded); + } - let mut mask_seed = [0; MASK_SEED_SIZE]; - { - let mut shake = Shake256Xof::init(); - shake.absorb(&seed_for_signing); - shake.absorb(&randomness); - shake.absorb_final(&message_representative); + let (seed_for_a, seed_expanded) = seed_expanded.split_at(SEED_FOR_A_SIZE); + let (seed_for_error_vectors, seed_for_signing) = + seed_expanded.split_at(SEED_FOR_ERROR_VECTORS_SIZE); - shake.squeeze(&mut mask_seed); - } + let mut a_as_ntt = [PolynomialRingElement::::zero(); ROW_X_COLUMN]; + Sampler::matrix_flat::(COLUMNS_IN_A, seed_for_a, &mut a_as_ntt); - let mut domain_separator_for_mask: u16 = 0; - let beta = (ONES_IN_VERIFIER_CHALLENGE * ETA) as i32; - let mut attempt = 0; - - // Return values. - // Required because we can't return early. - // See https://github.com/hacspec/hax/issues/1171 - let mut commitment_hash = None; - let mut signer_response = None; - let mut hint = None; - - // As specified in [FIPS 204, Appendix C], the minimum number of - // attempts in this rejection sampling loop is 814. This puts the - // probability of failure at 2⁻²⁵⁶ or less. - // - // [FIPS 204, Appendix C]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#appendix.C - while attempt < REJECTION_SAMPLE_BOUND_SIGN { - attempt += 1; - - let mut mask = [PolynomialRingElement::zero(); COLUMNS_IN_A]; - let mut w0 = [PolynomialRingElement::zero(); ROWS_IN_A]; - let mut commitment = [PolynomialRingElement::zero(); ROWS_IN_A]; - - sample_mask_vector::( - COLUMNS_IN_A, - GAMMA1_EXPONENT, - &mask_seed, - &mut domain_separator_for_mask, - &mut mask, - ); + let mut s1_s2 = [PolynomialRingElement::::zero(); ROW_COLUMN]; + samplex4::sample_s1_and_s2::(ETA, seed_for_error_vectors, &mut s1_s2); + let mut t0 = [PolynomialRingElement::::zero(); ROWS_IN_A]; { - let mut a_x_mask = [PolynomialRingElement::zero(); ROWS_IN_A]; - let mut mask_ntt = mask.clone(); - for i in 0..mask_ntt.len() { - ntt(&mut mask_ntt[i]); + let mut s1_ntt = [PolynomialRingElement::::zero(); COLUMNS_IN_A]; + s1_ntt.copy_from_slice(&s1_s2[0..COLUMNS_IN_A]); + for i in 0..s1_ntt.len() { + ntt(&mut s1_ntt[i]); } - compute_matrix_x_mask::( + compute_as1_plus_s2::( ROWS_IN_A, COLUMNS_IN_A, - &matrix, - &mask_ntt, - &mut a_x_mask, + &a_as_ntt, + &s1_ntt, + &s1_s2, + &mut t0, ); - decompose_vector::(ROWS_IN_A, GAMMA2, &a_x_mask, &mut w0, &mut commitment); } - let mut commitment_hash_candidate = [0; COMMITMENT_HASH_SIZE]; - { - let mut commitment_serialized = [0u8; COMMITMENT_VECTOR_SIZE]; - encoding::commitment::serialize_vector::( - COMMITMENT_RING_ELEMENT_SIZE, - &commitment, - &mut commitment_serialized, - ); + let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; + power2round_vector::(&mut t0, &mut t1); + // Write out the keys + encoding::verification_key::generate_serialized::( + seed_for_a, + &t1, + verification_key, + ); + encoding::signing_key::generate_serialized::( + ETA, + ERROR_RING_ELEMENT_SIZE, + seed_for_a, + seed_for_signing, + verification_key, + &s1_s2, + &t0, + signing_key, + ); + } + + #[inline(always)] + pub(crate) fn sign_internal< + SIMDUnit: Operations, + Sampler: X4Sampler, + Shake128X4: shake128::XofX4, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, + Shake256X4: shake256::XofX4, + >( + signing_key: &[u8], + message: &[u8], + domain_separation_context: Option, + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + // FIXME: pass these in as enums instead + let eta = match ETA as u8 { + 2 => Eta::Two, + 4 => Eta::Four, + _ => unreachable!(), + }; + + // Split the signing key into its parts. + let (seed_for_a, remaining_serialized) = signing_key.split_at(SEED_FOR_A_SIZE); + let (seed_for_signing, remaining_serialized) = + remaining_serialized.split_at(SEED_FOR_SIGNING_SIZE); + let (verification_key_hash, remaining_serialized) = + remaining_serialized.split_at(BYTES_FOR_VERIFICATION_KEY_HASH); + + let (s1_serialized, remaining_serialized) = + remaining_serialized.split_at(ERROR_RING_ELEMENT_SIZE * COLUMNS_IN_A); + let (s2_serialized, t0_serialized) = + remaining_serialized.split_at(ERROR_RING_ELEMENT_SIZE * ROWS_IN_A); + + // Deserialize s1, s2, and t0. + let mut s1_as_ntt = [PolynomialRingElement::zero(); COLUMNS_IN_A]; + let mut s2_as_ntt = [PolynomialRingElement::zero(); ROWS_IN_A]; + let mut t0_as_ntt = [PolynomialRingElement::zero(); ROWS_IN_A]; + + encoding::error::deserialize_to_vector_then_ntt::( + eta, + ERROR_RING_ELEMENT_SIZE, + s1_serialized, + &mut s1_as_ntt, + ); + encoding::error::deserialize_to_vector_then_ntt::( + eta, + ERROR_RING_ELEMENT_SIZE, + s2_serialized, + &mut s2_as_ntt, + ); + encoding::t0::deserialize_to_vector_then_ntt::(t0_serialized, &mut t0_as_ntt); + + // Sample matrix A. + let mut matrix = [PolynomialRingElement::::zero(); ROW_X_COLUMN]; + Sampler::matrix_flat::(COLUMNS_IN_A, &seed_for_a, &mut matrix); + + let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; + derive_message_representative::( + verification_key_hash, + &domain_separation_context, + message, + &mut message_representative, + ); + + let mut mask_seed = [0; MASK_SEED_SIZE]; + { let mut shake = Shake256Xof::init(); - shake.absorb(&message_representative); - shake.absorb_final(&commitment_serialized); + shake.absorb(&seed_for_signing); + shake.absorb(&randomness); + shake.absorb_final(&message_representative); - shake.squeeze(&mut commitment_hash_candidate); + shake.squeeze(&mut mask_seed); } - let mut verifier_challenge = PolynomialRingElement::zero(); - sample_challenge_ring_element::( - &commitment_hash_candidate, - ONES_IN_VERIFIER_CHALLENGE, - &mut verifier_challenge, - ); - ntt(&mut verifier_challenge); + let mut domain_separator_for_mask: u16 = 0; + let mut attempt = 0; + + // Return values. + // Required because we can't return early. + // See https://github.com/hacspec/hax/issues/1171 + let mut commitment_hash = None; + let mut signer_response = None; + let mut hint = None; + + // As specified in [FIPS 204, Appendix C], the minimum number of + // attempts in this rejection sampling loop is 814. This puts the + // probability of failure at 2⁻²⁵⁶ or less. + // + // [FIPS 204, Appendix C]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#appendix.C + while attempt < REJECTION_SAMPLE_BOUND_SIGN { + attempt += 1; + + let mut mask = [PolynomialRingElement::zero(); COLUMNS_IN_A]; + let mut w0 = [PolynomialRingElement::zero(); ROWS_IN_A]; + let mut commitment = [PolynomialRingElement::zero(); ROWS_IN_A]; + + sample_mask_vector::( + COLUMNS_IN_A, + GAMMA1_EXPONENT, + &mask_seed, + &mut domain_separator_for_mask, + &mut mask, + ); - // We need to clone here in case we need s1_as_ntt or s2_as_ntt again in - // another iteration of the loop. - let mut challenge_times_s1 = s1_as_ntt.clone(); - let mut challenge_times_s2 = s2_as_ntt.clone(); + { + let mut a_x_mask = [PolynomialRingElement::zero(); ROWS_IN_A]; + let mut mask_ntt = mask.clone(); + for i in 0..mask_ntt.len() { + ntt(&mut mask_ntt[i]); + } + compute_matrix_x_mask::( + ROWS_IN_A, + COLUMNS_IN_A, + &matrix, + &mask_ntt, + &mut a_x_mask, + ); + decompose_vector::( + ROWS_IN_A, + GAMMA2, + &a_x_mask, + &mut w0, + &mut commitment, + ); + } + + let mut commitment_hash_candidate = [0; COMMITMENT_HASH_SIZE]; + { + let mut commitment_serialized = [0u8; COMMITMENT_VECTOR_SIZE]; + encoding::commitment::serialize_vector::( + COMMITMENT_RING_ELEMENT_SIZE, + &commitment, + &mut commitment_serialized, + ); - vector_times_ring_element::(&mut challenge_times_s1, &verifier_challenge); - vector_times_ring_element::(&mut challenge_times_s2, &verifier_challenge); + let mut shake = Shake256Xof::init(); + shake.absorb(&message_representative); + shake.absorb_final(&commitment_serialized); - add_vectors::(COLUMNS_IN_A, &mut mask, &challenge_times_s1); - subtract_vectors::(ROWS_IN_A, &mut w0, &challenge_times_s2); + shake.squeeze(&mut commitment_hash_candidate); + } - if vector_infinity_norm_exceeds::(&mask, (1 << GAMMA1_EXPONENT) - beta) { - // XXX: https://github.com/hacspec/hax/issues/1171 - // continue; - } else { - if vector_infinity_norm_exceeds::(&w0, GAMMA2 - beta) { + let mut verifier_challenge = PolynomialRingElement::zero(); + sample_challenge_ring_element::( + &commitment_hash_candidate, + ONES_IN_VERIFIER_CHALLENGE, + &mut verifier_challenge, + ); + ntt(&mut verifier_challenge); + + // We need to clone here in case we need s1_as_ntt or s2_as_ntt again in + // another iteration of the loop. + let mut challenge_times_s1 = s1_as_ntt.clone(); + let mut challenge_times_s2 = s2_as_ntt.clone(); + + vector_times_ring_element::(&mut challenge_times_s1, &verifier_challenge); + vector_times_ring_element::(&mut challenge_times_s2, &verifier_challenge); + + add_vectors::(COLUMNS_IN_A, &mut mask, &challenge_times_s1); + subtract_vectors::(ROWS_IN_A, &mut w0, &challenge_times_s2); + + if vector_infinity_norm_exceeds::(&mask, (1 << GAMMA1_EXPONENT) - BETA) { // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { - // We need to clone here in case we need t0_as_ntt again in another iteration - // of the loop. - let mut challenge_times_t0 = t0_as_ntt.clone(); - vector_times_ring_element::(&mut challenge_times_t0, &verifier_challenge); - if vector_infinity_norm_exceeds::(&challenge_times_t0, GAMMA2) { + if vector_infinity_norm_exceeds::(&w0, GAMMA2 - BETA) { // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { - add_vectors::(ROWS_IN_A, &mut w0, &challenge_times_t0); - let mut hint_candidate = [[0; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A]; - let ones_in_hint = make_hint::( - &w0, - &commitment, - &mut hint_candidate, + // We need to clone here in case we need t0_as_ntt again in another iteration + // of the loop. + let mut challenge_times_t0 = t0_as_ntt.clone(); + vector_times_ring_element::( + &mut challenge_times_t0, + &verifier_challenge, ); - - if ones_in_hint > MAX_ONES_IN_HINT { + if vector_infinity_norm_exceeds::(&challenge_times_t0, GAMMA2) { // XXX: https://github.com/hacspec/hax/issues/1171 // continue; } else { - attempt = REJECTION_SAMPLE_BOUND_SIGN; // exit loop now - commitment_hash = Some(commitment_hash_candidate); - signer_response = Some(mask); - hint = Some(hint_candidate); + add_vectors::(ROWS_IN_A, &mut w0, &challenge_times_t0); + let mut hint_candidate = [[0; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A]; + let ones_in_hint = make_hint::( + &w0, + &commitment, + &mut hint_candidate, + ); + + if ones_in_hint > MAX_ONES_IN_HINT { + // XXX: https://github.com/hacspec/hax/issues/1171 + // continue; + } else { + attempt = REJECTION_SAMPLE_BOUND_SIGN; // exit loop now + commitment_hash = Some(commitment_hash_candidate); + signer_response = Some(mask); + hint = Some(hint_candidate); + } } } } } + + let commitment_hash = match commitment_hash { + Some(commitment_hash) => commitment_hash, + None => return Err(SigningError::RejectionSamplingError), + }; + + let signer_response = match signer_response { + Some(signer_response) => signer_response, + None => return Err(SigningError::RejectionSamplingError), + }; + + let hint = match hint { + Some(hint) => hint, + None => return Err(SigningError::RejectionSamplingError), + }; + + let mut signature = [0u8; SIGNATURE_SIZE]; + + encoding::signature::serialize::( + &commitment_hash, + &signer_response, + &hint, + COMMITMENT_HASH_SIZE, + COLUMNS_IN_A, + ROWS_IN_A, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + MAX_ONES_IN_HINT, + &mut signature, + ); + + Ok(MLDSASignature::new(signature)) } - let commitment_hash = match commitment_hash { - Some(commitment_hash) => commitment_hash, - None => return Err(SigningError::RejectionSamplingError), - }; + /// The internal verification API. + /// + /// If no `domain_separation_context` is supplied, it is assumed that + /// `message` already contains the domain separation. + #[allow(non_snake_case)] + #[inline(always)] + pub(crate) fn verify_internal< + SIMDUnit: Operations, + Sampler: X4Sampler, + Shake128X4: shake128::XofX4, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, + >( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + domain_separation_context: Option, + signature_serialized: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + let (seed_for_a, t1_serialized) = verification_key.split_at(SEED_FOR_A_SIZE); + let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; + encoding::verification_key::deserialize::( + ROWS_IN_A, + VERIFICATION_KEY_SIZE, + t1_serialized, + &mut t1, + ); + + let mut deserialized_commitment_hash = [0u8; COMMITMENT_HASH_SIZE]; + let mut deserialized_signer_response = [PolynomialRingElement::zero(); COLUMNS_IN_A]; + let mut deserialized_hint = [[0i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A]; - let signer_response = match signer_response { - Some(signer_response) => signer_response, - None => return Err(SigningError::RejectionSamplingError), - }; + match encoding::signature::deserialize::( + COLUMNS_IN_A, + ROWS_IN_A, + COMMITMENT_HASH_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + MAX_ONES_IN_HINT, + SIGNATURE_SIZE, + signature_serialized, + &mut deserialized_commitment_hash, + &mut deserialized_signer_response, + &mut deserialized_hint, + ) { + Ok(_) => (), + Err(e) => return Err(e), + }; + + // We use if-else branches because early returns will not go through hax. + if vector_infinity_norm_exceeds::( + &deserialized_signer_response, + (2 << GAMMA1_EXPONENT) - BETA, + ) { + return Err(VerificationError::SignerResponseExceedsBoundError); + } + let mut matrix = [PolynomialRingElement::::zero(); ROW_X_COLUMN]; + Sampler::matrix_flat::(COLUMNS_IN_A, &seed_for_a, &mut matrix); + + let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; + Shake256::shake256(verification_key, &mut verification_key_hash); + + let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; + derive_message_representative::( + &verification_key_hash, + &domain_separation_context, + message, + &mut message_representative, + ); - let hint = match hint { - Some(hint) => hint, - None => return Err(SigningError::RejectionSamplingError), - }; + let mut verifier_challenge = PolynomialRingElement::zero(); + sample_challenge_ring_element::( + &deserialized_commitment_hash, + ONES_IN_VERIFIER_CHALLENGE, + &mut verifier_challenge, + ); + ntt(&mut verifier_challenge); - let mut signature = [0u8; SIGNATURE_SIZE]; + // Move signer response into ntt + for i in 0..deserialized_signer_response.len() { + ntt(&mut deserialized_signer_response[i]); + } + compute_w_approx::( + ROWS_IN_A, + COLUMNS_IN_A, + &matrix, + &deserialized_signer_response, + &verifier_challenge, + &mut t1, + ); - encoding::signature::serialize::( - &commitment_hash, - &signer_response, - &hint, - COMMITMENT_HASH_SIZE, - COLUMNS_IN_A, - ROWS_IN_A, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - MAX_ONES_IN_HINT, - &mut signature, - ); + // Compute the commitment hash again to validate the signature. + let mut recomputed_commitment_hash = [0; COMMITMENT_HASH_SIZE]; + { + use_hint::(GAMMA2, &deserialized_hint, &mut t1); + let mut commitment_serialized = [0u8; COMMITMENT_VECTOR_SIZE]; + encoding::commitment::serialize_vector::( + COMMITMENT_RING_ELEMENT_SIZE, + &t1, + &mut commitment_serialized, + ); - Ok(MLDSASignature::new(signature)) + let mut shake = Shake256Xof::init(); + shake.absorb(&message_representative); + shake.absorb_final(&commitment_serialized); + + shake.squeeze(&mut recomputed_commitment_hash); + } + + // Check if this is a valid signature by comparing the hashes. + if deserialized_commitment_hash == recomputed_commitment_hash { + return Ok(()); + } + + return Err(VerificationError::CommitmentHashesDontMatchError); + } + + #[allow(non_snake_case)] + #[inline(always)] + pub(crate) fn sign_pre_hashed< + SIMDUnit: Operations, + Sampler: X4Sampler, + Shake128: shake128::Xof, + Shake128X4: shake128::XofX4, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, + Shake256X4: shake256::XofX4, + PH: PreHash, + const PH_DIGEST_LEN: usize, + >( + signing_key: &[u8], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + if context.len() > CONTEXT_MAX_LEN { + return Err(SigningError::ContextTooLongError); + } + let pre_hashed_message = PH::hash::(message); + let domain_separation_context = match DomainSeparationContext::new(context, Some(PH::oid())) + { + Ok(dsc) => dsc, + Err(_) => return Err(SigningError::ContextTooLongError), + }; + sign_internal::( + signing_key, + &pre_hashed_message, + Some(domain_separation_context), + randomness, + ) + } + #[inline(always)] + pub(crate) fn sign< + SIMDUnit: Operations, + Sampler: X4Sampler, + Shake128X4: shake128::XofX4, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, + Shake256X4: shake256::XofX4, + >( + signing_key: &[u8], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + let domain_separation_context = match DomainSeparationContext::new(context, None) { + Ok(dsc) => dsc, + Err(_) => return Err(SigningError::ContextTooLongError), + }; + sign_internal::( + signing_key, + message, + Some(domain_separation_context), + randomness, + ) + } + #[allow(non_snake_case)] + #[inline(always)] + pub(crate) fn verify< + SIMDUnit: Operations, + Sampler: X4Sampler, + Shake128X4: shake128::XofX4, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, + >( + verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature_serialized: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + // We manually do the matching here to make Eurydice happy. + let domain_separation_context = match DomainSeparationContext::new(context, None) { + Ok(dsc) => dsc, + Err(_) => return Err(VerificationError::VerificationContextTooLongError), + }; + verify_internal::( + &verification_key_serialized, + message, + Some(domain_separation_context), + &signature_serialized, + ) + } + + #[allow(non_snake_case)] + #[inline(always)] + pub(crate) fn verify_pre_hashed< + SIMDUnit: Operations, + Sampler: X4Sampler, + Shake128: shake128::Xof, + Shake128X4: shake128::XofX4, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, + PH: PreHash, + const PH_DIGEST_LEN: usize, + >( + verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature_serialized: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + let pre_hashed_message = PH::hash::(message); + let domain_separation_context = match DomainSeparationContext::new(context, Some(PH::oid())) + { + Ok(dsc) => dsc, + Err(_) => return Err(VerificationError::VerificationContextTooLongError), + }; + verify_internal::( + &verification_key_serialized, + &pre_hashed_message, + Some(domain_separation_context), + &signature_serialized, + ) + } } /// This corresponds to line 6 in algorithm 7 in FIPS 204 (line 7 in algorithm @@ -551,259 +636,3 @@ fn derive_message_representative( shake.absorb_final(message); shake.squeeze(message_representative); } - -/// The internal verification API. -/// -/// If no `domain_separation_context` is supplied, it is assumed that -/// `message` already contains the domain separation. -#[allow(non_snake_case)] -#[inline(always)] -pub(crate) fn verify_internal< - SIMDUnit: Operations, - Sampler: X4Sampler, - Shake128X4: shake128::XofX4, - Shake256: shake256::DsaXof, - Shake256Xof: shake256::Xof, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, ->( - verification_key: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - domain_separation_context: Option, - signature_serialized: &[u8; SIGNATURE_SIZE], -) -> Result<(), VerificationError> { - let (seed_for_a, t1_serialized) = verification_key.split_at(SEED_FOR_A_SIZE); - let mut t1 = [PolynomialRingElement::::zero(); ROWS_IN_A]; - encoding::verification_key::deserialize::( - ROWS_IN_A, - VERIFICATION_KEY_SIZE, - t1_serialized, - &mut t1, - ); - - let mut deserialized_commitment_hash = [0u8; COMMITMENT_HASH_SIZE]; - let mut deserialized_signer_response = [PolynomialRingElement::zero(); COLUMNS_IN_A]; - let mut deserialized_hint = [[0i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A]; - - match encoding::signature::deserialize::( - COLUMNS_IN_A, - ROWS_IN_A, - COMMITMENT_HASH_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - MAX_ONES_IN_HINT, - SIGNATURE_SIZE, - signature_serialized, - &mut deserialized_commitment_hash, - &mut deserialized_signer_response, - &mut deserialized_hint, - ) { - Ok(_) => (), - Err(e) => return Err(e), - }; - - // We use if-else branches because early returns will not go through hax. - if vector_infinity_norm_exceeds::( - &deserialized_signer_response, - (2 << GAMMA1_EXPONENT) - BETA, - ) { - return Err(VerificationError::SignerResponseExceedsBoundError); - } - let mut matrix = [PolynomialRingElement::::zero(); ROWS_X_COLUMNS]; - Sampler::matrix_flat::(COLUMNS_IN_A, &seed_for_a, &mut matrix); - - let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; - Shake256::shake256(verification_key, &mut verification_key_hash); - - let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; - derive_message_representative::( - &verification_key_hash, - &domain_separation_context, - message, - &mut message_representative, - ); - - let mut verifier_challenge = PolynomialRingElement::zero(); - sample_challenge_ring_element::( - &deserialized_commitment_hash, - ONES_IN_VERIFIER_CHALLENGE, - &mut verifier_challenge, - ); - ntt(&mut verifier_challenge); - - // Move signer response into ntt - for i in 0..deserialized_signer_response.len() { - ntt(&mut deserialized_signer_response[i]); - } - compute_w_approx::( - ROWS_IN_A, - COLUMNS_IN_A, - &matrix, - &deserialized_signer_response, - &verifier_challenge, - &mut t1, - ); - - // Compute the commitment hash again to validate the signature. - let mut recomputed_commitment_hash = [0; COMMITMENT_HASH_SIZE]; - { - use_hint::(GAMMA2, &deserialized_hint, &mut t1); - let mut commitment_serialized = [0u8; COMMITMENT_VECTOR_SIZE]; - encoding::commitment::serialize_vector::( - COMMITMENT_RING_ELEMENT_SIZE, - &t1, - &mut commitment_serialized, - ); - - let mut shake = Shake256Xof::init(); - shake.absorb(&message_representative); - shake.absorb_final(&commitment_serialized); - - shake.squeeze(&mut recomputed_commitment_hash); - } - - // Check if this is a valid signature by comparing the hashes. - if deserialized_commitment_hash == recomputed_commitment_hash { - return Ok(()); - } - - return Err(VerificationError::CommitmentHashesDontMatchError); -} - -#[allow(non_snake_case)] -#[inline(always)] -pub(crate) fn verify< - SIMDUnit: Operations, - Sampler: X4Sampler, - Shake128X4: shake128::XofX4, - Shake256: shake256::DsaXof, - Shake256Xof: shake256::Xof, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, ->( - verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - context: &[u8], - signature_serialized: &[u8; SIGNATURE_SIZE], -) -> Result<(), VerificationError> { - // We manually do the matching here to make Eurydice happy. - let domain_separation_context = match DomainSeparationContext::new(context, None) { - Ok(dsc) => dsc, - Err(_) => return Err(VerificationError::VerificationContextTooLongError), - }; - verify_internal::< - SIMDUnit, - Sampler, - Shake128X4, - Shake256, - Shake256Xof, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( - &verification_key_serialized, - message, - Some(domain_separation_context), - &signature_serialized, - ) -} - -#[allow(non_snake_case)] -#[inline(always)] -pub(crate) fn verify_pre_hashed< - SIMDUnit: Operations, - Sampler: X4Sampler, - Shake128: shake128::Xof, - Shake128X4: shake128::XofX4, - Shake256: shake256::DsaXof, - Shake256Xof: shake256::Xof, - PH: PreHash, - const PH_DIGEST_LEN: usize, - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, ->( - verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - context: &[u8], - signature_serialized: &[u8; SIGNATURE_SIZE], -) -> Result<(), VerificationError> { - let pre_hashed_message = PH::hash::(message); - let domain_separation_context = match DomainSeparationContext::new(context, Some(PH::oid())) { - Ok(dsc) => dsc, - Err(_) => return Err(VerificationError::VerificationContextTooLongError), - }; - - verify_internal::< - SIMDUnit, - Sampler, - Shake128X4, - Shake256, - Shake256Xof, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( - &verification_key_serialized, - &pre_hashed_message, - Some(domain_separation_context), - &signature_serialized, - ) -} diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index a714540de..ebe64bd77 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -1,6 +1,6 @@ macro_rules! instantiate { ( - $modp:ident, // name for the module + $platform:ident, // name for the module $simdunit:path, // paths to the platform specific implementations ... $shake128:path, $shake128x4:path, @@ -9,7 +9,7 @@ macro_rules! instantiate { $shake256x4:path, $sampler:path ) => { - pub mod $modp { + pub mod $platform { use crate::{ constants::*, pre_hash::SHAKE128_PH, @@ -17,317 +17,141 @@ macro_rules! instantiate { types::{SigningError, VerificationError}, }; - macro_rules! generate_key_pair { - ($name:ident) => { - /// Generate key pair. - pub(crate) fn $name( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], - ) { - crate::ml_dsa_generic::$name::< - $simdunit, - $sampler, - $shake128x4, - $shake256, - $shake256xof, - $shake256x4, - >(randomness, signing_key, verification_key) - } - }; - } + macro_rules! parameter_set { + ($parameter_module:ident, $feature:literal) => { + #[cfg(feature = $feature)] + pub(crate) mod $parameter_module { + use super::*; + use crate::ml_dsa_generic::$parameter_module::{ + SIGNATURE_SIZE, SIGNING_KEY_SIZE, VERIFICATION_KEY_SIZE, + }; - #[cfg(feature = "mldsa44")] - generate_key_pair!(generate_key_pair_v44); - #[cfg(feature = "mldsa65")] - generate_key_pair!(generate_key_pair_v65); - #[cfg(feature = "mldsa87")] - generate_key_pair!(generate_key_pair_v87); + /// Generate key pair. + pub fn generate_key_pair( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8; SIGNING_KEY_SIZE], + verification_key: &mut [u8; VERIFICATION_KEY_SIZE], + ) { + crate::ml_dsa_generic::$parameter_module::generate_key_pair::< + $simdunit, + $sampler, + $shake128x4, + $shake256, + $shake256xof, + $shake256x4, + >(randomness, signing_key, verification_key) + } - /// Sign. - pub(crate) fn sign< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, - >( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - context: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], - ) -> Result, SigningError> { - crate::ml_dsa_generic::sign::< - $simdunit, - $sampler, - $shake128x4, - $shake256, - $shake256xof, - $shake256x4, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(&signing_key, message, context, randomness) - } + /// Sign. + pub fn sign( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + crate::ml_dsa_generic::$parameter_module::sign::< + $simdunit, + $sampler, + $shake128x4, + $shake256, + $shake256xof, + $shake256x4, + >(signing_key, message, context, randomness) + } - /// Sign (internal API) - #[cfg(feature = "acvp")] - pub(crate) fn sign_internal< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, - >( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], - ) -> Result, SigningError> { - crate::ml_dsa_generic::sign_internal::< - $simdunit, - $sampler, - $shake128x4, - $shake256, - $shake256xof, - $shake256x4, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(&signing_key, message, None, randomness) - } + #[cfg(feature = "acvp")] + pub fn sign_internal( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + crate::ml_dsa_generic::$parameter_module::sign_internal::< + $simdunit, + $sampler, + $shake128x4, + $shake256, + $shake256xof, + $shake256x4, + >(signing_key, message, None, randomness) + } - /// Sign (pre-hashed). - pub(crate) fn sign_pre_hashed_shake128< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, - >( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - context: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], - ) -> Result, SigningError> { - crate::ml_dsa_generic::sign_pre_hashed::< - $simdunit, - $sampler, - $shake128, - $shake128x4, - $shake256, - $shake256xof, - $shake256x4, - SHAKE128_PH, - 256, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(&signing_key, message, context, randomness) - } + /// Sign (pre-hashed). + pub(crate) fn sign_pre_hashed_shake128( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + crate::ml_dsa_generic::$parameter_module::sign_pre_hashed::< + $simdunit, + $sampler, + $shake128, + $shake128x4, + $shake256, + $shake256xof, + $shake256x4, + SHAKE128_PH, + 256, + >(signing_key, message, context, randomness) + } - /// Verify. - pub(crate) fn verify< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - >( - verification_key: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - context: &[u8], - signature: &[u8; SIGNATURE_SIZE], - ) -> Result<(), VerificationError> { - crate::ml_dsa_generic::verify::< - $simdunit, - $sampler, - $shake128x4, - $shake256, - $shake256xof, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key, message, context, signature) - } + /// Verify. + pub(crate) fn verify( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + crate::ml_dsa_generic::$parameter_module::verify::< + $simdunit, + $sampler, + $shake128x4, + $shake256, + $shake256xof, + >(verification_key, message, context, signature) + } - /// Verify (internal API). - #[cfg(feature = "acvp")] - pub(crate) fn verify_internal< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - >( - verification_key: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - signature: &[u8; SIGNATURE_SIZE], - ) -> Result<(), VerificationError> { - crate::ml_dsa_generic::verify_internal::< - $simdunit, - $sampler, - $shake128x4, - $shake256, - $shake256xof, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key, message, None, signature) - } + /// Verify (internal API). + #[cfg(feature = "acvp")] + pub(crate) fn verify_internal( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + crate::ml_dsa_generic::$parameter_module::verify_internal::< + $simdunit, + $sampler, + $shake128x4, + $shake256, + $shake256xof, + >(verification_key, message, None, signature) + } - /// Verify (pre-hashed with SHAKE-128). - pub(crate) fn verify_pre_hashed_shake128< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - >( - verification_key: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - context: &[u8], - signature: &[u8; SIGNATURE_SIZE], - ) -> Result<(), VerificationError> { - crate::ml_dsa_generic::verify_pre_hashed::< - $simdunit, - $sampler, - $shake128, - $shake128x4, - $shake256, - $shake256xof, - SHAKE128_PH, - 256, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key, message, context, signature) + /// Verify (pre-hashed with SHAKE-128). + pub(crate) fn verify_pre_hashed_shake128( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + crate::ml_dsa_generic::$parameter_module::verify_pre_hashed::< + $simdunit, + $sampler, + $shake128, + $shake128x4, + $shake256, + $shake256xof, + SHAKE128_PH, + 256, + >(verification_key, message, context, signature) + } + } + }; } + + parameter_set!(ml_dsa_44, "mldsa44"); + parameter_set!(ml_dsa_65, "mldsa65"); + parameter_set!(ml_dsa_87, "mldsa87"); } }; } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index af2638a12..cc34c1fac 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -5,624 +5,230 @@ use crate::{ types::*, }; -mod avx2_feature { - use super::*; +macro_rules! parameter_set { + ($parameter_module:ident, $feature:literal) => { + #[cfg(feature = $feature)] + pub(crate) mod $parameter_module { + use super::*; + use crate::ml_dsa_generic::$parameter_module::{ + SIGNATURE_SIZE, SIGNING_KEY_SIZE, VERIFICATION_KEY_SIZE, + }; - /// Sign. - #[cfg_attr(not(hax), target_feature(enable = "avx2"))] - #[allow(unsafe_code)] - pub(super) unsafe fn sign< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, - >( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - context: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], - ) -> Result, SigningError> { - crate::ml_dsa_generic::sign::< - crate::simd::avx2::AVX2SIMDUnit, - crate::samplex4::avx2::AVX2Sampler, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - // We use the portable version here. - // It doesn' make sense to do these in parallel. - crate::hash_functions::portable::Shake256Xof, - crate::hash_functions::simd256::Shake256x4, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(&signing_key, message, context, randomness) - } - - /// Sign (internal API) - #[cfg(feature = "acvp")] - #[cfg_attr(not(hax), target_feature(enable = "avx2"))] - #[allow(unsafe_code)] - pub(super) unsafe fn sign_internal< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, - >( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], - ) -> Result, SigningError> { - crate::ml_dsa_generic::sign_internal::< - crate::simd::avx2::AVX2SIMDUnit, - crate::samplex4::avx2::AVX2Sampler, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - // We use the portable version here. - // It doesn' make sense to do these in parallel. - crate::hash_functions::portable::Shake256Xof, - crate::hash_functions::simd256::Shake256x4, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(&signing_key, message, None, randomness) - } - - /// Sign (pre-hashed). - #[cfg_attr(not(hax), target_feature(enable = "avx2"))] - #[allow(unsafe_code)] - pub(super) unsafe fn sign_pre_hashed_shake128< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, - >( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - context: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], - ) -> Result, SigningError> { - crate::ml_dsa_generic::sign_pre_hashed::< - crate::simd::avx2::AVX2SIMDUnit, - crate::samplex4::avx2::AVX2Sampler, - // We use the portable version here. - // It doesn' make sense to do these in parallel. - crate::hash_functions::portable::Shake128, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - // We use the portable version here. - // It doesn' make sense to do these in parallel. - crate::hash_functions::portable::Shake256Xof, - crate::hash_functions::simd256::Shake256x4, - SHAKE128_PH, - 256, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(&signing_key, message, context, randomness) - } - - /// Verify. - #[cfg_attr(not(hax), target_feature(enable = "avx2"))] - #[allow(unsafe_code)] - pub(super) unsafe fn verify< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - >( - verification_key: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - context: &[u8], - signature: &[u8; SIGNATURE_SIZE], - ) -> Result<(), VerificationError> { - crate::ml_dsa_generic::verify::< - crate::simd::avx2::AVX2SIMDUnit, - crate::samplex4::avx2::AVX2Sampler, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - // We use the portable version here. - // It doesn' make sense to do these in parallel. - crate::hash_functions::portable::Shake256Xof, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key, message, context, signature) - } - - /// Verify (internal API). - #[cfg(feature = "acvp")] - #[cfg_attr(not(hax), target_feature(enable = "avx2"))] - #[allow(unsafe_code)] - pub(super) unsafe fn verify_internal< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - >( - verification_key: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - signature: &[u8; SIGNATURE_SIZE], - ) -> Result<(), VerificationError> { - crate::ml_dsa_generic::verify_internal::< - crate::simd::avx2::AVX2SIMDUnit, - crate::samplex4::avx2::AVX2Sampler, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - // We use the portable version here. - // It doesn' make sense to do these in parallel. - crate::hash_functions::portable::Shake256Xof, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key, message, None, signature) - } - - /// Verify (pre-hashed with SHAKE-128). - #[cfg_attr(not(hax), target_feature(enable = "avx2"))] - #[allow(unsafe_code)] - pub(super) unsafe fn verify_pre_hashed_shake128< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - >( - verification_key: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - context: &[u8], - signature: &[u8; SIGNATURE_SIZE], - ) -> Result<(), VerificationError> { - crate::ml_dsa_generic::verify_pre_hashed::< - crate::simd::avx2::AVX2SIMDUnit, - crate::samplex4::avx2::AVX2Sampler, - // We use the portable version here. - // It doesn' make sense to do these in parallel. - crate::hash_functions::portable::Shake128, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - // We use the portable version here. - // It doesn' make sense to do these in parallel. - crate::hash_functions::portable::Shake256Xof, - SHAKE128_PH, - 256, - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key, message, context, signature) - } -} - -macro_rules! impl_generate_key_pair { - ($name:ident) => { - /// Generate key pair. - #[allow(unsafe_code)] - pub(crate) fn $name( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], - ) { #[allow(unsafe_code)] - #[cfg_attr(not(hax), target_feature(enable = "avx2"))] - unsafe fn _inner( + pub fn generate_key_pair( randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], signing_key: &mut [u8], verification_key: &mut [u8], ) { - crate::ml_dsa_generic::$name::< - crate::simd::avx2::AVX2SIMDUnit, - crate::samplex4::avx2::AVX2Sampler, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - crate::hash_functions::portable::Shake256Xof, - crate::hash_functions::simd256::Shake256x4, - >(randomness, signing_key, verification_key); + /// Key Generation. + #[allow(unsafe_code)] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + unsafe fn _inner( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8], + verification_key: &mut [u8], + ) { + crate::ml_dsa_generic::$parameter_module::generate_key_pair::< + crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + crate::hash_functions::portable::Shake256Xof, + crate::hash_functions::simd256::Shake256x4, + >(randomness, signing_key, verification_key); + } + + unsafe { _inner(randomness, signing_key, verification_key) } } - unsafe { - _inner(randomness, signing_key, verification_key); + #[allow(unsafe_code)] + /// Sign. + pub fn sign( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + unsafe fn _inner( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + crate::ml_dsa_generic::$parameter_module::sign::< + crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, + crate::hash_functions::simd256::Shake256x4, + >(signing_key, message, context, randomness) + } + unsafe { _inner(signing_key, message, context, randomness) } } - } - }; -} - -#[cfg(feature = "mldsa44")] -impl_generate_key_pair!(generate_key_pair_v44); -#[cfg(feature = "mldsa65")] -impl_generate_key_pair!(generate_key_pair_v65); -#[cfg(feature = "mldsa87")] -impl_generate_key_pair!(generate_key_pair_v87); -/// Sign. -#[allow(unsafe_code)] -#[inline(always)] -pub(crate) fn sign< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, ->( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - context: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], -) -> Result, SigningError> { - unsafe { - avx2_feature::sign::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key, message, context, randomness) - } -} + /// Sign (internal API) + #[allow(unsafe_code)] + #[cfg(feature = "acvp")] + pub fn sign_internal( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + unsafe fn _inner( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + crate::ml_dsa_generic::$parameter_module::sign_internal::< + crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, + crate::hash_functions::simd256::Shake256x4, + >(signing_key, message, None, randomness) + } + unsafe { _inner(&signing_key, message, randomness) } + } -/// Sign (internal API) -#[cfg(feature = "acvp")] -#[allow(unsafe_code)] -pub(crate) fn sign_internal< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, ->( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], -) -> Result, SigningError> { - unsafe { - avx2_feature::sign_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key, message, randomness) - } -} + /// Sign (pre-hashed). + #[allow(unsafe_code)] + pub fn sign_pre_hashed_shake128( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + unsafe fn _inner( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + crate::ml_dsa_generic::$parameter_module::sign_pre_hashed::< + crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake128, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, + crate::hash_functions::simd256::Shake256x4, + SHAKE128_PH, + 256, + >(signing_key, message, context, randomness) + } + unsafe { _inner(signing_key, message, context, randomness) } + } -/// Sign (pre-hashed). -#[allow(unsafe_code)] -pub(crate) fn sign_pre_hashed_shake128< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, ->( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - context: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], -) -> Result, SigningError> { - unsafe { - avx2_feature::sign_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key, message, context, randomness) - } -} + /// Verify. + #[allow(unsafe_code)] + pub fn verify( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + unsafe fn _inner( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + crate::ml_dsa_generic::$parameter_module::verify::< + crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, + >(verification_key, message, context, signature) + } + unsafe { _inner(verification_key, message, context, signature) } + } -/// Verify. -#[allow(unsafe_code)] -pub(crate) fn verify< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, ->( - verification_key: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - context: &[u8], - signature: &[u8; SIGNATURE_SIZE], -) -> Result<(), VerificationError> { - unsafe { - avx2_feature::verify::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key, message, context, signature) - } -} + /// Verify (internal API). + #[cfg(feature = "acvp")] + #[allow(unsafe_code)] + pub fn verify_internal( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + unsafe fn _inner( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + crate::ml_dsa_generic::$parameter_module::verify_internal::< + crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, + >(verification_key, message, None, signature) + } + unsafe { _inner(verification_key, message, signature) } + } -/// Verify (internal API). -#[cfg(feature = "acvp")] -#[allow(unsafe_code)] -pub(crate) fn verify_internal< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, ->( - verification_key: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - signature: &[u8; SIGNATURE_SIZE], -) -> Result<(), VerificationError> { - unsafe { - avx2_feature::verify_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key, message, signature) - } + /// Verify (pre-hashed with SHAKE-128). + #[allow(unsafe_code)] + pub fn verify_pre_hashed_shake128( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + unsafe fn _inner( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + crate::ml_dsa_generic::$parameter_module::verify_pre_hashed::< + crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake128, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, + SHAKE128_PH, + 256, + >(verification_key, message, context, signature) + } + unsafe { _inner(verification_key, message, context, signature) } + } + } + }; } -/// Verify (pre-hashed with SHAKE-128). -#[allow(unsafe_code)] -pub(crate) fn verify_pre_hashed_shake128< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, ->( - verification_key: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - context: &[u8], - signature: &[u8; SIGNATURE_SIZE], -) -> Result<(), VerificationError> { - unsafe { - avx2_feature::verify_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key, message, context, signature) - } -} +parameter_set!(ml_dsa_44, "mldsa44"); +parameter_set!(ml_dsa_65, "mldsa65"); +parameter_set!(ml_dsa_87, "mldsa87"); diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs index 550aa2ab6..e759be57b 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs @@ -1,609 +1,225 @@ use super::*; use libcrux_platform; -// For the case where we didn't compile with the simd128/simd256 features but -// have a CPU that has it and thus tries to call the simd128/simd256 version, -// we fall back to the portable version in this case. - -#[cfg(feature = "simd256")] -use instantiations::avx2::{ - sign as sign_avx2, sign_pre_hashed_shake128 as sign_pre_hashed_shake128_avx2, - verify as verify_avx2, verify_pre_hashed_shake128 as verify_pre_hashed_shake128_avx2, -}; - -#[cfg(all(feature = "simd256", feature = "mldsa44"))] -use instantiations::portable::generate_key_pair_v44 as generate_key_pair_v44_avx2; -#[cfg(all(feature = "simd256", feature = "mldsa65"))] -use instantiations::portable::generate_key_pair_v65 as generate_key_pair_v65_avx2; -#[cfg(all(feature = "simd256", feature = "mldsa87"))] -use instantiations::portable::generate_key_pair_v87 as generate_key_pair_v87_avx2; - -#[cfg(all(feature = "simd256", feature = "acvp"))] -use instantiations::avx2::{ - sign_internal as sign_internal_avx2, verify_internal as verify_internal_avx2, -}; - -#[cfg(feature = "simd128")] -use instantiations::neon::{ - sign as sign_neon, sign_pre_hashed_shake128 as sign_pre_hashed_shake128_neon, - verify as verify_neon, verify_pre_hashed_shake128 as verify_pre_hashed_shake128_neon, -}; - -#[cfg(all(feature = "simd128", feature = "mldsa44"))] -use instantiations::neon::generate_key_pair_v44 as generate_key_pair_v44_neon; -#[cfg(all(feature = "simd128", feature = "mldsa65"))] -use instantiations::neon::generate_key_pair_v65 as generate_key_pair_v65_neon; -#[cfg(all(feature = "simd128", feature = "mldsa87"))] -use instantiations::neon::generate_key_pair_v87 as generate_key_pair_v87_neon; - -#[cfg(all(feature = "simd128", feature = "acvp"))] -use instantiations::neon::{ - sign_internal as sign_internal_neon, verify_internal as verify_internal_neon, -}; - -#[cfg(not(feature = "simd256"))] -use instantiations::portable::{ - generate_key_pair as generate_key_pair_avx2, sign as sign_avx2, - sign_pre_hashed_shake128 as sign_pre_hashed_shake128_avx2, verify as verify_avx2, - verify_pre_hashed_shake128 as verify_pre_hashed_shake128_avx2, -}; - -#[cfg(all(not(feature = "simd256"), feature = "acvp"))] -use instantiations::portable::{ - sign_internal as sign_internal_avx2, verify_internal as verify_internal_avx2, -}; - -#[cfg(all(not(feature = "simd128"), feature = "acvp"))] -use instantiations::portable::{ - sign_internal as sign_internal_neon, verify_internal as verify_internal_neon, -}; - -#[cfg(not(feature = "simd128"))] -use instantiations::portable::{ - sign as sign_neon, sign_pre_hashed_shake128 as sign_pre_hashed_shake128_neon, - verify as verify_neon, verify_pre_hashed_shake128 as verify_pre_hashed_shake128_neon, -}; - -#[cfg(all(not(feature = "simd128"), feature = "mldsa44"))] -use instantiations::portable::generate_key_pair_v44 as generate_key_pair_v44_neon; -#[cfg(all(not(feature = "simd128"), feature = "mldsa65"))] -use instantiations::portable::generate_key_pair_v65 as generate_key_pair_v65_neon; -#[cfg(all(not(feature = "simd128"), feature = "mldsa87"))] -use instantiations::portable::generate_key_pair_v87 as generate_key_pair_v87_neon; - -#[cfg(feature = "mldsa44")] -pub(crate) fn generate_key_pair_v44( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], -) { - if libcrux_platform::simd256_support() { - generate_key_pair_v44_avx2(randomness, signing_key, verification_key); - } else if libcrux_platform::simd128_support() { - generate_key_pair_v44_neon(randomness, signing_key, verification_key); - } else { - instantiations::portable::generate_key_pair_v44(randomness, signing_key, verification_key); - } -} - -#[cfg(feature = "mldsa65")] -pub(crate) fn generate_key_pair_v65( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], -) { - if libcrux_platform::simd256_support() { - generate_key_pair_v65_avx2(randomness, signing_key, verification_key); - } else if libcrux_platform::simd128_support() { - generate_key_pair_v65_neon(randomness, signing_key, verification_key); - } else { - instantiations::portable::generate_key_pair_v65(randomness, signing_key, verification_key); - } +macro_rules! parameter_set { + ($parameter_module:ident, $feature:literal) => { + #[cfg(feature = $feature)] + pub mod $parameter_module { + use super::*; + use crate::ml_dsa_generic::$parameter_module::{ + SIGNATURE_SIZE, SIGNING_KEY_SIZE, VERIFICATION_KEY_SIZE, + }; + + #[cfg(all(feature = "simd256", feature = $feature))] + use instantiations::avx2::$parameter_module::{ + generate_key_pair as generate_key_pair_avx2, sign as sign_avx2, + sign_pre_hashed_shake128 as sign_pre_hashed_shake128_avx2, verify as verify_avx2, + verify_pre_hashed_shake128 as verify_pre_hashed_shake128_avx2, + }; + + #[cfg(all(feature = "simd256", feature = "acvp", feature = $feature))] + use instantiations::avx2::$parameter_module::{ + sign_internal as sign_internal_avx2, verify_internal as verify_internal_avx2, + }; + + #[cfg(all(feature = "simd128", feature = $feature))] + use instantiations::neon::$parameter_module::{ + generate_key_pair as generate_key_pair_neon, sign as sign_neon, + sign_pre_hashed_shake128 as sign_pre_hashed_shake128_neon, verify as verify_neon, + verify_pre_hashed_shake128 as verify_pre_hashed_shake128_neon, + }; + + #[cfg(all(feature = "simd128", feature = "acvp", feature = $feature))] + use instantiations::neon::$parameter_module::{ + sign_internal as sign_internal_neon, verify_internal as verify_internal_neon, + }; + + // For the case where we didn't compile with the simd128/simd256 features but + // have a CPU that has it and thus tries to call the simd128/simd256 version, + // we fall back to the portable version in this case. + #[cfg(all(not(feature = "simd256"), feature = $feature))] + use instantiations::portable::$parameter_module::{ + generate_key_pair as generate_key_pair_avx2, sign as sign_avx2, + sign_pre_hashed_shake128 as sign_pre_hashed_shake128_avx2, verify as verify_avx2, + verify_pre_hashed_shake128 as verify_pre_hashed_shake128_avx2, + }; + + #[cfg(all(not(feature = "simd256"), feature = "acvp", feature = $feature))] + use instantiations::portable::{ + sign_internal as sign_internal_avx2, verify_internal as verify_internal_avx2, + }; + + #[cfg(all(not(feature = "simd128"), feature = $feature))] + use instantiations::portable::$parameter_module::{ + generate_key_pair as generate_key_pair_neon, sign as sign_neon, + sign_pre_hashed_shake128 as sign_pre_hashed_shake128_neon, verify as verify_neon, + verify_pre_hashed_shake128 as verify_pre_hashed_shake128_neon, + }; + + #[cfg(all(not(feature = "simd128"), feature = "acvp", feature = $feature))] + use instantiations::portable::$parameter_module::{ + sign_internal as sign_internal_neon, verify_internal as verify_internal_neon, + }; + + pub(crate) fn generate_key_pair( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8; SIGNING_KEY_SIZE], + verification_key: &mut [u8; VERIFICATION_KEY_SIZE], + ) { + if libcrux_platform::simd256_support() { + generate_key_pair_avx2(randomness, signing_key, verification_key); + } else if libcrux_platform::simd128_support() { + generate_key_pair_neon(randomness, signing_key, verification_key); + } else { + instantiations::portable::$parameter_module::generate_key_pair( + randomness, + signing_key, + verification_key, + ); + } + } + + #[cfg(feature = "acvp")] + pub(crate) fn sign_internal( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + if libcrux_platform::simd256_support() { + sign_internal_avx2(signing_key, message, randomness) + } else if libcrux_platform::simd128_support() { + sign_internal_neon(signing_key, message, randomness) + } else { + instantiations::portable::$parameter_module::sign_internal( + signing_key, + message, + randomness, + ) + } + } + + pub(crate) fn sign( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + if libcrux_platform::simd256_support() { + sign_avx2(signing_key, message, context, randomness) + } else if libcrux_platform::simd128_support() { + sign_neon(signing_key, message, context, randomness) + } else { + instantiations::portable::$parameter_module::sign( + signing_key, + message, + context, + randomness, + ) + } + } + + pub(crate) fn sign_pre_hashed_shake128( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + if libcrux_platform::simd256_support() { + sign_pre_hashed_shake128_avx2(signing_key, message, context, randomness) + } else if libcrux_platform::simd128_support() { + sign_pre_hashed_shake128_neon(signing_key, message, context, randomness) + } else { + instantiations::portable::$parameter_module::sign_pre_hashed_shake128( + signing_key, + message, + context, + randomness, + ) + } + } + + #[cfg(feature = "acvp")] + pub(crate) fn verify_internal( + verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + signature_serialized: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + if libcrux_platform::simd256_support() { + verify_internal_avx2(verification_key_serialized, message, signature_serialized) + } else if libcrux_platform::simd128_support() { + verify_internal_neon(verification_key_serialized, message, signature_serialized) + } else { + instantiations::portable::$parameter_module::verify_internal( + verification_key_serialized, + message, + signature_serialized, + ) + } + } + + pub(crate) fn verify( + verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature_serialized: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + if libcrux_platform::simd256_support() { + verify_avx2( + verification_key_serialized, + message, + context, + signature_serialized, + ) + } else if libcrux_platform::simd128_support() { + verify_neon( + verification_key_serialized, + message, + context, + signature_serialized, + ) + } else { + instantiations::portable::$parameter_module::verify( + verification_key_serialized, + message, + context, + signature_serialized, + ) + } + } + + pub(crate) fn verify_pre_hashed_shake128( + verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature_serialized: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + if libcrux_platform::simd256_support() { + verify_pre_hashed_shake128_avx2( + verification_key_serialized, + message, + context, + signature_serialized, + ) + } else if libcrux_platform::simd128_support() { + verify_pre_hashed_shake128_neon( + verification_key_serialized, + message, + context, + signature_serialized, + ) + } else { + instantiations::portable::$parameter_module::verify_pre_hashed_shake128( + verification_key_serialized, + message, + context, + signature_serialized, + ) + } + } + } + }; } -#[cfg(feature = "mldsa87")] -pub(crate) fn generate_key_pair_v87( - randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], - signing_key: &mut [u8], - verification_key: &mut [u8], -) { - if libcrux_platform::simd256_support() { - generate_key_pair_v87_avx2(randomness, signing_key, verification_key); - } else if libcrux_platform::simd128_support() { - generate_key_pair_v87_neon(randomness, signing_key, verification_key); - } else { - instantiations::portable::generate_key_pair_v87(randomness, signing_key, verification_key); - } -} - -#[cfg(feature = "acvp")] -pub(crate) fn sign_internal< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, ->( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], -) -> Result, SigningError> { - if libcrux_platform::simd256_support() { - sign_internal_avx2::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key, message, randomness) - } else if libcrux_platform::simd128_support() { - sign_internal_neon::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key, message, randomness) - } else { - instantiations::portable::sign_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key, message, randomness) - } -} - -pub(crate) fn sign< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, ->( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - context: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], -) -> Result, SigningError> { - if libcrux_platform::simd256_support() { - sign_avx2::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key, message, context, randomness) - } else if libcrux_platform::simd128_support() { - sign_neon::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key, message, context, randomness) - } else { - instantiations::portable::sign::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key, message, context, randomness) - } -} - -pub(crate) fn sign_pre_hashed_shake128< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const ETA: usize, - const ERROR_RING_ELEMENT_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA2: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const SIGNING_KEY_SIZE: usize, - const SIGNATURE_SIZE: usize, ->( - signing_key: &[u8; SIGNING_KEY_SIZE], - message: &[u8], - context: &[u8], - randomness: [u8; SIGNING_RANDOMNESS_SIZE], -) -> Result, SigningError> { - if libcrux_platform::simd256_support() { - sign_pre_hashed_shake128_avx2::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key, message, context, randomness) - } else if libcrux_platform::simd128_support() { - sign_pre_hashed_shake128_neon::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key, message, context, randomness) - } else { - instantiations::portable::sign_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(signing_key, message, context, randomness) - } -} - -#[cfg(feature = "acvp")] -pub(crate) fn verify_internal< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, ->( - verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - signature_serialized: &[u8; SIGNATURE_SIZE], -) -> Result<(), VerificationError> { - if libcrux_platform::simd256_support() { - verify_internal_avx2::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key_serialized, message, signature_serialized) - } else if libcrux_platform::simd128_support() { - verify_internal_neon::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key_serialized, message, signature_serialized) - } else { - instantiations::portable::verify_internal::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >(verification_key_serialized, message, signature_serialized) - } -} - -pub(crate) fn verify< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, ->( - verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - context: &[u8], - signature_serialized: &[u8; SIGNATURE_SIZE], -) -> Result<(), VerificationError> { - if libcrux_platform::simd256_support() { - verify_avx2::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( - verification_key_serialized, - message, - context, - signature_serialized, - ) - } else if libcrux_platform::simd128_support() { - verify_neon::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( - verification_key_serialized, - message, - context, - signature_serialized, - ) - } else { - instantiations::portable::verify::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( - verification_key_serialized, - message, - context, - signature_serialized, - ) - } -} - -pub(crate) fn verify_pre_hashed_shake128< - const ROWS_IN_A: usize, - const COLUMNS_IN_A: usize, - const ROWS_X_COLUMNS: usize, - const SIGNATURE_SIZE: usize, - const VERIFICATION_KEY_SIZE: usize, - const GAMMA1_EXPONENT: usize, - const GAMMA1_RING_ELEMENT_SIZE: usize, - const GAMMA2: i32, - const BETA: i32, - const COMMITMENT_RING_ELEMENT_SIZE: usize, - const COMMITMENT_VECTOR_SIZE: usize, - const COMMITMENT_HASH_SIZE: usize, - const ONES_IN_VERIFIER_CHALLENGE: usize, - const MAX_ONES_IN_HINT: usize, ->( - verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], - message: &[u8], - context: &[u8], - signature_serialized: &[u8; SIGNATURE_SIZE], -) -> Result<(), VerificationError> { - if libcrux_platform::simd256_support() { - verify_pre_hashed_shake128_avx2::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( - verification_key_serialized, - message, - context, - signature_serialized, - ) - } else if libcrux_platform::simd128_support() { - verify_pre_hashed_shake128_neon::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( - verification_key_serialized, - message, - context, - signature_serialized, - ) - } else { - instantiations::portable::verify_pre_hashed_shake128::< - ROWS_IN_A, - COLUMNS_IN_A, - ROWS_X_COLUMNS, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( - verification_key_serialized, - message, - context, - signature_serialized, - ) - } -} +parameter_set!(ml_dsa_44, "mldsa44"); +parameter_set!(ml_dsa_65, "mldsa65"); +parameter_set!(ml_dsa_87, "mldsa87"); diff --git a/macros/src/lib.rs b/macros/src/lib.rs index 595f5403a..d67f7aaa7 100644 --- a/macros/src/lib.rs +++ b/macros/src/lib.rs @@ -1,9 +1,8 @@ //! This is a collection of libcrux internal proc macros. use proc_macro::{Delimiter, TokenStream, TokenTree}; -use quote::quote; -use std::collections::HashMap; -use syn::{parse_macro_input, Attribute, Ident, ItemFn, Stmt}; +use quote::{format_ident, quote}; +use syn::{parse::Parser, parse_macro_input, ItemMod, LitInt, Token}; fn skip_comma>(ts: &mut T) { match ts.next() { @@ -50,92 +49,59 @@ pub fn unroll_for(ts: TokenStream) -> TokenStream { // "{ let i = 0; println!(\"FROM MACRO{}\", i); }".parse().unwrap() } -/// For an annotated function `f`, parse an attribute list of the type -/// ``` -/// #[consts( -/// variant_a{const X: usize = 4; const Y: usize = 4;}, -/// variant_b{const X: usize = 5; const Y: usize = 6;}, -/// ... -/// )] -/// ``` -/// and generate variants `f_variant_a`, `f_variant_b` of `f` with the given -/// constants injected into the function as constants. The variant -/// attribute lists can in turn contain attributes, -/// e.g. `#[cfg(feature = "variant_a")]`, which will be applied to the -/// generated function variant. +/// Annotation for a generic ML-DSA implementation, which pulls in +/// parameter-set specific constants. +/// +/// Given a list of parameter set identifiers, i.e. `44,65,87`, for +/// each identifier $id a feature-gated module `ml_dsa_$id` is generated, which +/// pulls in the parameter specific constants, assumed to be specified +/// in `crate::constants::ml_dsa_$id`. Further, type aliases for for +/// signing, and verification keys, whole keypairs and signatures are +/// created. #[proc_macro_attribute] -pub fn consts(args: TokenStream, item: TokenStream) -> TokenStream { - let ItemFn { +pub fn ml_dsa_parameter_sets(args: TokenStream, item: TokenStream) -> TokenStream { + let ItemMod { attrs, vis, - sig, - block, + content, + semi, .. - } = parse_macro_input!(item as ItemFn); - - let mut variants_map: HashMap = HashMap::new(); - - // Parse an attribute list of the type - // #[consts( - // v44{const X: usize = 4; const Y: usize = 4;}, - // v44{const X: usize = 4; const Y: usize = 4;}, - // )] - let parser = syn::meta::parser(|meta| { - let ident = meta.path.clone(); - - let content; - syn::braced!(content in meta.input); - - let mut const_vec = Vec::new(); - let mut attributes: Option> = None; - while !content.is_empty() { - // There may be a config flag here. - if let Ok(new_attributes) = Attribute::parse_outer(&content) { - if let Some(attributes) = &mut attributes { - attributes.extend(new_attributes); - } else { - attributes = Some(new_attributes); - } - } - - const_vec.push(content.parse::().unwrap()); - } - - variants_map.insert(quote! {#ident}.to_string(), (attributes, const_vec)); - Ok(()) - }); - parse_macro_input!(args with parser); + } = parse_macro_input!(item as ItemMod); + let variants_vec = syn::punctuated::Punctuated::::parse_terminated + .parse(args) + .unwrap(); let mut expanded = quote! {}; - for (variant, (attributes, consts)) in variants_map.iter() { - // add the variant at the end of the function name - let mut this_sig = sig.clone(); - this_sig.ident = Ident::new( - &format!("{}_{}", this_sig.ident, variant), - this_sig.ident.span(), - ); + for parameter_set in variants_vec { + let parameter_set_string = quote! {#parameter_set}.to_string(); + let feature_name = format!("mldsa{}", parameter_set_string); + let modpath = format_ident!("ml_dsa_{}", parameter_set_string); - let mut attribute_tokens = quote! {}; - if let Some(av) = attributes { - for a in av { - attribute_tokens.extend(quote! { - #a - }); - } - } + let sk_ident = format_ident!("MLDSA{}SigningKey", parameter_set_string); + let vk_ident = format_ident!("MLDSA{}VerificationKey", parameter_set_string); + let keypair_ident = format_ident!("MLDSA{}KeyPair", parameter_set_string); + let sig_ident = format_ident!("MLDSA{}Signature", parameter_set_string); - let fun = quote! { - #attribute_tokens + // add the variant at the end of the function name + if let Some((_, ref content)) = content { + let this_content = content.clone(); + let fun = quote! { #(#attrs)* - #vis #this_sig { - #(#consts)* - - #block - } - }; - expanded.extend(fun); + #[cfg(feature = #feature_name)] + #vis mod #modpath { + use crate::constants::#modpath::*; + + pub type #sk_ident = MLDSASigningKey; + pub type #vk_ident = MLDSAVerificationKey; + pub type #keypair_ident = MLDSAKeyPair; + pub type #sig_ident = MLDSASignature; + + #(#this_content)* + } #semi + }; + expanded.extend(fun); + } } - expanded.into() } From 70e05fc9a6d81ea0b718a7bf924ccc66da4f7c22 Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Tue, 7 Jan 2025 14:04:08 +0100 Subject: [PATCH 40/58] Some clippy lints --- libcrux-ml-dsa/src/encoding/error.rs | 5 ++--- libcrux-ml-dsa/src/hash_functions.rs | 12 ++++++------ libcrux-ml-dsa/src/ml_dsa_generic.rs | 16 ++++++++-------- .../src/ml_dsa_generic/multiplexing.rs | 1 - libcrux-ml-dsa/src/polynomial.rs | 2 +- .../rejection_sample/less_than_field_modulus.rs | 2 +- 6 files changed, 18 insertions(+), 20 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index 8d464ffe2..ad3aecbde 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -28,11 +28,10 @@ pub(crate) fn serialize( #[inline(always)] fn chunk_size(eta: Eta) -> usize { - let output_bytes_per_simd_unit = match eta { + match eta { Eta::Two => 3, Eta::Four => 4, - }; - output_bytes_per_simd_unit + } } #[inline(always)] diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index 1100fb11b..1dea67ca7 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs @@ -114,16 +114,16 @@ pub(crate) mod portable { #[inline(always)] fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake128X4 { let mut state0 = incremental::shake128_init(); - incremental::shake128_absorb_final(&mut state0, &input0); + incremental::shake128_absorb_final(&mut state0, input0); let mut state1 = incremental::shake128_init(); - incremental::shake128_absorb_final(&mut state1, &input1); + incremental::shake128_absorb_final(&mut state1, input1); let mut state2 = incremental::shake128_init(); - incremental::shake128_absorb_final(&mut state2, &input2); + incremental::shake128_absorb_final(&mut state2, input2); let mut state3 = incremental::shake128_init(); - incremental::shake128_absorb_final(&mut state3, &input3); + incremental::shake128_absorb_final(&mut state3, input3); Shake128X4 { state0, @@ -437,7 +437,7 @@ pub(crate) mod simd256 { #[inline(always)] fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake128x4 { let mut state = x4::incremental::init(); - x4::incremental::shake128_absorb_final(&mut state, &input0, &input1, &input2, &input3); + x4::incremental::shake128_absorb_final(&mut state, input0, input1, input2, input3); Shake128x4 { state } } @@ -583,7 +583,7 @@ pub(crate) mod simd256 { #[inline(always)] fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake256x4 { let mut state = x4::incremental::init(); - x4::incremental::shake256_absorb_final(&mut state, &input0, &input1, &input2, &input3); + x4::incremental::shake256_absorb_final(&mut state, input0, input1, input2, input3); Shake256x4 { state } } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index cbbc5b94c..c5476802a 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -178,7 +178,7 @@ pub(crate) mod generic { // Sample matrix A. let mut matrix = [PolynomialRingElement::::zero(); ROW_X_COLUMN]; - Sampler::matrix_flat::(COLUMNS_IN_A, &seed_for_a, &mut matrix); + Sampler::matrix_flat::(COLUMNS_IN_A, seed_for_a, &mut matrix); let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; derive_message_representative::( @@ -191,7 +191,7 @@ pub(crate) mod generic { let mut mask_seed = [0; MASK_SEED_SIZE]; { let mut shake = Shake256Xof::init(); - shake.absorb(&seed_for_signing); + shake.absorb(seed_for_signing); shake.absorb(&randomness); shake.absorb_final(&message_representative); @@ -415,7 +415,7 @@ pub(crate) mod generic { return Err(VerificationError::SignerResponseExceedsBoundError); } let mut matrix = [PolynomialRingElement::::zero(); ROW_X_COLUMN]; - Sampler::matrix_flat::(COLUMNS_IN_A, &seed_for_a, &mut matrix); + Sampler::matrix_flat::(COLUMNS_IN_A, seed_for_a, &mut matrix); let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; Shake256::shake256(verification_key, &mut verification_key_hash); @@ -554,10 +554,10 @@ pub(crate) mod generic { Err(_) => return Err(VerificationError::VerificationContextTooLongError), }; verify_internal::( - &verification_key_serialized, + verification_key_serialized, message, Some(domain_separation_context), - &signature_serialized, + signature_serialized, ) } @@ -585,10 +585,10 @@ pub(crate) mod generic { Err(_) => return Err(VerificationError::VerificationContextTooLongError), }; verify_internal::( - &verification_key_serialized, + verification_key_serialized, &pre_hashed_message, Some(domain_separation_context), - &signature_serialized, + signature_serialized, ) } } @@ -623,7 +623,7 @@ fn derive_message_representative( debug_assert!(verification_key_hash.len() == 64); let mut shake = Shake256Xof::init(); - shake.absorb(&verification_key_hash); + shake.absorb(verification_key_hash); if let Some(domain_separation_context) = domain_separation_context { shake.absorb(&[domain_separation_context.pre_hash_oid().is_some() as u8]); shake.absorb(&[domain_separation_context.context().len() as u8]); diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs index e759be57b..272e5508b 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs @@ -1,5 +1,4 @@ use super::*; -use libcrux_platform; macro_rules! parameter_set { ($parameter_module:ident, $feature:literal) => { diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index 50f48ad94..b62a45c66 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -22,7 +22,7 @@ impl PolynomialRingElement { cloop! { for (i, simd_unit) in self.simd_units.iter().enumerate() { - SIMDUnit::to_coefficient_array(&simd_unit, &mut result[i * COEFFICIENTS_IN_SIMD_UNIT..(i + 1) * COEFFICIENTS_IN_SIMD_UNIT]); + SIMDUnit::to_coefficient_array(simd_unit, &mut result[i * COEFFICIENTS_IN_SIMD_UNIT..(i + 1) * COEFFICIENTS_IN_SIMD_UNIT]); } } diff --git a/libcrux-ml-dsa/src/simd/avx2/rejection_sample/less_than_field_modulus.rs b/libcrux-ml-dsa/src/simd/avx2/rejection_sample/less_than_field_modulus.rs index 394fa211c..3d4a58749 100644 --- a/libcrux-ml-dsa/src/simd/avx2/rejection_sample/less_than_field_modulus.rs +++ b/libcrux-ml-dsa/src/simd/avx2/rejection_sample/less_than_field_modulus.rs @@ -9,7 +9,7 @@ fn bytestream_to_potential_coefficients(serialized: &[u8]) -> Vec256 { debug_assert_eq!(serialized.len(), 24); let mut serialized_extended = [0u8; 32]; - serialized_extended[..24].copy_from_slice(&serialized); + serialized_extended[..24].copy_from_slice(serialized); const COEFFICIENT_MASK: i32 = (1 << 23) - 1; From f63b107d39877fdad7817e58d9a74008173d7c7a Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Tue, 7 Jan 2025 14:32:03 +0100 Subject: [PATCH 41/58] Update F* extraction --- .../Libcrux_ml_dsa.Constants.V44.fsti | 13 - .../Libcrux_ml_dsa.Constants.V65.fsti | 13 - .../Libcrux_ml_dsa.Constants.V87.fsti | 13 - .../extraction/Libcrux_ml_dsa.Constants.fst | 27 + .../extraction/Libcrux_ml_dsa.Constants.fsti | 17 + .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst | 50 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst | 50 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst | 50 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst | 50 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti | 75 - .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst | 99 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst | 99 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst | 99 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst | 50 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti | 75 - .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst | 50 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst | 50 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst | 50 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst | 50 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti | 75 - ...neric.Instantiations.Avx2.Avx2_feature.fst | 99 - ...eric.Instantiations.Avx2.Avx2_feature.fsti | 74 - ...dsa.Ml_dsa_generic.Instantiations.Avx2.fst | 180 -- ...sa.Ml_dsa_generic.Instantiations.Avx2.fsti | 106 - ...dsa.Ml_dsa_generic.Instantiations.Neon.fst | 158 -- ...sa.Ml_dsa_generic.Instantiations.Neon.fsti | 92 - ...Ml_dsa_generic.Instantiations.Portable.fst | 162 -- ...l_dsa_generic.Instantiations.Portable.fsti | 91 - ...rux_ml_dsa.Ml_dsa_generic.Multiplexing.fst | 273 --- ...ux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti | 71 - .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 1702 ----------------- .../Libcrux_ml_dsa.Ml_dsa_generic.fsti | 254 --- 32 files changed, 479 insertions(+), 3838 deletions(-) delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V44.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V65.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V87.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V44.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V44.fsti deleted file mode 100644 index 0ac18ca06..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V44.fsti +++ /dev/null @@ -1,13 +0,0 @@ -module Libcrux_ml_dsa.Constants.V44 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 - -let v_COLUMNS_IN_A: usize = sz 4 - -let v_ETA: Libcrux_ml_dsa.Constants.t_Eta = - Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta - -let v_ROWS_IN_A: usize = sz 4 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V65.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V65.fsti deleted file mode 100644 index ff1b5d542..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V65.fsti +++ /dev/null @@ -1,13 +0,0 @@ -module Libcrux_ml_dsa.Constants.V65 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4 - -let v_COLUMNS_IN_A: usize = sz 5 - -let v_ETA: Libcrux_ml_dsa.Constants.t_Eta = - Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta - -let v_ROWS_IN_A: usize = sz 6 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V87.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V87.fsti deleted file mode 100644 index 5f0a77d63..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.V87.fsti +++ /dev/null @@ -1,13 +0,0 @@ -module Libcrux_ml_dsa.Constants.V87 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 - -let v_COLUMNS_IN_A: usize = sz 7 - -let v_ETA: Libcrux_ml_dsa.Constants.t_Eta = - Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta - -let v_ROWS_IN_A: usize = sz 8 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst index 4bd1b2888..2cb494125 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst @@ -8,9 +8,36 @@ let t_Eta_cast_to_repr (x: t_Eta) = | Eta_Two -> discriminant_Eta_Two | Eta_Four -> discriminant_Eta_Four +let beta (ones_in_verifier_challenge: usize) (eta: t_Eta) = + cast (ones_in_verifier_challenge *! (cast (t_Eta_cast_to_repr eta <: isize) <: usize) <: usize) + <: + i32 + +let commitment_ring_element_size (bits_per_commitment_coefficient: usize) = + (bits_per_commitment_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 + +let commitment_vector_size (bits_per_commitment_coefficient rows_in_a: usize) = + (commitment_ring_element_size bits_per_commitment_coefficient <: usize) *! rows_in_a + let error_ring_element_size (bits_per_error_coefficient: usize) = (bits_per_error_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 +let gamma1_ring_element_size (bits_per_gamma1_coefficient: usize) = + (bits_per_gamma1_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 + +let signature_size + (rows_in_a columns_in_a max_ones_in_hint commitment_hash_size bits_per_gamma1_coefficient: + usize) + = + ((commitment_hash_size +! + (columns_in_a *! (gamma1_ring_element_size bits_per_gamma1_coefficient <: usize) <: usize) + <: + usize) +! + max_ones_in_hint + <: + usize) +! + rows_in_a + let signing_key_size (rows_in_a columns_in_a error_ring_element_size: usize) = (((v_SEED_FOR_A_SIZE +! v_SEED_FOR_SIGNING_SIZE <: usize) +! v_BYTES_FOR_VERIFICATION_KEY_HASH <: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti index 0b03b8cd6..97e8a82d8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti @@ -58,9 +58,26 @@ let v_SEED_FOR_SIGNING_SIZE: usize = sz 32 /// Number of bytes of entropy required for signing. let v_SIGNING_RANDOMNESS_SIZE: usize = sz 32 +val beta (ones_in_verifier_challenge: usize) (eta: t_Eta) + : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val commitment_ring_element_size (bits_per_commitment_coefficient: usize) + : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +val commitment_vector_size (bits_per_commitment_coefficient rows_in_a: usize) + : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + val error_ring_element_size (bits_per_error_coefficient: usize) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) +val gamma1_ring_element_size (bits_per_gamma1_coefficient: usize) + : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +val signature_size + (rows_in_a columns_in_a max_ones_in_hint commitment_hash_size bits_per_gamma1_coefficient: + usize) + : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + val signing_key_size (rows_in_a columns_in_a error_ring_element_size: usize) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst index 36357eb9c..79969160b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst @@ -7,7 +7,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = let signing_key:t_Array u8 (sz 2560) = Rust_primitives.Hax.repeat 0uy (sz 2560) in let verification_key:t_Array u8 (sz 1312) = Rust_primitives.Hax.repeat 0uy (sz 1312) in let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair_v44 randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.generate_key_pair randomness signing_key verification_key in @@ -28,37 +28,53 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 4) (sz 4) (sz 16) (sz 2) (sz 96) - (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + randomness let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 16) - (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) - (sz 2420) (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) - message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 4) (sz 4) (sz 16) (sz 2420) (sz 1312) - (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 16) - (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst index 5d3071ea5..0bc3f9212 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst @@ -7,7 +7,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = let signing_key:t_Array u8 (sz 2560) = Rust_primitives.Hax.repeat 0uy (sz 2560) in let verification_key:t_Array u8 (sz 1312) = Rust_primitives.Hax.repeat 0uy (sz 1312) in let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v44 randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.generate_key_pair randomness signing_key verification_key in @@ -28,37 +28,53 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 4) (sz 4) (sz 16) (sz 2) (sz 96) - (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + randomness let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 16) - (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) - (sz 2420) (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) - message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 4) (sz 4) (sz 16) (sz 2420) (sz 1312) - (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 16) - (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst index 7dd744603..b4ff49a2e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst @@ -7,7 +7,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = let signing_key:t_Array u8 (sz 2560) = Rust_primitives.Hax.repeat 0uy (sz 2560) in let verification_key:t_Array u8 (sz 1312) = Rust_primitives.Hax.repeat 0uy (sz 1312) in let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v44 randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.generate_key_pair randomness signing_key verification_key in @@ -28,39 +28,53 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 4) (sz 4) (sz 16) (sz 2) (sz 96) - (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + randomness let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 4) (sz 4) - (sz 16) (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) - (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 4) (sz 4) (sz 16) (sz 2420) - (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 4) (sz 4) - (sz 16) (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) - (sz 80) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) - message context + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst index 4259c747c..f3364bb9a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst @@ -7,7 +7,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = let signing_key:t_Array u8 (sz 2560) = Rust_primitives.Hax.repeat 0uy (sz 2560) in let verification_key:t_Array u8 (sz 1312) = Rust_primitives.Hax.repeat 0uy (sz 1312) in let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair_v44 randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.generate_key_pair randomness signing_key verification_key in @@ -28,37 +28,53 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 4) (sz 4) (sz 16) (sz 2) (sz 96) (sz 17) - 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.sign (Libcrux_ml_dsa.Types.impl__as_ref (sz + 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + randomness let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 16) (sz 2) - (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 4) (sz 4) (sz 16) (sz 2420) (sz 1312) - (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref ( + sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 16) - (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti index 19875b932..eb77b98a4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti @@ -3,81 +3,6 @@ module Libcrux_ml_dsa.Ml_dsa_44_ open Core open FStar.Mul -let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 6 - -let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 - -let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 18 - -let v_COLUMNS_IN_A: usize = sz 4 - -let v_COMMITMENT_HASH_SIZE: usize = sz 32 - -let v_COMMITMENT_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - <: - usize) /! - sz 8 - -let v_ERROR_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - sz 8 - -let v_ETA: usize = sz 2 - -let v_GAMMA1_EXPONENT: usize = sz 17 - -let v_GAMMA1_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize - ) /! - sz 8 - -let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 88l - -let v_MAX_ONES_IN_HINT: usize = sz 80 - -let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 39 - -let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 - -let v_ROWS_IN_A: usize = sz 4 - -let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A - -let v_ROWS_X_COLUMNS: usize = v_ROWS_IN_A *! v_COLUMNS_IN_A - -let v_SIGNATURE_SIZE: usize = - ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! - v_MAX_ONES_IN_HINT - <: - usize) +! - v_ROWS_IN_A - -let v_SIGNING_KEY_SIZE: usize = - (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE - <: - usize) +! - Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH - <: - usize) +! - ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) - <: - usize) +! - (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) - -let v_VERIFICATION_KEY_SIZE: usize = - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! - (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! - (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! - Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T - <: - usize) - <: - usize) /! - sz 8 - <: - usize) - /// Generate an ML-DSA 44 Key Pair /// Generate an ML-DSA key pair. The input is a byte array of size /// [`KEY_GENERATION_RANDOMNESS_SIZE`]. diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst index dd13a28ce..8a7ec8559 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst @@ -4,82 +4,77 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = - { - Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__zero (sz 4032) (); - Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.impl_2__zero (sz 1952) () - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) - in + let signing_key:t_Array u8 (sz 4032) = Rust_primitives.Hax.repeat 0uy (sz 4032) in + let verification_key:t_Array u8 (sz 1952) = Rust_primitives.Hax.repeat 0uy (sz 1952) in let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair_v65 randomness - kp.Libcrux_ml_dsa.Types.f_signing_key.Libcrux_ml_dsa.Types.f_value - kp.Libcrux_ml_dsa.Types.f_verification_key.Libcrux_ml_dsa.Types.f_value - in - let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = - { - kp with - Libcrux_ml_dsa.Types.f_signing_key - = - { kp.Libcrux_ml_dsa.Types.f_signing_key with Libcrux_ml_dsa.Types.f_value = tmp0 } - <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) - in - let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = - { - kp with - Libcrux_ml_dsa.Types.f_verification_key - = - { kp.Libcrux_ml_dsa.Types.f_verification_key with Libcrux_ml_dsa.Types.f_value = tmp1 } - <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.generate_key_pair randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in let _:Prims.unit = () in - kp + { + Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4032) signing_key; + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.impl_2__new (sz 1952) verification_key + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 6) (sz 5) (sz 30) (sz 4) (sz 128) - (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + randomness let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 30) - (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) - (sz 3309) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) - message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 6) (sz 5) (sz 30) (sz 3309) (sz 1952) - (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 30) - (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst index 4d3b60483..d3978ab3b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst @@ -4,82 +4,77 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = - { - Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__zero (sz 4032) (); - Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.impl_2__zero (sz 1952) () - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) - in + let signing_key:t_Array u8 (sz 4032) = Rust_primitives.Hax.repeat 0uy (sz 4032) in + let verification_key:t_Array u8 (sz 1952) = Rust_primitives.Hax.repeat 0uy (sz 1952) in let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v65 randomness - kp.Libcrux_ml_dsa.Types.f_signing_key.Libcrux_ml_dsa.Types.f_value - kp.Libcrux_ml_dsa.Types.f_verification_key.Libcrux_ml_dsa.Types.f_value - in - let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = - { - kp with - Libcrux_ml_dsa.Types.f_signing_key - = - { kp.Libcrux_ml_dsa.Types.f_signing_key with Libcrux_ml_dsa.Types.f_value = tmp0 } - <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) - in - let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = - { - kp with - Libcrux_ml_dsa.Types.f_verification_key - = - { kp.Libcrux_ml_dsa.Types.f_verification_key with Libcrux_ml_dsa.Types.f_value = tmp1 } - <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.generate_key_pair randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in let _:Prims.unit = () in - kp + { + Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4032) signing_key; + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.impl_2__new (sz 1952) verification_key + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 6) (sz 5) (sz 30) (sz 4) (sz 128) - (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + randomness let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 30) - (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) - (sz 3309) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) - message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 6) (sz 5) (sz 30) (sz 3309) (sz 1952) - (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 30) - (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst index eb7539a48..986c8e0b0 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst @@ -4,84 +4,77 @@ open Core open FStar.Mul let generate_key_pair (randomness: t_Array u8 (sz 32)) = - let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = - { - Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__zero (sz 4032) (); - Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.impl_2__zero (sz 1952) () - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) - in + let signing_key:t_Array u8 (sz 4032) = Rust_primitives.Hax.repeat 0uy (sz 4032) in + let verification_key:t_Array u8 (sz 1952) = Rust_primitives.Hax.repeat 0uy (sz 1952) in let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v65 randomness - kp.Libcrux_ml_dsa.Types.f_signing_key.Libcrux_ml_dsa.Types.f_value - kp.Libcrux_ml_dsa.Types.f_verification_key.Libcrux_ml_dsa.Types.f_value - in - let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = - { - kp with - Libcrux_ml_dsa.Types.f_signing_key - = - { kp.Libcrux_ml_dsa.Types.f_signing_key with Libcrux_ml_dsa.Types.f_value = tmp0 } - <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) - in - let kp:Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) = - { - kp with - Libcrux_ml_dsa.Types.f_verification_key - = - { kp.Libcrux_ml_dsa.Types.f_verification_key with Libcrux_ml_dsa.Types.f_value = tmp1 } - <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.generate_key_pair randomness + signing_key + verification_key in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in let _:Prims.unit = () in - kp + { + Libcrux_ml_dsa.Types.f_signing_key = Libcrux_ml_dsa.Types.impl__new (sz 4032) signing_key; + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.impl_2__new (sz 1952) verification_key + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 6) (sz 5) (sz 30) (sz 4) (sz 128) - (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + randomness let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 6) (sz 5) - (sz 30) (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) - (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 6) (sz 5) (sz 30) (sz 3309) - (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 6) (sz 5) - (sz 30) (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) - (sz 55) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) - message context + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst index 12929b739..04a7f4adc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst @@ -7,7 +7,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = let signing_key:t_Array u8 (sz 4032) = Rust_primitives.Hax.repeat 0uy (sz 4032) in let verification_key:t_Array u8 (sz 1952) = Rust_primitives.Hax.repeat 0uy (sz 1952) in let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair_v65 randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.generate_key_pair randomness signing_key verification_key in @@ -28,37 +28,53 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 6) (sz 5) (sz 30) (sz 4) (sz 128) (sz 19) - 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.sign (Libcrux_ml_dsa.Types.impl__as_ref (sz + 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + randomness let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 30) (sz 4) - (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 6) (sz 5) (sz 30) (sz 3309) (sz 1952) - (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref ( + sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 30) - (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti index 46a9a2ac0..d7b76e429 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti @@ -3,81 +3,6 @@ module Libcrux_ml_dsa.Ml_dsa_65_ open Core open FStar.Mul -let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 - -let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4 - -let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 - -let v_COLUMNS_IN_A: usize = sz 5 - -let v_COMMITMENT_HASH_SIZE: usize = sz 48 - -let v_COMMITMENT_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - <: - usize) /! - sz 8 - -let v_ERROR_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - sz 8 - -let v_ETA: usize = sz 4 - -let v_GAMMA1_EXPONENT: usize = sz 19 - -let v_GAMMA1_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize - ) /! - sz 8 - -let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l - -let v_MAX_ONES_IN_HINT: usize = sz 55 - -let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 49 - -let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 - -let v_ROWS_IN_A: usize = sz 6 - -let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A - -let v_ROWS_X_COLUMNS: usize = v_ROWS_IN_A *! v_COLUMNS_IN_A - -let v_SIGNATURE_SIZE: usize = - ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! - v_MAX_ONES_IN_HINT - <: - usize) +! - v_ROWS_IN_A - -let v_SIGNING_KEY_SIZE: usize = - (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE - <: - usize) +! - Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH - <: - usize) +! - ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) - <: - usize) +! - (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) - -let v_VERIFICATION_KEY_SIZE: usize = - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! - (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! - (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! - Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T - <: - usize) - <: - usize) /! - sz 8 - <: - usize) - /// Generate an ML-DSA 65 Key Pair /// Generate an ML-DSA key pair. The input is a byte array of size /// [`KEY_GENERATION_RANDOMNESS_SIZE`]. diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst index 7faac1a9e..0a4c40f8d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst @@ -7,7 +7,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = let signing_key:t_Array u8 (sz 4896) = Rust_primitives.Hax.repeat 0uy (sz 4896) in let verification_key:t_Array u8 (sz 2592) = Rust_primitives.Hax.repeat 0uy (sz 2592) in let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair_v87 randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.generate_key_pair randomness signing_key verification_key in @@ -28,37 +28,53 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 8) (sz 7) (sz 56) (sz 2) (sz 96) - (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + randomness let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 56) - (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) - (sz 4627) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) - message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 8) (sz 7) (sz 56) (sz 4627) (sz 2592) - (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 56) - (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst index 9dc288ca6..401110e07 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst @@ -7,7 +7,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = let signing_key:t_Array u8 (sz 4896) = Rust_primitives.Hax.repeat 0uy (sz 4896) in let verification_key:t_Array u8 (sz 2592) = Rust_primitives.Hax.repeat 0uy (sz 2592) in let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v87 randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.generate_key_pair randomness signing_key verification_key in @@ -28,37 +28,53 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 8) (sz 7) (sz 56) (sz 2) (sz 96) - (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + randomness let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 56) - (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) - (sz 4627) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) - message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 8) (sz 7) (sz 56) (sz 4627) (sz 2592) - (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 56) - (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst index d21986579..ddb5ccee2 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst @@ -7,7 +7,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = let signing_key:t_Array u8 (sz 4896) = Rust_primitives.Hax.repeat 0uy (sz 4896) in let verification_key:t_Array u8 (sz 2592) = Rust_primitives.Hax.repeat 0uy (sz 2592) in let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v87 randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.generate_key_pair randomness signing_key verification_key in @@ -28,39 +28,53 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 8) (sz 7) (sz 56) (sz 2) (sz 96) - (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + randomness let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 8) (sz 7) - (sz 56) (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) - (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 8) (sz 7) (sz 56) (sz 4627) - (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 8) (sz 7) - (sz 56) (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) - (sz 75) (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) - message context + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst index f15dd3783..856f9a4bc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst @@ -7,7 +7,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = let signing_key:t_Array u8 (sz 4896) = Rust_primitives.Hax.repeat 0uy (sz 4896) in let verification_key:t_Array u8 (sz 2592) = Rust_primitives.Hax.repeat 0uy (sz 2592) in let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair_v87 randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.generate_key_pair randomness signing_key verification_key in @@ -28,37 +28,53 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 8) (sz 7) (sz 56) (sz 2) (sz 96) (sz 19) - 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.sign (Libcrux_ml_dsa.Types.impl__as_ref (sz + 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + randomness let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 56) (sz 2) - (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message - context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + randomness let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 8) (sz 7) (sz 56) (sz 4627) (sz 2592) - (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref ( + sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 56) - (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti index 582c13b5e..2dbf4d427 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti @@ -3,81 +3,6 @@ module Libcrux_ml_dsa.Ml_dsa_87_ open Core open FStar.Mul -let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 - -let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 - -let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 - -let v_COLUMNS_IN_A: usize = sz 7 - -let v_COMMITMENT_HASH_SIZE: usize = sz 64 - -let v_COMMITMENT_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - <: - usize) /! - sz 8 - -let v_ERROR_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - sz 8 - -let v_ETA: usize = sz 2 - -let v_GAMMA1_EXPONENT: usize = sz 19 - -let v_GAMMA1_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize - ) /! - sz 8 - -let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l - -let v_MAX_ONES_IN_HINT: usize = sz 75 - -let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 60 - -let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 - -let v_ROWS_IN_A: usize = sz 8 - -let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A - -let v_ROWS_X_COLUMNS: usize = v_ROWS_IN_A *! v_COLUMNS_IN_A - -let v_SIGNATURE_SIZE: usize = - ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! - v_MAX_ONES_IN_HINT - <: - usize) +! - v_ROWS_IN_A - -let v_SIGNING_KEY_SIZE: usize = - (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE - <: - usize) +! - Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH - <: - usize) +! - ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) - <: - usize) +! - (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) - -let v_VERIFICATION_KEY_SIZE: usize = - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! - (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! - (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! - Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T - <: - usize) - <: - usize) /! - sz 8 - <: - usize) - /// Generate an ML-DSA 87 Key Pair /// Generate an ML-DSA key pair. The input is a byte array of size /// [`KEY_GENERATION_RANDOMNESS_SIZE`]. diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst deleted file mode 100644 index 26a7dcb2f..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst +++ /dev/null @@ -1,99 +0,0 @@ -module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in - let open Libcrux_ml_dsa.Hash_functions.Shake128 in - let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Hash_functions.Simd256 in - let open Libcrux_ml_dsa.Pre_hash in - let open Libcrux_ml_dsa.Samplex4 in - let open Libcrux_ml_dsa.Samplex4.Avx2 in - let open Libcrux_ml_dsa.Simd.Avx2 in - let open Libcrux_ml_dsa.Simd.Traits in - () - -let sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS - v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context - randomness - -let sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE - v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE - v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context - randomness - -let verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - = - Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A - v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - verification_key message context signature - -let verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - = - Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE - v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti deleted file mode 100644 index 7e8486fde..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti +++ /dev/null @@ -1,74 +0,0 @@ -module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in - let open Libcrux_ml_dsa.Hash_functions.Shake128 in - let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Hash_functions.Simd256 in - let open Libcrux_ml_dsa.Pre_hash in - let open Libcrux_ml_dsa.Samplex4 in - let open Libcrux_ml_dsa.Samplex4.Avx2 in - let open Libcrux_ml_dsa.Simd.Avx2 in - let open Libcrux_ml_dsa.Simd.Traits in - () - -/// Sign. -val sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -/// Sign (pre-hashed). -val sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -/// Verify. -val verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst deleted file mode 100644 index e2b4c9833..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst +++ /dev/null @@ -1,180 +0,0 @@ -module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in - let open Libcrux_ml_dsa.Hash_functions.Shake128 in - let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Hash_functions.Simd256 in - let open Libcrux_ml_dsa.Samplex4 in - let open Libcrux_ml_dsa.Samplex4.Avx2 in - let open Libcrux_ml_dsa.Simd.Avx2 in - let open Libcrux_ml_dsa.Simd.Traits in - () - -let generate_key_pair_v44___inner - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v44 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 - randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v44 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - generate_key_pair_v44___inner randomness signing_key verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v65___inner - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v65 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 - randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v65 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - generate_key_pair_v65___inner randomness signing_key verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v87___inner - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v87 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 - randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v87 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - generate_key_pair_v87___inner randomness signing_key verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.sign v_ROWS_IN_A v_COLUMNS_IN_A - v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE - v_SIGNATURE_SIZE signing_key message context randomness - -let sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.sign_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE - v_SIGNATURE_SIZE signing_key message context randomness - -let verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.verify v_ROWS_IN_A v_COLUMNS_IN_A - v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - verification_key message context signature - -let verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.verify_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti deleted file mode 100644 index 17a043f5b..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti +++ /dev/null @@ -1,106 +0,0 @@ -module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in - let open Libcrux_ml_dsa.Hash_functions.Shake128 in - let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Hash_functions.Simd256 in - let open Libcrux_ml_dsa.Samplex4 in - let open Libcrux_ml_dsa.Samplex4.Avx2 in - let open Libcrux_ml_dsa.Simd.Avx2 in - let open Libcrux_ml_dsa.Simd.Traits in - () - -val generate_key_pair_v44___inner - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate key pair. -val generate_key_pair_v44 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val generate_key_pair_v65___inner - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate key pair. -val generate_key_pair_v65 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val generate_key_pair_v87___inner - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate key pair. -val generate_key_pair_v87 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Sign. -val sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -/// Sign (pre-hashed). -val sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -/// Verify. -val verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst deleted file mode 100644 index 87e488d17..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst +++ /dev/null @@ -1,158 +0,0 @@ -module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Neon in - let open Libcrux_ml_dsa.Hash_functions.Portable in - let open Libcrux_ml_dsa.Hash_functions.Shake128 in - let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Pre_hash in - let open Libcrux_ml_dsa.Samplex4 in - let open Libcrux_ml_dsa.Samplex4.Neon in - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () - -let generate_key_pair_v44 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v44 #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 - randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v65 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v65 #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 - randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v87 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v87 #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 - randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS - v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context - randomness - -let sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) - v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT - v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE - v_SIGNATURE_SIZE signing_key message context randomness - -let verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - = - Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A - v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - verification_key message context signature - -let verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - = - Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE - v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti deleted file mode 100644 index a4c8557fe..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti +++ /dev/null @@ -1,92 +0,0 @@ -module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Neon in - let open Libcrux_ml_dsa.Hash_functions.Portable in - let open Libcrux_ml_dsa.Hash_functions.Shake128 in - let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Pre_hash in - let open Libcrux_ml_dsa.Samplex4 in - let open Libcrux_ml_dsa.Samplex4.Neon in - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () - -/// Generate key pair. -val generate_key_pair_v44 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate key pair. -val generate_key_pair_v65 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate key pair. -val generate_key_pair_v87 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Sign. -val sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -/// Sign (pre-hashed). -val sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -/// Verify. -val verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst deleted file mode 100644 index 4dbc08d0e..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst +++ /dev/null @@ -1,162 +0,0 @@ -module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in - let open Libcrux_ml_dsa.Hash_functions.Shake128 in - let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Pre_hash in - let open Libcrux_ml_dsa.Samplex4 in - let open Libcrux_ml_dsa.Samplex4.Portable in - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () - -let generate_key_pair_v44 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v44 #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 - randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v65 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v65 #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 - randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v87 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair_v87 #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 - randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS - v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context - randomness - -let sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE - v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE - v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context - randomness - -let verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - = - Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A - v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - verification_key message context signature - -let verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - = - Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE - v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti deleted file mode 100644 index 78642deb3..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti +++ /dev/null @@ -1,91 +0,0 @@ -module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in - let open Libcrux_ml_dsa.Hash_functions.Shake128 in - let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Pre_hash in - let open Libcrux_ml_dsa.Samplex4 in - let open Libcrux_ml_dsa.Samplex4.Portable in - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () - -/// Generate key pair. -val generate_key_pair_v44 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate key pair. -val generate_key_pair_v65 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate key pair. -val generate_key_pair_v87 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Sign. -val sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -/// Sign (pre-hashed). -val sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -/// Verify. -val verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst deleted file mode 100644 index 5b396ef69..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst +++ /dev/null @@ -1,273 +0,0 @@ -module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let generate_key_pair_v44 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let (signing_key, verification_key), hax_temp_output:((t_Slice u8 & t_Slice u8) & Prims.unit) = - if Libcrux_platform.Platform.simd256_support () - then - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v44 randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () - <: - ((t_Slice u8 & t_Slice u8) & Prims.unit) - else - if Libcrux_platform.Platform.simd128_support () - then - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v44 randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () - <: - ((t_Slice u8 & t_Slice u8) & Prims.unit) - else - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v44 randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () - <: - ((t_Slice u8 & t_Slice u8) & Prims.unit) - in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v65 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let (signing_key, verification_key), hax_temp_output:((t_Slice u8 & t_Slice u8) & Prims.unit) = - if Libcrux_platform.Platform.simd256_support () - then - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v65 randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () - <: - ((t_Slice u8 & t_Slice u8) & Prims.unit) - else - if Libcrux_platform.Platform.simd128_support () - then - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v65 randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () - <: - ((t_Slice u8 & t_Slice u8) & Prims.unit) - else - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v65 randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () - <: - ((t_Slice u8 & t_Slice u8) & Prims.unit) - in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v87 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let (signing_key, verification_key), hax_temp_output:((t_Slice u8 & t_Slice u8) & Prims.unit) = - if Libcrux_platform.Platform.simd256_support () - then - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v87 randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () - <: - ((t_Slice u8 & t_Slice u8) & Prims.unit) - else - if Libcrux_platform.Platform.simd128_support () - then - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair_v87 randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () - <: - ((t_Slice u8 & t_Slice u8) & Prims.unit) - else - let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair_v87 randomness - signing_key - verification_key - in - let signing_key:t_Slice u8 = tmp0 in - let verification_key:t_Slice u8 = tmp1 in - let _:Prims.unit = () in - (signing_key, verification_key <: (t_Slice u8 & t_Slice u8)), () - <: - ((t_Slice u8 & t_Slice u8) & Prims.unit) - in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - if Libcrux_platform.Platform.simd256_support () - then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign v_ROWS_IN_A v_COLUMNS_IN_A - v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE - v_SIGNATURE_SIZE signing_key message context randomness - else - if Libcrux_platform.Platform.simd128_support () - then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign v_ROWS_IN_A v_COLUMNS_IN_A - v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE - v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness - else - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign v_ROWS_IN_A v_COLUMNS_IN_A - v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE - v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness - -let sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - if Libcrux_platform.Platform.simd256_support () - then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE - v_SIGNATURE_SIZE signing_key message context randomness - else - if Libcrux_platform.Platform.simd128_support () - then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE - v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness - else - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE - v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness - -let verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - = - if Libcrux_platform.Platform.simd256_support () - then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify v_ROWS_IN_A v_COLUMNS_IN_A - v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized - else - if Libcrux_platform.Platform.simd128_support () - then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify v_ROWS_IN_A v_COLUMNS_IN_A - v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized - else - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify v_ROWS_IN_A v_COLUMNS_IN_A - v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized - -let verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - = - if Libcrux_platform.Platform.simd256_support () - then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized - else - if Libcrux_platform.Platform.simd128_support () - then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized - else - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 v_ROWS_IN_A - v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti deleted file mode 100644 index a7bfdaf2a..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti +++ /dev/null @@ -1,71 +0,0 @@ -module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -val generate_key_pair_v44 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val generate_key_pair_v65 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val generate_key_pair_v87 - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val verify - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) - -val verify_pre_hashed_shake128 - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index c9a3bdca6..b39dcc686 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst @@ -6,12 +6,7 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Polynomial in - let open Libcrux_ml_dsa.Pre_hash in - let open Libcrux_ml_dsa.Samplex4 in - let open Libcrux_ml_dsa.Simd.Traits in () let derive_message_representative @@ -127,1700 +122,3 @@ let derive_message_representative let message_representative:t_Array u8 (sz 64) = tmp1 in let _:Prims.unit = () in message_representative - -let sign_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message: t_Slice u8) - (domain_separation_context: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (randomness: t_Array u8 (sz 32)) - = - let eta:Libcrux_ml_dsa.Constants.t_Eta = - match cast (v_ETA <: usize) <: u8 with - | 2uy -> Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta - | 4uy -> Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in - let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (signing_key <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE - in - let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH - in - let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - (v_ERROR_RING_ELEMENT_SIZE *! v_COLUMNS_IN_A <: usize) - in - let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - (v_ERROR_RING_ELEMENT_SIZE *! v_ROWS_IN_A <: usize) - in - let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A - in - let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A - in - let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A - in - let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit - eta - v_ERROR_RING_ELEMENT_SIZE - s1_serialized - s1_as_ntt - in - let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit - eta - v_ERROR_RING_ELEMENT_SIZE - s2_serialized - s2_as_ntt - in - let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt - in - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_X_COLUMNS - = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_X_COLUMNS - in - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_X_COLUMNS - = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - v_COLUMNS_IN_A - seed_for_a - matrix - in - let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let message_representative:t_Array u8 (sz 64) = - derive_message_representative #v_Shake256Xof - verification_key_hash - domain_separation_context - message - message_representative - in - let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - seed_for_signing - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - mask_seed - in - let shake:v_Shake256Xof = tmp0 in - let mask_seed:t_Array u8 (sz 64) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let (domain_separator_for_mask: u16):u16 = 0us in - let beta:i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 in - let attempt:usize = sz 0 in - let commitment_hash:Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) = - Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) - in - let signer_response:Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = - Core.Option.Option_None - <: - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - in - let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) = - Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) - in - let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & - Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & - u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) = - Rust_primitives.f_while_loop (fun temp_0_ -> - let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & - Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & - u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) - = - temp_0_ - in - attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) - (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response - <: - (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A))) - (fun temp_0_ -> - let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & - Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & - u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) - = - temp_0_ - in - let attempt:usize = attempt +! sz 1 in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A - in - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A - = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A - in - let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A - in - let tmp0, tmp1:(u16 & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = - Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit - #v_Shake256 - #v_Shake256X4 - v_COLUMNS_IN_A - v_GAMMA1_EXPONENT - mask_seed - domain_separator_for_mask - mask - in - let domain_separator_for_mask:u16 = tmp0 in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - tmp1 - in - let _:Prims.unit = () in - let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A - in - let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - #FStar.Tactics.Typeclasses.solve - mask - in - let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (mask_ntt - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - usize) - (fun mask_ntt temp_1_ -> - let mask_ntt:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - mask_ntt - in - let _:usize = temp_1_ in - true) - mask_ntt - (fun mask_ntt i -> - let mask_ntt:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - mask_ntt - in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (mask_ntt.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A) - in - let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit - v_ROWS_IN_A - v_COLUMNS_IN_A - (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - a_x_mask - in - let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = - Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit - v_ROWS_IN_A - v_GAMMA2 - (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - w0 - commitment - in - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A - = - tmp0 - in - let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A = - tmp1 - in - let _:Prims.unit = () in - let _:Prims.unit = () in - let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = - Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE - in - let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = - Rust_primitives.Hax.repeat 0uy v_COMMITMENT_VECTOR_SIZE - in - let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = - Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit - v_COMMITMENT_RING_ELEMENT_SIZE - (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - commitment_serialized - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (commitment_serialized <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 v_COMMITMENT_HASH_SIZE) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - commitment_hash_candidate - in - let shake:v_Shake256Xof = tmp0 in - let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit - #v_Shake256 - (commitment_hash_candidate <: t_Slice u8) - v_ONES_IN_VERIFIER_CHALLENGE - verifier_challenge - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge - in - let challenge_times_s1:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - #FStar.Tactics.Typeclasses.solve - s1_as_ntt - in - let challenge_times_s2:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - #FStar.Tactics.Typeclasses.solve - s2_as_ntt - in - let challenge_times_s1:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - challenge_times_s1 - verifier_challenge - in - let challenge_times_s2:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - challenge_times_s2 - verifier_challenge - in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit - v_COLUMNS_IN_A - mask - (challenge_times_s1 - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A - = - Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit - v_ROWS_IN_A - w0 - (challenge_times_s2 - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - ((1l <. v_MAX_ONES_IN_HINT - then - attempt, commitment_hash, domain_separator_for_mask, hint, signer_response - <: - (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A)) - else - let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in - let commitment_hash:Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) = - Core.Option.Option_Some commitment_hash_candidate - <: - Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) - in - let signer_response:Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A) = - Core.Option.Option_Some mask - <: - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A) - in - let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) = - Core.Option.Option_Some hint_candidate - <: - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) - in - attempt, commitment_hash, domain_separator_for_mask, hint, signer_response - <: - (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A))) - in - match commitment_hash <: Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) with - | Core.Option.Option_Some commitment_hash -> - let commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = commitment_hash in - (match - signer_response - <: - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - with - | Core.Option.Option_Some signer_response -> - let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - signer_response - in - (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) with - | Core.Option.Option_Some hint -> - let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = hint in - let signature:t_Array u8 v_SIGNATURE_SIZE = - Rust_primitives.Hax.repeat 0uy v_SIGNATURE_SIZE - in - let signature:t_Array u8 v_SIGNATURE_SIZE = - Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit - (commitment_hash <: t_Slice u8) - (signer_response - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (hint <: t_Slice (t_Array i32 (sz 256))) v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A - v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT - signature - in - Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new v_SIGNATURE_SIZE signature) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError - <: - Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError - <: - Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError - ) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError - -let sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) - <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT - v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE - v_SIGNATURE_SIZE signing_key message - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - | Core.Result.Result_Err _ -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError - -let sign_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: - Type0) - (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i13: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i14: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i15: - Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN - then - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError - else - let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH - #v_PH_DIGEST_LEN - #FStar.Tactics.Typeclasses.solve - #v_Shake128 - message - in - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_Some - (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () - <: - t_Array u8 (sz 11)) - <: - Core.Option.t_Option (t_Array u8 (sz 11))) - <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE - v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE - v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key - (pre_hashed_message <: t_Slice u8) - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - | Core.Result.Result_Err _ -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError - -let verify_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message: t_Slice u8) - (domain_separation_context: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - = - let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (verification_key <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A - in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit - v_ROWS_IN_A - v_VERIFICATION_KEY_SIZE - t1_serialized - t1 - in - let deserialized_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = - Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE - in - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A - in - let deserialized_hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) - v_ROWS_IN_A - in - let tmp0, tmp1, tmp2, out:(t_Array u8 v_COMMITMENT_HASH_SIZE & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & - t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit v_COLUMNS_IN_A v_ROWS_IN_A - v_COMMITMENT_HASH_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT - v_SIGNATURE_SIZE (signature_serialized <: t_Slice u8) deserialized_commitment_hash - deserialized_signer_response deserialized_hint - in - let deserialized_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp0 in - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - tmp1 - in - let deserialized_hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = tmp2 in - match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with - | Core.Result.Result_Ok _ -> - let _:Prims.unit = () <: Prims.unit in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - (deserialized_signer_response - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - ((2l < - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - deserialized_signer_response - in - let _:usize = temp_1_ in - true) - deserialized_signer_response - (fun deserialized_signer_response i -> - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - deserialized_signer_response - in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (deserialized_signer_response.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit - v_ROWS_IN_A - v_COLUMNS_IN_A - (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (deserialized_signer_response - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - verifier_challenge - t1 - in - let recomputed_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = - Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE - in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit - v_GAMMA2 - (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) - t1 - in - let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = - Rust_primitives.Hax.repeat 0uy v_COMMITMENT_VECTOR_SIZE - in - let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = - Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit - v_COMMITMENT_RING_ELEMENT_SIZE - (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - commitment_serialized - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (commitment_serialized <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 v_COMMITMENT_HASH_SIZE) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - recomputed_commitment_hash - in - let shake:v_Shake256Xof = tmp0 in - let recomputed_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - if deserialized_commitment_hash =. recomputed_commitment_hash - then - Core.Result.Result_Ok (() <: Prims.unit) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - else - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError - <: - Libcrux_ml_dsa.Types.t_VerificationError) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - | Core.Result.Result_Err e -> - Core.Result.Result_Err e - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - -let verify - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - = - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) - <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - verify_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A - v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT verification_key_serialized message - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized - | Core.Result.Result_Err _ -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError - <: - Libcrux_ml_dsa.Types.t_VerificationError) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - -let verify_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) - (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i13: - Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - = - let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH - #v_PH_DIGEST_LEN - #FStar.Tactics.Typeclasses.solve - #v_Shake128 - message - in - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_Some - (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () - <: - t_Array u8 (sz 11)) - <: - Core.Option.t_Option (t_Array u8 (sz 11))) - <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - verify_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A - v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT verification_key_serialized (pre_hashed_message <: t_Slice u8) - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized - | Core.Result.Result_Err _ -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError - <: - Libcrux_ml_dsa.Types.t_VerificationError) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - -let generate_key_pair_v44 - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. - generate_key_pair_v44__SIGNING_KEY_SIZE - <: - bool) - in - () - in - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. - generate_key_pair_v44__VERIFICATION_KEY_SIZE - <: - bool) - in - () - in - let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - ((let list = - [ - cast (generate_key_pair_v44__ROWS_IN_A <: usize) <: u8; - cast (generate_key_pair_v44__COLUMNS_IN_A <: usize) <: u8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list) - <: - t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - seed_expanded - in - let shake:v_Shake256Xof = tmp0 in - let seed_expanded:t_Array u8 (sz 128) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (seed_expanded <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - seed_expanded - Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE - in - let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 16) - in - let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - generate_key_pair_v44__COLUMNS_IN_A - seed_for_a - a_as_ntt - in - let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) - in - let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit - #v_Shake256X4 - generate_key_pair_v44__ETA - seed_for_error_vectors - s1_s2 - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - s1_ntt - (s1_s2.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = generate_key_pair_v44__COLUMNS_IN_A - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - usize) - (fun s1_ntt temp_1_ -> - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - s1_ntt - in - let _:usize = temp_1_ in - true) - s1_ntt - (fun s1_ntt i -> - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - s1_ntt - in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit - generate_key_pair_v44__ROWS_IN_A - generate_key_pair_v44__COLUMNS_IN_A - (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - t0 - in - let _:Prims.unit = () in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) - in - let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = - Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp0 in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp1 in - let _:Prims.unit = () in - let verification_key:t_Slice u8 = - Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit - seed_for_a - (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - verification_key - in - let signing_key:t_Slice u8 = - Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 - generate_key_pair_v44__ETA generate_key_pair_v44__ERROR_RING_ELEMENT_SIZE seed_for_a - seed_for_signing verification_key - (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key - in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v65 - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. - generate_key_pair_v65__SIGNING_KEY_SIZE - <: - bool) - in - () - in - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. - generate_key_pair_v65__VERIFICATION_KEY_SIZE - <: - bool) - in - () - in - let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - ((let list = - [ - cast (generate_key_pair_v65__ROWS_IN_A <: usize) <: u8; - cast (generate_key_pair_v65__COLUMNS_IN_A <: usize) <: u8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list) - <: - t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - seed_expanded - in - let shake:v_Shake256Xof = tmp0 in - let seed_expanded:t_Array u8 (sz 128) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (seed_expanded <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - seed_expanded - Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE - in - let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 30) - in - let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - generate_key_pair_v65__COLUMNS_IN_A - seed_for_a - a_as_ntt - in - let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 11) - in - let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) = - Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit - #v_Shake256X4 - generate_key_pair_v65__ETA - seed_for_error_vectors - s1_s2 - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 6) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 5) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - s1_ntt - (s1_s2.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = generate_key_pair_v65__COLUMNS_IN_A - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - usize) - (fun s1_ntt temp_1_ -> - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - s1_ntt - in - let _:usize = temp_1_ in - true) - s1_ntt - (fun s1_ntt i -> - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - s1_ntt - in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit - generate_key_pair_v65__ROWS_IN_A - generate_key_pair_v65__COLUMNS_IN_A - (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - t0 - in - let _:Prims.unit = () in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 6) - in - let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) = - Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp0 in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp1 in - let _:Prims.unit = () in - let verification_key:t_Slice u8 = - Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit - seed_for_a - (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - verification_key - in - let signing_key:t_Slice u8 = - Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 - generate_key_pair_v65__ETA generate_key_pair_v65__ERROR_RING_ELEMENT_SIZE seed_for_a - seed_for_signing verification_key - (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key - in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) - -let generate_key_pair_v87 - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. - generate_key_pair_v87__SIGNING_KEY_SIZE - <: - bool) - in - () - in - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. - generate_key_pair_v87__VERIFICATION_KEY_SIZE - <: - bool) - in - () - in - let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - ((let list = - [ - cast (generate_key_pair_v87__ROWS_IN_A <: usize) <: u8; - cast (generate_key_pair_v87__COLUMNS_IN_A <: usize) <: u8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list) - <: - t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - seed_expanded - in - let shake:v_Shake256Xof = tmp0 in - let seed_expanded:t_Array u8 (sz 128) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (seed_expanded <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - seed_expanded - Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE - in - let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 56) - in - let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - generate_key_pair_v87__COLUMNS_IN_A - seed_for_a - a_as_ntt - in - let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 15) - in - let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) = - Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit - #v_Shake256X4 - generate_key_pair_v87__ETA - seed_for_error_vectors - s1_s2 - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 7) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - s1_ntt - (s1_s2.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = generate_key_pair_v87__COLUMNS_IN_A - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - usize) - (fun s1_ntt temp_1_ -> - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - s1_ntt - in - let _:usize = temp_1_ in - true) - s1_ntt - (fun s1_ntt i -> - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - s1_ntt - in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit - generate_key_pair_v87__ROWS_IN_A - generate_key_pair_v87__COLUMNS_IN_A - (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - t0 - in - let _:Prims.unit = () in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) - in - let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) = - Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp0 in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp1 in - let _:Prims.unit = () in - let verification_key:t_Slice u8 = - Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit - seed_for_a - (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - verification_key - in - let signing_key:t_Slice u8 = - Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 - generate_key_pair_v87__ETA generate_key_pair_v87__ERROR_RING_ELEMENT_SIZE seed_for_a - seed_for_signing verification_key - (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key - in - let hax_temp_output:Prims.unit = () in - signing_key, verification_key <: (t_Slice u8 & t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti index a43ffe936..731a25876 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti @@ -6,92 +6,9 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Polynomial in - let open Libcrux_ml_dsa.Pre_hash in - let open Libcrux_ml_dsa.Samplex4 in - let open Libcrux_ml_dsa.Simd.Traits in () -let generate_key_pair_v44__BITS_PER_ERROR_COEFFICIENT: usize = - Libcrux_ml_dsa.Constants.V44.v_BITS_PER_ERROR_COEFFICIENT - -let generate_key_pair_v44__COLUMNS_IN_A: usize = Libcrux_ml_dsa.Constants.V44.v_COLUMNS_IN_A - -let generate_key_pair_v44__ERROR_RING_ELEMENT_SIZE: usize = - Libcrux_ml_dsa.Constants.error_ring_element_size generate_key_pair_v44__BITS_PER_ERROR_COEFFICIENT - -let generate_key_pair_v44__ETA: Libcrux_ml_dsa.Constants.t_Eta = Libcrux_ml_dsa.Constants.V44.v_ETA - -let generate_key_pair_v44__ROWS_IN_A: usize = Libcrux_ml_dsa.Constants.V44.v_ROWS_IN_A - -let generate_key_pair_v44__ROW_COLUMN: usize = - generate_key_pair_v44__ROWS_IN_A +! generate_key_pair_v44__COLUMNS_IN_A - -let generate_key_pair_v44__ROW_X_COLUMN: usize = - generate_key_pair_v44__ROWS_IN_A *! generate_key_pair_v44__COLUMNS_IN_A - -let generate_key_pair_v44__SIGNING_KEY_SIZE: usize = - Libcrux_ml_dsa.Constants.signing_key_size generate_key_pair_v44__ROWS_IN_A - generate_key_pair_v44__COLUMNS_IN_A - generate_key_pair_v44__ERROR_RING_ELEMENT_SIZE - -let generate_key_pair_v44__VERIFICATION_KEY_SIZE: usize = - Libcrux_ml_dsa.Constants.verification_key_size generate_key_pair_v44__ROWS_IN_A - -let generate_key_pair_v65__BITS_PER_ERROR_COEFFICIENT: usize = - Libcrux_ml_dsa.Constants.V65.v_BITS_PER_ERROR_COEFFICIENT - -let generate_key_pair_v65__COLUMNS_IN_A: usize = Libcrux_ml_dsa.Constants.V65.v_COLUMNS_IN_A - -let generate_key_pair_v65__ERROR_RING_ELEMENT_SIZE: usize = - Libcrux_ml_dsa.Constants.error_ring_element_size generate_key_pair_v65__BITS_PER_ERROR_COEFFICIENT - -let generate_key_pair_v65__ETA: Libcrux_ml_dsa.Constants.t_Eta = Libcrux_ml_dsa.Constants.V65.v_ETA - -let generate_key_pair_v65__ROWS_IN_A: usize = Libcrux_ml_dsa.Constants.V65.v_ROWS_IN_A - -let generate_key_pair_v65__ROW_COLUMN: usize = - generate_key_pair_v65__ROWS_IN_A +! generate_key_pair_v65__COLUMNS_IN_A - -let generate_key_pair_v65__ROW_X_COLUMN: usize = - generate_key_pair_v65__ROWS_IN_A *! generate_key_pair_v65__COLUMNS_IN_A - -let generate_key_pair_v65__SIGNING_KEY_SIZE: usize = - Libcrux_ml_dsa.Constants.signing_key_size generate_key_pair_v65__ROWS_IN_A - generate_key_pair_v65__COLUMNS_IN_A - generate_key_pair_v65__ERROR_RING_ELEMENT_SIZE - -let generate_key_pair_v65__VERIFICATION_KEY_SIZE: usize = - Libcrux_ml_dsa.Constants.verification_key_size generate_key_pair_v65__ROWS_IN_A - -let generate_key_pair_v87__BITS_PER_ERROR_COEFFICIENT: usize = - Libcrux_ml_dsa.Constants.V87.v_BITS_PER_ERROR_COEFFICIENT - -let generate_key_pair_v87__COLUMNS_IN_A: usize = Libcrux_ml_dsa.Constants.V87.v_COLUMNS_IN_A - -let generate_key_pair_v87__ERROR_RING_ELEMENT_SIZE: usize = - Libcrux_ml_dsa.Constants.error_ring_element_size generate_key_pair_v87__BITS_PER_ERROR_COEFFICIENT - -let generate_key_pair_v87__ETA: Libcrux_ml_dsa.Constants.t_Eta = Libcrux_ml_dsa.Constants.V87.v_ETA - -let generate_key_pair_v87__ROWS_IN_A: usize = Libcrux_ml_dsa.Constants.V87.v_ROWS_IN_A - -let generate_key_pair_v87__ROW_COLUMN: usize = - generate_key_pair_v87__ROWS_IN_A +! generate_key_pair_v87__COLUMNS_IN_A - -let generate_key_pair_v87__ROW_X_COLUMN: usize = - generate_key_pair_v87__ROWS_IN_A *! generate_key_pair_v87__COLUMNS_IN_A - -let generate_key_pair_v87__SIGNING_KEY_SIZE: usize = - Libcrux_ml_dsa.Constants.signing_key_size generate_key_pair_v87__ROWS_IN_A - generate_key_pair_v87__COLUMNS_IN_A - generate_key_pair_v87__ERROR_RING_ELEMENT_SIZE - -let generate_key_pair_v87__VERIFICATION_KEY_SIZE: usize = - Libcrux_ml_dsa.Constants.verification_key_size generate_key_pair_v87__ROWS_IN_A - /// This corresponds to line 6 in algorithm 7 in FIPS 204 (line 7 in algorithm /// 8, resp.). /// If `domain_separation_context` is supplied, applies domain @@ -118,174 +35,3 @@ val derive_message_representative (message: t_Slice u8) (message_representative: t_Array u8 (sz 64)) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) - -/// The internal signing API. -/// If no `domain_separation_context` is supplied, it is assumed that -/// `message` already contains the domain separation. -val sign_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message: t_Slice u8) - (domain_separation_context: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: - Type0) - (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: - usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: - usize) - {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -/// The internal verification API. -/// If no `domain_separation_context` is supplied, it is assumed that -/// `message` already contains the domain separation. -val verify_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message: t_Slice u8) - (domain_separation_context: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) - -val verify - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) - -val verify_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) - (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ROWS_X_COLUMNS v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: - usize) - (v_GAMMA2 v_BETA: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: - usize) - {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} - (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate a key pair. -val generate_key_pair_v44 - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate a key pair. -val generate_key_pair_v65 - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate a key pair. -val generate_key_pair_v87 - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) From 019b83986d91ef67c167148e03694671889a21be Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Tue, 7 Jan 2025 14:58:09 +0100 Subject: [PATCH 42/58] Remove const generic for pre-hash length --- libcrux-ml-dsa/src/hash_functions.rs | 6 ++-- libcrux-ml-dsa/src/ml_dsa_44.rs | 8 ++++++ libcrux-ml-dsa/src/ml_dsa_65.rs | 8 ++++++ libcrux-ml-dsa/src/ml_dsa_87.rs | 8 ++++++ libcrux-ml-dsa/src/ml_dsa_generic.rs | 16 +++++------ .../src/ml_dsa_generic/instantiations.rs | 14 +++++++--- .../src/ml_dsa_generic/instantiations/avx2.rs | 28 +++++++++++++++---- .../src/ml_dsa_generic/multiplexing.rs | 22 +++++++++++++-- libcrux-ml-dsa/src/pre_hash.rs | 14 ++++------ 9 files changed, 93 insertions(+), 31 deletions(-) diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index 1dea67ca7..25bae4c3b 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs @@ -67,7 +67,7 @@ pub(crate) mod shake128 { pub(crate) const FIVE_BLOCKS_SIZE: usize = BLOCK_SIZE * 5; pub(crate) trait Xof { - fn shake128(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]); + fn shake128(input: &[u8], out: &mut [u8]); } /// When sampling matrix A we always want to do 4 absorb/squeeze calls in @@ -203,13 +203,13 @@ pub(crate) mod portable { pub(crate) struct Shake128 {} #[inline(always)] - fn shake128(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { + fn shake128(input: &[u8], out: &mut [u8]) { libcrux_sha3::portable::shake128(out, input); } impl shake128::Xof for Shake128 { #[inline(always)] - fn shake128(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { + fn shake128(input: &[u8], out: &mut [u8]) { shake128(input, out); } } diff --git a/libcrux-ml-dsa/src/ml_dsa_44.rs b/libcrux-ml-dsa/src/ml_dsa_44.rs index 8a2b11dcc..ab8bf7a0d 100644 --- a/libcrux-ml-dsa/src/ml_dsa_44.rs +++ b/libcrux-ml-dsa/src/ml_dsa_44.rs @@ -92,10 +92,12 @@ macro_rules! instantiate { context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { + let mut pre_hash_buffer = [0u8; 256]; crate::ml_dsa_generic::instantiations::$modp::ml_dsa_44::sign_pre_hashed_shake128( signing_key.as_ref(), message, context, + &mut pre_hash_buffer, randomness, ) } @@ -130,10 +132,12 @@ macro_rules! instantiate { context: &[u8], signature: &MLDSA44Signature, ) -> Result<(), VerificationError> { + let mut pre_hash_buffer = [0u8; 256]; crate::ml_dsa_generic::instantiations::$modp::ml_dsa_44::verify_pre_hashed_shake128( verification_key.as_ref(), message, context, + &mut pre_hash_buffer, signature.as_ref(), ) } @@ -269,10 +273,12 @@ pub fn sign_pre_hashed_shake128( context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { + let mut pre_hash_buffer = [0u8; 256]; crate::ml_dsa_generic::multiplexing::ml_dsa_44::sign_pre_hashed_shake128( signing_key.as_ref(), message, context, + &mut pre_hash_buffer, randomness, ) } @@ -292,10 +298,12 @@ pub fn verify_pre_hashed_shake128( context: &[u8], signature: &MLDSA44Signature, ) -> Result<(), VerificationError> { + let mut pre_hash_buffer = [0u8; 256]; crate::ml_dsa_generic::multiplexing::ml_dsa_44::verify_pre_hashed_shake128( verification_key.as_ref(), message, context, + &mut pre_hash_buffer, signature.as_ref(), ) } diff --git a/libcrux-ml-dsa/src/ml_dsa_65.rs b/libcrux-ml-dsa/src/ml_dsa_65.rs index 337754bc8..81835139b 100644 --- a/libcrux-ml-dsa/src/ml_dsa_65.rs +++ b/libcrux-ml-dsa/src/ml_dsa_65.rs @@ -92,10 +92,12 @@ macro_rules! instantiate { context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { + let mut pre_hash_buffer = [0u8; 256]; crate::ml_dsa_generic::instantiations::$modp::ml_dsa_65::sign_pre_hashed_shake128( signing_key.as_ref(), message, context, + &mut pre_hash_buffer, randomness, ) } @@ -130,10 +132,12 @@ macro_rules! instantiate { context: &[u8], signature: &MLDSA65Signature, ) -> Result<(), VerificationError> { + let mut pre_hash_buffer = [0u8; 256]; crate::ml_dsa_generic::instantiations::$modp::ml_dsa_65::verify_pre_hashed_shake128( verification_key.as_ref(), message, context, + &mut pre_hash_buffer, signature.as_ref(), ) } @@ -269,10 +273,12 @@ pub fn sign_pre_hashed_shake128( context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { + let mut pre_hash_buffer = [0u8; 256]; crate::ml_dsa_generic::multiplexing::ml_dsa_65::sign_pre_hashed_shake128( signing_key.as_ref(), message, context, + &mut pre_hash_buffer, randomness, ) } @@ -292,10 +298,12 @@ pub fn verify_pre_hashed_shake128( context: &[u8], signature: &MLDSA65Signature, ) -> Result<(), VerificationError> { + let mut pre_hash_buffer = [0u8; 256]; crate::ml_dsa_generic::multiplexing::ml_dsa_65::verify_pre_hashed_shake128( verification_key.as_ref(), message, context, + &mut pre_hash_buffer, signature.as_ref(), ) } diff --git a/libcrux-ml-dsa/src/ml_dsa_87.rs b/libcrux-ml-dsa/src/ml_dsa_87.rs index b60b21905..ab1a4b4f6 100644 --- a/libcrux-ml-dsa/src/ml_dsa_87.rs +++ b/libcrux-ml-dsa/src/ml_dsa_87.rs @@ -92,10 +92,12 @@ macro_rules! instantiate { context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { + let mut pre_hash_buffer = [0u8; 256]; crate::ml_dsa_generic::instantiations::$modp::ml_dsa_87::sign_pre_hashed_shake128( signing_key.as_ref(), message, context, + &mut pre_hash_buffer, randomness, ) } @@ -130,10 +132,12 @@ macro_rules! instantiate { context: &[u8], signature: &MLDSA87Signature, ) -> Result<(), VerificationError> { + let mut pre_hash_buffer = [0u8; 256]; crate::ml_dsa_generic::instantiations::$modp::ml_dsa_87::verify_pre_hashed_shake128( verification_key.as_ref(), message, context, + &mut pre_hash_buffer, signature.as_ref(), ) } @@ -269,10 +273,12 @@ pub fn sign_pre_hashed_shake128( context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result { + let mut pre_hash_buffer = [0u8; 256]; crate::ml_dsa_generic::multiplexing::ml_dsa_87::sign_pre_hashed_shake128( signing_key.as_ref(), message, context, + &mut pre_hash_buffer, randomness, ) } @@ -292,10 +298,12 @@ pub fn verify_pre_hashed_shake128( context: &[u8], signature: &MLDSA87Signature, ) -> Result<(), VerificationError> { + let mut pre_hash_buffer = [0u8; 256]; crate::ml_dsa_generic::multiplexing::ml_dsa_87::verify_pre_hashed_shake128( verification_key.as_ref(), message, context, + &mut pre_hash_buffer, signature.as_ref(), ) } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index c5476802a..7bc1dcab2 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -485,18 +485,18 @@ pub(crate) mod generic { Shake256: shake256::DsaXof, Shake256Xof: shake256::Xof, Shake256X4: shake256::XofX4, - PH: PreHash, - const PH_DIGEST_LEN: usize, + PH: PreHash, >( signing_key: &[u8], message: &[u8], context: &[u8], + pre_hash_buffer: &mut [u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { if context.len() > CONTEXT_MAX_LEN { return Err(SigningError::ContextTooLongError); } - let pre_hashed_message = PH::hash::(message); + PH::hash::(message, pre_hash_buffer); let domain_separation_context = match DomainSeparationContext::new(context, Some(PH::oid())) { Ok(dsc) => dsc, @@ -504,7 +504,7 @@ pub(crate) mod generic { }; sign_internal::( signing_key, - &pre_hashed_message, + pre_hash_buffer, Some(domain_separation_context), randomness, ) @@ -570,15 +570,15 @@ pub(crate) mod generic { Shake128X4: shake128::XofX4, Shake256: shake256::DsaXof, Shake256Xof: shake256::Xof, - PH: PreHash, - const PH_DIGEST_LEN: usize, + PH: PreHash, >( verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], message: &[u8], context: &[u8], + pre_hash_buffer: &mut [u8], signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { - let pre_hashed_message = PH::hash::(message); + PH::hash::(message, pre_hash_buffer); let domain_separation_context = match DomainSeparationContext::new(context, Some(PH::oid())) { Ok(dsc) => dsc, @@ -586,7 +586,7 @@ pub(crate) mod generic { }; verify_internal::( verification_key_serialized, - &pre_hashed_message, + pre_hash_buffer, Some(domain_separation_context), signature_serialized, ) diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index ebe64bd77..dccc74b3b 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -80,6 +80,7 @@ macro_rules! instantiate { signing_key: &[u8; SIGNING_KEY_SIZE], message: &[u8], context: &[u8], + pre_hash_buffer: &mut [u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { crate::ml_dsa_generic::$parameter_module::sign_pre_hashed::< @@ -91,8 +92,7 @@ macro_rules! instantiate { $shake256xof, $shake256x4, SHAKE128_PH, - 256, - >(signing_key, message, context, randomness) + >(signing_key, message, context, pre_hash_buffer, randomness) } /// Verify. @@ -132,6 +132,7 @@ macro_rules! instantiate { verification_key: &[u8; VERIFICATION_KEY_SIZE], message: &[u8], context: &[u8], + pre_hash_buffer: &mut [u8], signature: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { crate::ml_dsa_generic::$parameter_module::verify_pre_hashed::< @@ -142,8 +143,13 @@ macro_rules! instantiate { $shake256, $shake256xof, SHAKE128_PH, - 256, - >(verification_key, message, context, signature) + >( + verification_key, + message, + context, + pre_hash_buffer, + signature, + ) } } }; diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index cc34c1fac..62dd0a39c 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -106,6 +106,7 @@ macro_rules! parameter_set { signing_key: &[u8; SIGNING_KEY_SIZE], message: &[u8], context: &[u8], + pre_hash_buffer: &mut [u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] @@ -114,6 +115,7 @@ macro_rules! parameter_set { signing_key: &[u8; SIGNING_KEY_SIZE], message: &[u8], context: &[u8], + pre_hash_buffer: &mut [u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { crate::ml_dsa_generic::$parameter_module::sign_pre_hashed::< @@ -129,10 +131,9 @@ macro_rules! parameter_set { crate::hash_functions::portable::Shake256Xof, crate::hash_functions::simd256::Shake256x4, SHAKE128_PH, - 256, - >(signing_key, message, context, randomness) + >(signing_key, message, context, pre_hash_buffer, randomness) } - unsafe { _inner(signing_key, message, context, randomness) } + unsafe { _inner(signing_key, message, context, pre_hash_buffer, randomness) } } /// Verify. @@ -198,6 +199,7 @@ macro_rules! parameter_set { verification_key: &[u8; VERIFICATION_KEY_SIZE], message: &[u8], context: &[u8], + pre_hash_buffer: &mut [u8], signature: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] @@ -206,6 +208,7 @@ macro_rules! parameter_set { verification_key: &[u8; VERIFICATION_KEY_SIZE], message: &[u8], context: &[u8], + pre_hash_buffer: &mut [u8], signature: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { crate::ml_dsa_generic::$parameter_module::verify_pre_hashed::< @@ -220,10 +223,23 @@ macro_rules! parameter_set { // It doesn' make sense to do these in parallel. crate::hash_functions::portable::Shake256Xof, SHAKE128_PH, - 256, - >(verification_key, message, context, signature) + >( + verification_key, + message, + context, + pre_hash_buffer, + signature, + ) + } + unsafe { + _inner( + verification_key, + message, + context, + pre_hash_buffer, + signature, + ) } - unsafe { _inner(verification_key, message, context, signature) } } } }; diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs index 272e5508b..97ee259d1 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs @@ -121,17 +121,31 @@ macro_rules! parameter_set { signing_key: &[u8; SIGNING_KEY_SIZE], message: &[u8], context: &[u8], + pre_hash_buffer: &mut [u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { if libcrux_platform::simd256_support() { - sign_pre_hashed_shake128_avx2(signing_key, message, context, randomness) + sign_pre_hashed_shake128_avx2( + signing_key, + message, + context, + pre_hash_buffer, + randomness, + ) } else if libcrux_platform::simd128_support() { - sign_pre_hashed_shake128_neon(signing_key, message, context, randomness) + sign_pre_hashed_shake128_neon( + signing_key, + message, + context, + pre_hash_buffer, + randomness, + ) } else { instantiations::portable::$parameter_module::sign_pre_hashed_shake128( signing_key, message, context, + pre_hash_buffer, randomness, ) } @@ -190,6 +204,7 @@ macro_rules! parameter_set { verification_key_serialized: &[u8; VERIFICATION_KEY_SIZE], message: &[u8], context: &[u8], + pre_hash_buffer: &mut [u8], signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { if libcrux_platform::simd256_support() { @@ -197,6 +212,7 @@ macro_rules! parameter_set { verification_key_serialized, message, context, + pre_hash_buffer, signature_serialized, ) } else if libcrux_platform::simd128_support() { @@ -204,6 +220,7 @@ macro_rules! parameter_set { verification_key_serialized, message, context, + pre_hash_buffer, signature_serialized, ) } else { @@ -211,6 +228,7 @@ macro_rules! parameter_set { verification_key_serialized, message, context, + pre_hash_buffer, signature_serialized, ) } diff --git a/libcrux-ml-dsa/src/pre_hash.rs b/libcrux-ml-dsa/src/pre_hash.rs index 1e678a770..df368b339 100644 --- a/libcrux-ml-dsa/src/pre_hash.rs +++ b/libcrux-ml-dsa/src/pre_hash.rs @@ -9,13 +9,13 @@ use crate::{constants::CONTEXT_MAX_LEN, hash_functions, SigningError, Verificati pub(crate) const PRE_HASH_OID_LEN: usize = 11; pub(crate) type PreHashOID = [u8; PRE_HASH_OID_LEN]; -pub(crate) trait PreHash { +pub(crate) trait PreHash { /// The object identifier (OID) of the hash function or XOF used /// to perform the pre-hashing of the message. fn oid() -> PreHashOID; /// Used to derive the pre-hash PH of the message before signing. - fn hash(message: &[u8]) -> [u8; DIGEST_LEN]; + fn hash(message: &[u8], output: &mut [u8]); } #[allow(non_camel_case_types)] @@ -27,17 +27,15 @@ const SHAKE128_OID: PreHashOID = [ 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0b, ]; -impl PreHash<256> for SHAKE128_PH { +impl PreHash for SHAKE128_PH { fn oid() -> PreHashOID { SHAKE128_OID } #[inline(always)] - fn hash(message: &[u8]) -> [u8; 256] { - let mut output = [0u8; 256]; - Shake128::shake128(message, &mut output); - - output + fn hash(message: &[u8], output: &mut [u8]) { + debug_assert_eq!(output.len(), 256); + Shake128::shake128(message, output); } } From da62157bec7291757ae2d9759dc4e0d33524beb8 Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Tue, 7 Jan 2025 15:13:25 +0100 Subject: [PATCH 43/58] Updated F* extraction --- .../Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti | 27 + .../Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti | 27 + .../Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti | 27 + ...Libcrux_ml_dsa.Hash_functions.Portable.fst | 6 +- ...ibcrux_ml_dsa.Hash_functions.Portable.fsti | 3 +- ...ibcrux_ml_dsa.Hash_functions.Shake128.fsti | 15 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst | 47 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst | 47 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst | 47 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst | 47 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst | 47 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst | 47 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst | 47 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst | 47 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst | 47 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst | 47 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst | 47 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst | 47 +- ...generic.Instantiations.Avx2.Ml_dsa_44_.fst | 173 +++ ...eneric.Instantiations.Avx2.Ml_dsa_44_.fsti | 99 ++ ...generic.Instantiations.Avx2.Ml_dsa_65_.fst | 173 +++ ...eneric.Instantiations.Avx2.Ml_dsa_65_.fsti | 99 ++ ...generic.Instantiations.Avx2.Ml_dsa_87_.fst | 173 +++ ...eneric.Instantiations.Avx2.Ml_dsa_87_.fsti | 99 ++ ...generic.Instantiations.Neon.Ml_dsa_44_.fst | 115 ++ ...eneric.Instantiations.Neon.Ml_dsa_44_.fsti | 63 + ...generic.Instantiations.Neon.Ml_dsa_65_.fst | 115 ++ ...eneric.Instantiations.Neon.Ml_dsa_65_.fsti | 63 + ...generic.Instantiations.Neon.Ml_dsa_87_.fst | 115 ++ ...eneric.Instantiations.Neon.Ml_dsa_87_.fsti | 63 + ...ric.Instantiations.Portable.Ml_dsa_44_.fst | 117 ++ ...ic.Instantiations.Portable.Ml_dsa_44_.fsti | 62 + ...ric.Instantiations.Portable.Ml_dsa_65_.fst | 117 ++ ...ic.Instantiations.Portable.Ml_dsa_65_.fsti | 62 + ...ric.Instantiations.Portable.Ml_dsa_87_.fst | 117 ++ ...ic.Instantiations.Portable.Ml_dsa_87_.fsti | 62 + ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst | 1271 ++++++++++++++++ ...crux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti | 165 +++ ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst | 1271 ++++++++++++++++ ...crux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti | 165 +++ ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst | 1273 +++++++++++++++++ ...crux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti | 165 +++ ...Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst | 223 +++ ...l_dsa_generic.Multiplexing.Ml_dsa_44_.fsti | 44 + ...Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst | 223 +++ ...l_dsa_generic.Multiplexing.Ml_dsa_65_.fsti | 44 + ...Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst | 223 +++ ...l_dsa_generic.Multiplexing.Ml_dsa_87_.fsti | 44 + .../extraction/Libcrux_ml_dsa.Pre_hash.fst | 44 +- .../extraction/Libcrux_ml_dsa.Pre_hash.fsti | 21 +- 50 files changed, 7498 insertions(+), 234 deletions(-) create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fsti diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti new file mode 100644 index 000000000..105a22c73 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti @@ -0,0 +1,27 @@ +module Libcrux_ml_dsa.Constants.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 6 + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 18 + +let v_COLUMNS_IN_A: usize = sz 4 + +let v_COMMITMENT_HASH_SIZE: usize = sz 32 + +let v_ETA: Libcrux_ml_dsa.Constants.t_Eta = + Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta + +let v_GAMMA1_EXPONENT: usize = sz 17 + +let v_MAX_ONES_IN_HINT: usize = sz 80 + +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 39 + +let v_ROWS_IN_A: usize = sz 4 + +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 88l diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti new file mode 100644 index 000000000..ac228b809 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti @@ -0,0 +1,27 @@ +module Libcrux_ml_dsa.Constants.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4 + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 + +let v_COLUMNS_IN_A: usize = sz 5 + +let v_COMMITMENT_HASH_SIZE: usize = sz 48 + +let v_ETA: Libcrux_ml_dsa.Constants.t_Eta = + Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta + +let v_GAMMA1_EXPONENT: usize = sz 19 + +let v_MAX_ONES_IN_HINT: usize = sz 55 + +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 49 + +let v_ROWS_IN_A: usize = sz 6 + +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti new file mode 100644 index 000000000..30097ecf0 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti @@ -0,0 +1,27 @@ +module Libcrux_ml_dsa.Constants.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 + +let v_COLUMNS_IN_A: usize = sz 7 + +let v_COMMITMENT_HASH_SIZE: usize = sz 64 + +let v_ETA: Libcrux_ml_dsa.Constants.t_Eta = + Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta + +let v_GAMMA1_EXPONENT: usize = sz 19 + +let v_MAX_ONES_IN_HINT: usize = sz 75 + +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 60 + +let v_ROWS_IN_A: usize = sz 8 + +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst index b93e63c07..4d34ec255 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst @@ -85,10 +85,10 @@ val init_absorb_x4': let init_absorb_x4 = init_absorb_x4' assume -val shake128': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH - -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) +val shake128': input: t_Slice u8 -> out: t_Slice u8 + -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -let shake128 (v_OUTPUT_LENGTH: usize) = shake128' v_OUTPUT_LENGTH +let shake128 = shake128' assume val shake256': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti index 0b7e313f7..3fc96890c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti @@ -43,8 +43,7 @@ val init_absorb_final_shake256 (input: t_Slice u8) val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) : Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True) -val shake128 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) - : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) +val shake128 (input out: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti index aa229c844..67503f772 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti @@ -4,17 +4,10 @@ open Core open FStar.Mul class t_Xof (v_Self: Type0) = { - f_shake128_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; - f_shake128_post: - v_OUTPUT_LENGTH: usize -> - t_Slice u8 -> - t_Array u8 v_OUTPUT_LENGTH -> - t_Array u8 v_OUTPUT_LENGTH - -> Type0; - f_shake128:v_OUTPUT_LENGTH: usize -> x0: t_Slice u8 -> x1: t_Array u8 v_OUTPUT_LENGTH - -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) - (f_shake128_pre v_OUTPUT_LENGTH x0 x1) - (fun result -> f_shake128_post v_OUTPUT_LENGTH x0 x1 result) + f_shake128_pre:t_Slice u8 -> t_Slice u8 -> Type0; + f_shake128_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; + f_shake128:x0: t_Slice u8 -> x1: t_Slice u8 + -> Prims.Pure (t_Slice u8) (f_shake128_pre x0 x1) (fun result -> f_shake128_post x0 x1 result) } /// When sampling matrix A we always want to do 4 absorb/squeeze calls in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst index 79969160b..79582529e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 2560) - signing_key - <: - t_Array u8 (sz 2560)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1312) - verification_key - <: - t_Array u8 (sz 1312)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst index 0bc3f9212..8a6b279e8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 2560) - signing_key - <: - t_Array u8 (sz 2560)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1312) - verification_key - <: - t_Array u8 (sz 1312)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst index b4ff49a2e..5d10a32f4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 2560) - signing_key - <: - t_Array u8 (sz 2560)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1312) - verification_key - <: - t_Array u8 (sz 1312)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst index f3364bb9a..3506b3983 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 2560) - signing_key - <: - t_Array u8 (sz 2560)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1312) - verification_key - <: - t_Array u8 (sz 1312)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst index 8a7ec8559..2fad9a3d2 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4032) - signing_key - <: - t_Array u8 (sz 4032)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1952) - verification_key - <: - t_Array u8 (sz 1952)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst index d3978ab3b..24205fe33 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4032) - signing_key - <: - t_Array u8 (sz 4032)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1952) - verification_key - <: - t_Array u8 (sz 1952)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst index 986c8e0b0..325f4c11f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4032) - signing_key - <: - t_Array u8 (sz 4032)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1952) - verification_key - <: - t_Array u8 (sz 1952)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst index 04a7f4adc..243d5de79 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4032) - signing_key - <: - t_Array u8 (sz 4032)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1952) - verification_key - <: - t_Array u8 (sz 1952)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst index 0a4c40f8d..bbb9f7a6a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4896) - signing_key - <: - t_Array u8 (sz 4896)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 2592) - verification_key - <: - t_Array u8 (sz 2592)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst index 401110e07..754385046 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4896) - signing_key - <: - t_Array u8 (sz 4896)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 2592) - verification_key - <: - t_Array u8 (sz 2592)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst index ddb5ccee2..8dd52879e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4896) - signing_key - <: - t_Array u8 (sz 4896)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 2592) - verification_key - <: - t_Array u8 (sz 2592)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst index 856f9a4bc..56f5baaf3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4896) - signing_key - <: - t_Array u8 (sz 4896)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 2592) - verification_key - <: - t_Array u8 (sz 2592)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst new file mode 100644 index 000000000..0e90b5905 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst @@ -0,0 +1,173 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + generate_key_pair___inner randomness signing_key verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let sign___inner + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = sign___inner signing_key message context randomness + +let sign_pre_hashed_shake128___inner + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + sign_pre_hashed_shake128___inner signing_key message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify___inner + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = verify___inner verification_key message context signature + +let verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + verify_pre_hashed_shake128___inner verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti new file mode 100644 index 000000000..1d183a070 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti @@ -0,0 +1,99 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Key Generation. +val generate_key_pair___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val sign___inner + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128___inner + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify___inner + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst new file mode 100644 index 000000000..2eaef669f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst @@ -0,0 +1,173 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + generate_key_pair___inner randomness signing_key verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let sign___inner + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = sign___inner signing_key message context randomness + +let sign_pre_hashed_shake128___inner + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + sign_pre_hashed_shake128___inner signing_key message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify___inner + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = verify___inner verification_key message context signature + +let verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + verify_pre_hashed_shake128___inner verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti new file mode 100644 index 000000000..5ca65ea3e --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti @@ -0,0 +1,99 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Key Generation. +val generate_key_pair___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val sign___inner + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128___inner + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify___inner + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst new file mode 100644 index 000000000..b33bc079f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst @@ -0,0 +1,173 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + generate_key_pair___inner randomness signing_key verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let sign___inner + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = sign___inner signing_key message context randomness + +let sign_pre_hashed_shake128___inner + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + sign_pre_hashed_shake128___inner signing_key message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify___inner + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = verify___inner verification_key message context signature + +let verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + verify_pre_hashed_shake128___inner verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti new file mode 100644 index 000000000..a7b0d3ae2 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti @@ -0,0 +1,99 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Key Generation. +val generate_key_pair___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val sign___inner + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128___inner + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify___inner + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst new file mode 100644 index 000000000..f427c1cf1 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst @@ -0,0 +1,115 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 2560)) + (verification_key: t_Array u8 (sz 1312)) + = + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) + +let sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti new file mode 100644 index 000000000..a8681a605 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti @@ -0,0 +1,63 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 2560)) + (verification_key: t_Array u8 (sz 1312)) + : Prims.Pure (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst new file mode 100644 index 000000000..32e1935fe --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst @@ -0,0 +1,115 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + = + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) + +let sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti new file mode 100644 index 000000000..dbc3427cc --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti @@ -0,0 +1,63 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + : Prims.Pure (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst new file mode 100644 index 000000000..02aca3140 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst @@ -0,0 +1,115 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4896)) + (verification_key: t_Array u8 (sz 2592)) + = + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) + +let sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti new file mode 100644 index 000000000..3179307e3 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti @@ -0,0 +1,63 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4896)) + (verification_key: t_Array u8 (sz 2592)) + : Prims.Pure (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst new file mode 100644 index 000000000..f5d75d98f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst @@ -0,0 +1,117 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 2560)) + (verification_key: t_Array u8 (sz 1312)) + = + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 + randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) + +let sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti new file mode 100644 index 000000000..676d92da6 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti @@ -0,0 +1,62 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 2560)) + (verification_key: t_Array u8 (sz 1312)) + : Prims.Pure (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst new file mode 100644 index 000000000..7350b6417 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst @@ -0,0 +1,117 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + = + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 + randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) + +let sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti new file mode 100644 index 000000000..45fa9ce86 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti @@ -0,0 +1,62 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + : Prims.Pure (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst new file mode 100644 index 000000000..e57e2445f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst @@ -0,0 +1,117 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4896)) + (verification_key: t_Array u8 (sz 2592)) + = + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 + randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) + +let sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti new file mode 100644 index 000000000..dd7f46ae3 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti @@ -0,0 +1,62 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4896)) + (verification_key: t_Array u8 (sz 2592)) + : Prims.Pure (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst new file mode 100644 index 000000000..7c4cf255d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst @@ -0,0 +1,1271 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + = + let eta:Libcrux_ml_dsa.Constants.t_Eta = + match + cast (Libcrux_ml_dsa.Constants.t_Eta_cast_to_repr Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA + <: + isize) + <: + u8 + with + | 2uy -> Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta + | 4uy -> Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + in + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + s1_as_ntt + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + s2_as_ntt + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 16) + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + seed_for_a + matrix + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof + verification_key_hash + domain_separation_context + message + message_representative + in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_for_signing + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + mask_seed + in + let shake:v_Shake256Xof = tmp0 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let (domain_separator_for_mask: u16):u16 = 0us in + let attempt:usize = sz 0 in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 32)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 32)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Core.Option.Option_None + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) + in + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 32)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 32)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) = + temp_0_ + in + attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) + (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)))) + (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 32)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) = + temp_0_ + in + let attempt:usize = attempt +! sz 1 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let tmp0, tmp1:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit + #v_Shake256 + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT + mask_seed + domain_separator_for_mask + mask + in + let domain_separator_for_mask:u16 = tmp0 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + tmp1 + in + let _:Prims.unit = () in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + #FStar.Tactics.Typeclasses.solve + mask + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (mask_ntt + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun mask_ntt temp_1_ -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + mask_ntt + in + let _:usize = temp_1_ in + true) + mask_ntt + (fun mask_ntt i -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + mask_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask_ntt.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + a_x_mask + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2 + (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + w0 + commitment + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + tmp0 + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) = + tmp1 + in + let _:Prims.unit = () in + let _:Prims.unit = () in + let commitment_hash_candidate:t_Array u8 (sz 32) = + Rust_primitives.Hax.repeat 0uy (sz 32) + in + let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in + let commitment_serialized:t_Array u8 (sz 768) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 32)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + commitment_hash_candidate + in + let shake:v_Shake256Xof = tmp0 in + let commitment_hash_candidate:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (commitment_hash_candidate <: t_Slice u8) + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + #FStar.Tactics.Typeclasses.solve + s1_as_ntt + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + #FStar.Tactics.Typeclasses.solve + s2_as_ntt + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s1 + verifier_challenge + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s2 + verifier_challenge + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + mask + (challenge_times_s1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + w0 + (challenge_times_s2 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((1l <. Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) + else + let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 32)) = + Core.Option.Option_Some commitment_hash_candidate + <: + Core.Option.t_Option (t_Array u8 (sz 32)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Core.Option.Option_Some mask + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) = + Core.Option.Option_Some hint_candidate + <: + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) + in + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) + ) + in + match commitment_hash <: Core.Option.t_Option (t_Array u8 (sz 32)) with + | Core.Option.Option_Some commitment_hash -> + let commitment_hash:t_Array u8 (sz 32) = commitment_hash in + (match + signer_response + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + with + | Core.Option.Option_Some signer_response -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) = + signer_response + in + (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) with + | Core.Option.Option_Some hint -> + let hint:t_Array (t_Array i32 (sz 256)) (sz 4) = hint in + let signature:t_Array u8 (sz 2420) = Rust_primitives.Hax.repeat 0uy (sz 2420) in + let signature:t_Array u8 (sz 2420) = + Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit + (commitment_hash <: t_Slice u8) + (signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint <: t_Slice (t_Array i32 (sz 256))) + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT signature + in + Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 2420) signature) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + ) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError + +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError + +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i13: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key: t_Array u8 (sz 1312)) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 (sz 2420)) + = + let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (verification_key <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + t1_serialized + t1 + in + let deserialized_commitment_hash:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 4) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + (sz 4) + in + let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) & + t_Array (t_Array i32 (sz 256)) (sz 4) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE + (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response + deserialized_hint + in + let deserialized_commitment_hash:t_Array u8 (sz 32) = tmp0 in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + tmp1 + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 4) = tmp2 in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with + | Core.Result.Result_Ok _ -> + let _:Prims.unit = () <: Prims.unit in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((2l < + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + deserialized_signer_response + in + let _:usize = temp_1_ in + true) + deserialized_signer_response + (fun deserialized_signer_response i -> + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + deserialized_signer_response + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialized_signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verifier_challenge + t1 + in + let recomputed_commitment_hash:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2 + (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) + t1 + in + let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in + let commitment_serialized:t_Array u8 (sz 768) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 32)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + recomputed_commitment_hash + in + let shake:v_Shake256Xof = tmp0 in + let recomputed_commitment_hash:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + if deserialized_commitment_hash =. recomputed_commitment_hash + then + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + = + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + +let generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE + <: + bool) + in + () + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. + v_VERIFICATION_KEY_SIZE + <: + bool) + in + () + in + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + ((let list = + [ + cast (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A <: usize) <: u8; + cast (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A <: usize) <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:v_Shake256Xof = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 16) + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + seed_for_a + a_as_ntt + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA + seed_for_error_vectors + s1_s2 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + s1_ntt + (s1_s2.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun s1_ntt temp_1_ -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + s1_ntt + in + let _:usize = temp_1_ in + true) + s1_ntt + (fun s1_ntt i -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + s1_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + t0 + in + let _:Prims.unit = () in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp0 in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp1 in + let _:Prims.unit = () in + let verification_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit + seed_for_a + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verification_key + in + let signing_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a + seed_for_signing verification_key + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti new file mode 100644 index 000000000..d42b5c793 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti @@ -0,0 +1,165 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let v_BETA: i32 = + Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ONES_IN_VERIFIER_CHALLENGE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_COMMITMENT_COEFFICIENT + +let v_COMMITMENT_VECTOR_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_COMMITMENT_COEFFICIENT + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + +let v_ERROR_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.error_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_ERROR_COEFFICIENT + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.gamma1_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_GAMMA1_COEFFICIENT + +let v_ROW_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A +! + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + +let v_ROW_X_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A *! + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + +let v_SIGNATURE_SIZE: usize = + Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_GAMMA1_COEFFICIENT + +let v_SIGNING_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.signing_key_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + v_ERROR_RING_ELEMENT_SIZE + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + +val sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// The internal verification API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. +val verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + (verification_key: t_Array u8 (sz 1312)) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst new file mode 100644 index 000000000..d7663ec47 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst @@ -0,0 +1,1271 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + = + let eta:Libcrux_ml_dsa.Constants.t_Eta = + match + cast (Libcrux_ml_dsa.Constants.t_Eta_cast_to_repr Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA + <: + isize) + <: + u8 + with + | 2uy -> Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta + | 4uy -> Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + in + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + s1_as_ntt + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + s2_as_ntt + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 30) + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + seed_for_a + matrix + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof + verification_key_hash + domain_separation_context + message + message_representative + in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_for_signing + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + mask_seed + in + let shake:v_Shake256Xof = tmp0 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let (domain_separator_for_mask: u16):u16 = 0us in + let attempt:usize = sz 0 in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 48)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 48)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) = + Core.Option.Option_None + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) + in + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 48)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 48)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) = + temp_0_ + in + attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) + (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)))) + (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 48)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) = + temp_0_ + in + let attempt:usize = attempt +! sz 1 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let tmp0, tmp1:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) = + Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit + #v_Shake256 + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT + mask_seed + domain_separator_for_mask + mask + in + let domain_separator_for_mask:u16 = tmp0 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + tmp1 + in + let _:Prims.unit = () in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) + = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + #FStar.Tactics.Typeclasses.solve + mask + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) + = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (mask_ntt + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun mask_ntt temp_1_ -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + mask_ntt + in + let _:usize = temp_1_ in + true) + mask_ntt + (fun mask_ntt i -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + mask_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask_ntt.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) + = + Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + a_x_mask + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) = + Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2 + (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + w0 + commitment + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + tmp0 + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) = + tmp1 + in + let _:Prims.unit = () in + let _:Prims.unit = () in + let commitment_hash_candidate:t_Array u8 (sz 48) = + Rust_primitives.Hax.repeat 0uy (sz 48) + in + let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in + let commitment_serialized:t_Array u8 (sz 768) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 48)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + commitment_hash_candidate + in + let shake:v_Shake256Xof = tmp0 in + let commitment_hash_candidate:t_Array u8 (sz 48) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (commitment_hash_candidate <: t_Slice u8) + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + #FStar.Tactics.Typeclasses.solve + s1_as_ntt + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) + #FStar.Tactics.Typeclasses.solve + s2_as_ntt + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s1 + verifier_challenge + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s2 + verifier_challenge + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + mask + (challenge_times_s1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + w0 + (challenge_times_s2 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((1l <. Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) + else + let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 48)) = + Core.Option.Option_Some commitment_hash_candidate + <: + Core.Option.t_Option (t_Array u8 (sz 48)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) = + Core.Option.Option_Some mask + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) = + Core.Option.Option_Some hint_candidate + <: + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) + in + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) + ) + in + match commitment_hash <: Core.Option.t_Option (t_Array u8 (sz 48)) with + | Core.Option.Option_Some commitment_hash -> + let commitment_hash:t_Array u8 (sz 48) = commitment_hash in + (match + signer_response + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + with + | Core.Option.Option_Some signer_response -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) = + signer_response + in + (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) with + | Core.Option.Option_Some hint -> + let hint:t_Array (t_Array i32 (sz 256)) (sz 6) = hint in + let signature:t_Array u8 (sz 3309) = Rust_primitives.Hax.repeat 0uy (sz 3309) in + let signature:t_Array u8 (sz 3309) = + Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit + (commitment_hash <: t_Slice u8) + (signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint <: t_Slice (t_Array i32 (sz 256))) + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT signature + in + Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 3309) signature) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + ) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError + +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError + +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i13: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key: t_Array u8 (sz 1952)) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 (sz 3309)) + = + let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (verification_key <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + t1_serialized + t1 + in + let deserialized_commitment_hash:t_Array u8 (sz 48) = Rust_primitives.Hax.repeat 0uy (sz 48) in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 6) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + (sz 6) + in + let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 48) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) & + t_Array (t_Array i32 (sz 256)) (sz 6) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE + (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response + deserialized_hint + in + let deserialized_commitment_hash:t_Array u8 (sz 48) = tmp0 in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + tmp1 + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 6) = tmp2 in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with + | Core.Result.Result_Ok _ -> + let _:Prims.unit = () <: Prims.unit in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((2l < + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + deserialized_signer_response + in + let _:usize = temp_1_ in + true) + deserialized_signer_response + (fun deserialized_signer_response i -> + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + deserialized_signer_response + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialized_signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verifier_challenge + t1 + in + let recomputed_commitment_hash:t_Array u8 (sz 48) = Rust_primitives.Hax.repeat 0uy (sz 48) in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2 + (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) + t1 + in + let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in + let commitment_serialized:t_Array u8 (sz 768) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 48)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + recomputed_commitment_hash + in + let shake:v_Shake256Xof = tmp0 in + let recomputed_commitment_hash:t_Array u8 (sz 48) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + if deserialized_commitment_hash =. recomputed_commitment_hash + then + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + = + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + +let generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE + <: + bool) + in + () + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. + v_VERIFICATION_KEY_SIZE + <: + bool) + in + () + in + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + ((let list = + [ + cast (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A <: usize) <: u8; + cast (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A <: usize) <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:v_Shake256Xof = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 30) + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + seed_for_a + a_as_ntt + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 11) + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA + seed_for_error_vectors + s1_s2 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + s1_ntt + (s1_s2.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun s1_ntt temp_1_ -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + s1_ntt + in + let _:usize = temp_1_ in + true) + s1_ntt + (fun s1_ntt i -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + s1_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + t0 + in + let _:Prims.unit = () in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp0 in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp1 in + let _:Prims.unit = () in + let verification_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit + seed_for_a + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verification_key + in + let signing_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a + seed_for_signing verification_key + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti new file mode 100644 index 000000000..46aa5f314 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti @@ -0,0 +1,165 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let v_BETA: i32 = + Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ONES_IN_VERIFIER_CHALLENGE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_COMMITMENT_COEFFICIENT + +let v_COMMITMENT_VECTOR_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_COMMITMENT_COEFFICIENT + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + +let v_ERROR_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.error_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_ERROR_COEFFICIENT + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.gamma1_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_GAMMA1_COEFFICIENT + +let v_ROW_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A +! + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + +let v_ROW_X_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A *! + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + +let v_SIGNATURE_SIZE: usize = + Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_GAMMA1_COEFFICIENT + +let v_SIGNING_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.signing_key_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + v_ERROR_RING_ELEMENT_SIZE + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + +val sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// The internal verification API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. +val verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + (verification_key: t_Array u8 (sz 1952)) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst new file mode 100644 index 000000000..ae888c151 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst @@ -0,0 +1,1273 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + = + let eta:Libcrux_ml_dsa.Constants.t_Eta = + match + cast (Libcrux_ml_dsa.Constants.t_Eta_cast_to_repr Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA + <: + isize) + <: + u8 + with + | 2uy -> Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta + | 4uy -> Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + in + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + s1_as_ntt + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + s2_as_ntt + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 56) + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + seed_for_a + matrix + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof + verification_key_hash + domain_separation_context + message + message_representative + in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_for_signing + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + mask_seed + in + let shake:v_Shake256Xof = tmp0 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let (domain_separator_for_mask: u16):u16 = 0us in + let attempt:usize = sz 0 in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 64)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 64)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) = + Core.Option.Option_None + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) + in + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 64)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 64)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) = + temp_0_ + in + attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) + (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)))) + (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 64)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) = + temp_0_ + in + let attempt:usize = attempt +! sz 1 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let tmp0, tmp1:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) = + Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit + #v_Shake256 + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT + mask_seed + domain_separator_for_mask + mask + in + let domain_separator_for_mask:u16 = tmp0 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + tmp1 + in + let _:Prims.unit = () in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) + = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + #FStar.Tactics.Typeclasses.solve + mask + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) + = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (mask_ntt + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun mask_ntt temp_1_ -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + mask_ntt + in + let _:usize = temp_1_ in + true) + mask_ntt + (fun mask_ntt i -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + mask_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask_ntt.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) + = + Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + a_x_mask + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) = + Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2 + (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + w0 + commitment + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + tmp0 + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) = + tmp1 + in + let _:Prims.unit = () in + let _:Prims.unit = () in + let commitment_hash_candidate:t_Array u8 (sz 64) = + Rust_primitives.Hax.repeat 0uy (sz 64) + in + let commitment_serialized:t_Array u8 (sz 1024) = + Rust_primitives.Hax.repeat 0uy (sz 1024) + in + let commitment_serialized:t_Array u8 (sz 1024) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + commitment_hash_candidate + in + let shake:v_Shake256Xof = tmp0 in + let commitment_hash_candidate:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (commitment_hash_candidate <: t_Slice u8) + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + #FStar.Tactics.Typeclasses.solve + s1_as_ntt + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) + #FStar.Tactics.Typeclasses.solve + s2_as_ntt + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s1 + verifier_challenge + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s2 + verifier_challenge + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + mask + (challenge_times_s1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + w0 + (challenge_times_s2 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((1l <. Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) + else + let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 64)) = + Core.Option.Option_Some commitment_hash_candidate + <: + Core.Option.t_Option (t_Array u8 (sz 64)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) = + Core.Option.Option_Some mask + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) = + Core.Option.Option_Some hint_candidate + <: + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) + in + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) + ) + in + match commitment_hash <: Core.Option.t_Option (t_Array u8 (sz 64)) with + | Core.Option.Option_Some commitment_hash -> + let commitment_hash:t_Array u8 (sz 64) = commitment_hash in + (match + signer_response + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + with + | Core.Option.Option_Some signer_response -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) = + signer_response + in + (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) with + | Core.Option.Option_Some hint -> + let hint:t_Array (t_Array i32 (sz 256)) (sz 8) = hint in + let signature:t_Array u8 (sz 4627) = Rust_primitives.Hax.repeat 0uy (sz 4627) in + let signature:t_Array u8 (sz 4627) = + Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit + (commitment_hash <: t_Slice u8) + (signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint <: t_Slice (t_Array i32 (sz 256))) + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT signature + in + Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 4627) signature) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + ) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError + +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError + +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i13: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key: t_Array u8 (sz 2592)) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 (sz 4627)) + = + let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (verification_key <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + t1_serialized + t1 + in + let deserialized_commitment_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 8) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + (sz 8) + in + let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) & + t_Array (t_Array i32 (sz 256)) (sz 8) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE + (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response + deserialized_hint + in + let deserialized_commitment_hash:t_Array u8 (sz 64) = tmp0 in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + tmp1 + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 8) = tmp2 in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with + | Core.Result.Result_Ok _ -> + let _:Prims.unit = () <: Prims.unit in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((2l < + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + deserialized_signer_response + in + let _:usize = temp_1_ in + true) + deserialized_signer_response + (fun deserialized_signer_response i -> + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + deserialized_signer_response + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialized_signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verifier_challenge + t1 + in + let recomputed_commitment_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2 + (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) + t1 + in + let commitment_serialized:t_Array u8 (sz 1024) = Rust_primitives.Hax.repeat 0uy (sz 1024) in + let commitment_serialized:t_Array u8 (sz 1024) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + recomputed_commitment_hash + in + let shake:v_Shake256Xof = tmp0 in + let recomputed_commitment_hash:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + if deserialized_commitment_hash =. recomputed_commitment_hash + then + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + = + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + +let generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE + <: + bool) + in + () + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. + v_VERIFICATION_KEY_SIZE + <: + bool) + in + () + in + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + ((let list = + [ + cast (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A <: usize) <: u8; + cast (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A <: usize) <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:v_Shake256Xof = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 56) + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + seed_for_a + a_as_ntt + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 15) + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA + seed_for_error_vectors + s1_s2 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + s1_ntt + (s1_s2.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun s1_ntt temp_1_ -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + s1_ntt + in + let _:usize = temp_1_ in + true) + s1_ntt + (fun s1_ntt i -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + s1_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + t0 + in + let _:Prims.unit = () in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp0 in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp1 in + let _:Prims.unit = () in + let verification_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit + seed_for_a + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verification_key + in + let signing_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a + seed_for_signing verification_key + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti new file mode 100644 index 000000000..c47847ef4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti @@ -0,0 +1,165 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let v_BETA: i32 = + Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ONES_IN_VERIFIER_CHALLENGE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_COMMITMENT_COEFFICIENT + +let v_COMMITMENT_VECTOR_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_COMMITMENT_COEFFICIENT + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + +let v_ERROR_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.error_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_ERROR_COEFFICIENT + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.gamma1_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_GAMMA1_COEFFICIENT + +let v_ROW_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A +! + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + +let v_ROW_X_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A *! + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + +let v_SIGNATURE_SIZE: usize = + Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_GAMMA1_COEFFICIENT + +let v_SIGNING_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.signing_key_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + v_ERROR_RING_ELEMENT_SIZE + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + +val sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// The internal verification API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. +val verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + (verification_key: t_Array u8 (sz 2592)) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst new file mode 100644 index 000000000..3d5bc9e4a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst @@ -0,0 +1,223 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 2560)) + (verification_key: t_Array u8 (sz 1312)) + = + let (signing_key, verification_key), hax_temp_output:((t_Array u8 (sz 2560) & t_Array u8 (sz 1312) + ) & + Prims.unit) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312))), () + <: + ((t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) & Prims.unit) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312))), () + <: + ((t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) & Prims.unit) + else + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312))), () + <: + ((t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) & Prims.unit) + in + signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) + +let sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign signing_key + message + context + randomness + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign signing_key + message + context + randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign signing_key + message + context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify verification_key_serialized + message + context + signature_serialized + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify verification_key_serialized + message + context + signature_serialized + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify verification_key_serialized + message + context + signature_serialized + +let verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify_pre_hashed_shake128 + verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fsti new file mode 100644 index 000000000..86e20ee9e --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fsti @@ -0,0 +1,44 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 2560)) + (verification_key: t_Array u8 (sz 1312)) + : Prims.Pure (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst new file mode 100644 index 000000000..22dde3f4a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst @@ -0,0 +1,223 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + = + let (signing_key, verification_key), hax_temp_output:((t_Array u8 (sz 4032) & t_Array u8 (sz 1952) + ) & + Prims.unit) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952))), () + <: + ((t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) & Prims.unit) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952))), () + <: + ((t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) & Prims.unit) + else + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952))), () + <: + ((t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) & Prims.unit) + in + signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) + +let sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign signing_key + message + context + randomness + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign signing_key + message + context + randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign signing_key + message + context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify verification_key_serialized + message + context + signature_serialized + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify verification_key_serialized + message + context + signature_serialized + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify verification_key_serialized + message + context + signature_serialized + +let verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify_pre_hashed_shake128 + verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fsti new file mode 100644 index 000000000..c19ae6a03 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fsti @@ -0,0 +1,44 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + : Prims.Pure (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst new file mode 100644 index 000000000..8427f42e6 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst @@ -0,0 +1,223 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4896)) + (verification_key: t_Array u8 (sz 2592)) + = + let (signing_key, verification_key), hax_temp_output:((t_Array u8 (sz 4896) & t_Array u8 (sz 2592) + ) & + Prims.unit) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592))), () + <: + ((t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) & Prims.unit) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592))), () + <: + ((t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) & Prims.unit) + else + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592))), () + <: + ((t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) & Prims.unit) + in + signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) + +let sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign signing_key + message + context + randomness + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign signing_key + message + context + randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign signing_key + message + context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify verification_key_serialized + message + context + signature_serialized + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify verification_key_serialized + message + context + signature_serialized + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify verification_key_serialized + message + context + signature_serialized + +let verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify_pre_hashed_shake128 + verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fsti new file mode 100644 index 000000000..d90ff6e68 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fsti @@ -0,0 +1,44 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4896)) + (verification_key: t_Array u8 (sz 2592)) + : Prims.Pure (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst index 43d3a2fb7..55181b452 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst @@ -48,20 +48,8 @@ let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_Domai Libcrux_ml_dsa.Types.t_VerificationError } -let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) = - if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN - then - Core.Result.Result_Err (DomainSeparationError_ContextTooLongError <: t_DomainSeparationError) - <: - Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError - else - Core.Result.Result_Ok - ({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext) - <: - Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError - [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: t_PreHash t_SHAKE128_PH (sz 256) = +let impl: t_PreHash t_SHAKE128_PH = { f_oid_pre = (fun (_: Prims.unit) -> true); f_oid_post = (fun (_: Prims.unit) (out: t_Array u8 (sz 11)) -> true); @@ -74,6 +62,7 @@ let impl: t_PreHash t_SHAKE128_PH (sz 256) = i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (message: t_Slice u8) + (output: t_Slice u8) -> true); f_hash_post @@ -84,7 +73,8 @@ let impl: t_PreHash t_SHAKE128_PH (sz 256) = i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (message: t_Slice u8) - (out: t_Array u8 (sz 256)) + (output: t_Slice u8) + (out: t_Slice u8) -> true); f_hash @@ -95,14 +85,34 @@ let impl: t_PreHash t_SHAKE128_PH (sz 256) = i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (message: t_Slice u8) + (output: t_Slice u8) -> - let output:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in - let output:t_Array u8 (sz 256) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len #u8 output, sz 256 <: (usize & usize) with + | left_val, right_val -> Hax_lib.v_assert (left_val =. right_val <: bool) + in + () + in + let output:t_Slice u8 = Libcrux_ml_dsa.Hash_functions.Shake128.f_shake128 #v_Shake128 #FStar.Tactics.Typeclasses.solve - (sz 256) message output in output } + +let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) = + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + Core.Result.Result_Err (DomainSeparationError_ContextTooLongError <: t_DomainSeparationError) + <: + Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError + else + Core.Result.Result_Ok + ({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext) + <: + Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti index c23391618..37b79c9e3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti @@ -29,7 +29,7 @@ type t_DomainSeparationError = | DomainSeparationError_ContextTooLongError : t_D val t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) -class t_PreHash (v_Self: Type0) (v_DIGEST_LEN: usize) = { +class t_PreHash (v_Self: Type0) = { f_oid_pre:Prims.unit -> Type0; f_oid_post:Prims.unit -> t_Array u8 (sz 11) -> Type0; f_oid:x0: Prims.unit @@ -37,21 +37,24 @@ class t_PreHash (v_Self: Type0) (v_DIGEST_LEN: usize) = { f_hash_pre: #v_Shake128: Type0 -> {| i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} -> + t_Slice u8 -> t_Slice u8 -> Type0; f_hash_post: #v_Shake128: Type0 -> {| i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} -> t_Slice u8 -> - t_Array u8 v_DIGEST_LEN + t_Slice u8 -> + t_Slice u8 -> Type0; f_hash: #v_Shake128: Type0 -> {| i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} -> - x0: t_Slice u8 - -> Prims.Pure (t_Array u8 v_DIGEST_LEN) - (f_hash_pre #v_Shake128 #i1 x0) - (fun result -> f_hash_post #v_Shake128 #i1 x0 result) + x0: t_Slice u8 -> + x1: t_Slice u8 + -> Prims.Pure (t_Slice u8) + (f_hash_pre #v_Shake128 #i1 x0 x1) + (fun result -> f_hash_post #v_Shake128 #i1 x0 x1 result) } /// An implementation of the pre-hash trait for the SHAKE-128 XOF with @@ -71,11 +74,11 @@ val impl_2:Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSepar [@@ FStar.Tactics.Typeclasses.tcinstance] val impl_3:Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl:t_PreHash t_SHAKE128_PH + /// `context` must be at most 255 bytes long. val impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) : Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError) Prims.l_True (fun _ -> Prims.l_True) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:t_PreHash t_SHAKE128_PH (sz 256) From 95e75ed0cb9907668b9f70c06b35a2c48ff0ce13 Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Tue, 7 Jan 2025 15:37:32 +0100 Subject: [PATCH 44/58] Fix multiplexing --- libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs index 97ee259d1..d297e0095 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/multiplexing.rs @@ -44,7 +44,7 @@ macro_rules! parameter_set { }; #[cfg(all(not(feature = "simd256"), feature = "acvp", feature = $feature))] - use instantiations::portable::{ + use instantiations::portable::$parameter_module::{ sign_internal as sign_internal_avx2, verify_internal as verify_internal_avx2, }; From b86414fd0f417dbbe7a0fc7af345eff47bdecc72 Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Tue, 7 Jan 2025 15:51:21 +0100 Subject: [PATCH 45/58] Disable error ring element sampling test on portable --- libcrux-ml-dsa/src/sample.rs | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index ef6553d2f..d8883de12 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -802,13 +802,13 @@ mod tests { >(); } - #[test] - fn test_sample_error_ring_element() { - test_sample_error_ring_element_generic::< - simd::portable::PortableSIMDUnit, - hash_functions::portable::Shake256X4, - >(); - } + // #[test] + // fn test_sample_error_ring_element() { + // test_sample_error_ring_element_generic::< + // simd::portable::PortableSIMDUnit, + // hash_functions::portable::Shake256X4, + // >(); + // } #[test] fn test_sample_challenge_ring_element() { From b895bda560d248ec1373c7ad6c27192090ff3311 Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Tue, 7 Jan 2025 16:13:56 +0100 Subject: [PATCH 46/58] Attempt to prevent buffer overflow in ML-KEM tests --- libcrux-sha3/src/lib.rs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs index b3b3b0a5c..45033ab98 100644 --- a/libcrux-sha3/src/lib.rs +++ b/libcrux-sha3/src/lib.rs @@ -319,7 +319,6 @@ pub mod portable { /// Shake256 XOF in absorb state impl Xof<136> for Shake256Xof { /// Shake256 new state - #[inline(always)] fn new() -> Self { Self { state: KeccakXofState::<1, 136, u64>::new(), @@ -327,19 +326,16 @@ pub mod portable { } /// Shake256 absorb - #[inline(always)] fn absorb(&mut self, input: &[u8]) { self.state.absorb([input]); } /// Shake256 absorb final - #[inline(always)] fn absorb_final(&mut self, input: &[u8]) { self.state.absorb_final::<0x1fu8>([input]); } /// Shake256 squeeze - #[inline(always)] fn squeeze(&mut self, out: &mut [u8]) { self.state.squeeze([out]); } From ec8b7f5f504ea7b080bfac3f304859f19c6b5266 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 8 Jan 2025 09:13:38 +0000 Subject: [PATCH 47/58] mldsa: drop const generic in Operations trait Eurydice can't handle associated types right now. So this changes it such that the Operations trait is implemented on top of a wrapper struct for the coefficients again. This requires the implementations of the trait to point into the struct again. But this is more self contained than propagating the generic type for the trait. I couldn't measure an impact on performance or stack size with this change --- libcrux-ml-dsa/src/constants.rs | 7 +- libcrux-ml-dsa/src/encoding/signature.rs | 1 + libcrux-ml-dsa/src/ml_dsa_generic.rs | 11 +-- libcrux-ml-dsa/src/polynomial.rs | 5 +- libcrux-ml-dsa/src/simd/avx2.rs | 95 ++++++++----------- libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 6 +- .../src/simd/avx2/encoding/error.rs | 1 + libcrux-ml-dsa/src/simd/avx2/invntt.rs | 81 ++++++++++------ libcrux-ml-dsa/src/simd/avx2/ntt.rs | 94 ++++++++++-------- libcrux-ml-dsa/src/simd/avx2/vector_type.rs | 18 ++-- libcrux-ml-dsa/src/simd/portable.rs | 20 ++-- .../src/simd/portable/arithmetic.rs | 72 +++++++------- .../src/simd/portable/encoding/commitment.rs | 4 +- .../src/simd/portable/encoding/error.rs | 42 ++++---- .../src/simd/portable/encoding/gamma1.rs | 16 ++-- .../src/simd/portable/encoding/t0.rs | 32 +++---- .../src/simd/portable/encoding/t1.rs | 10 +- libcrux-ml-dsa/src/simd/portable/invntt.rs | 72 +++++++------- libcrux-ml-dsa/src/simd/portable/ntt.rs | 72 +++++++------- .../src/simd/portable/vector_type.rs | 16 ++-- libcrux-ml-dsa/src/simd/traits.rs | 61 +++++------- 21 files changed, 368 insertions(+), 368 deletions(-) diff --git a/libcrux-ml-dsa/src/constants.rs b/libcrux-ml-dsa/src/constants.rs index e47f10840..e3f65b528 100644 --- a/libcrux-ml-dsa/src/constants.rs +++ b/libcrux-ml-dsa/src/constants.rs @@ -158,7 +158,12 @@ pub(crate) mod ml_dsa_87 { } pub(crate) const fn beta(ones_in_verifier_challenge: usize, eta: Eta) -> i32 { - (ones_in_verifier_challenge * (eta as usize)) as i32 + // [eurydice] can't handle conversion of enum into a usize + let eta_val: usize = match eta { + Eta::Two => 2, + Eta::Four => 4, + }; + (ones_in_verifier_challenge * eta_val) as i32 } pub(crate) const fn error_ring_element_size(bits_per_error_coefficient: usize) -> usize { diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index 316cba459..029d2758e 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -66,6 +66,7 @@ pub(crate) fn deserialize( out_signer_response: &mut [PolynomialRingElement], out_hint: &mut [[i32; COEFFICIENTS_IN_RING_ELEMENT]], ) -> Result<(), VerificationError> { + // [eurydice] generates an unused variable pointing to out_hint here. debug_assert!(serialized.len() == signature_size); let (commitment_hash, rest_of_serialized) = serialized.split_at(commitment_hash_size); diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 7bc1dcab2..bfae816f9 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -138,13 +138,6 @@ pub(crate) mod generic { domain_separation_context: Option, randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { - // FIXME: pass these in as enums instead - let eta = match ETA as u8 { - 2 => Eta::Two, - 4 => Eta::Four, - _ => unreachable!(), - }; - // Split the signing key into its parts. let (seed_for_a, remaining_serialized) = signing_key.split_at(SEED_FOR_A_SIZE); let (seed_for_signing, remaining_serialized) = @@ -163,13 +156,13 @@ pub(crate) mod generic { let mut t0_as_ntt = [PolynomialRingElement::zero(); ROWS_IN_A]; encoding::error::deserialize_to_vector_then_ntt::( - eta, + ETA, ERROR_RING_ELEMENT_SIZE, s1_serialized, &mut s1_as_ntt, ); encoding::error::deserialize_to_vector_then_ntt::( - eta, + ETA, ERROR_RING_ELEMENT_SIZE, s2_serialized, &mut s2_as_ntt, diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index b62a45c66..9c4b42372 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -5,7 +5,7 @@ use crate::{ #[derive(Clone, Copy)] pub(crate) struct PolynomialRingElement { - pub(crate) simd_units: [SIMDUnit::Coefficient; SIMD_UNITS_IN_RING_ELEMENT], + pub(crate) simd_units: [SIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], } impl PolynomialRingElement { @@ -15,8 +15,7 @@ impl PolynomialRingElement { } } - // This is useful for debugging. - // XXX: Used in `make_int` + // This is used in `make_int` and for tests pub(crate) fn to_i32_array(&self) -> [i32; 256] { let mut result = [0i32; 256]; diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 3739b5cde..12ff3e638 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -10,79 +10,68 @@ mod ntt; mod rejection_sample; mod vector_type; -pub(crate) use vector_type::{AVX2RingElement, AVX2SIMDUnit}; +pub(crate) use vector_type::{AVX2RingElement, Vec256 as AVX2SIMDUnit}; /// Implementing the [`Operations`] for AVX2. impl Operations for AVX2SIMDUnit { - type Coefficient = vector_type::Vec256; - #[inline(always)] - fn zero() -> Self::Coefficient { + fn zero() -> Self { vector_type::zero() } #[inline(always)] - fn from_coefficient_array(coefficient_array: &[i32], out: &mut Self::Coefficient) { + fn from_coefficient_array(coefficient_array: &[i32], out: &mut Self) { vector_type::from_coefficient_array(coefficient_array, out) } #[inline(always)] - fn to_coefficient_array(value: &Self::Coefficient, out: &mut [i32]) { + fn to_coefficient_array(value: &Self, out: &mut [i32]) { vector_type::to_coefficient_array(value, out) } #[inline(always)] - fn add(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient) { - arithmetic::add(lhs, rhs) + fn add(lhs: &mut Self, rhs: &Self) { + arithmetic::add(&mut lhs.value, &rhs.value) } #[inline(always)] - fn subtract(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient) { - arithmetic::subtract(lhs, rhs) + fn subtract(lhs: &mut Self, rhs: &Self) { + arithmetic::subtract(&mut lhs.value, &rhs.value) } #[inline(always)] - fn montgomery_multiply(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient) { - arithmetic::montgomery_multiply(lhs, rhs); + fn montgomery_multiply(lhs: &mut Self, rhs: &Self) { + arithmetic::montgomery_multiply(&mut lhs.value, &rhs.value); } #[inline(always)] - fn shift_left_then_reduce(simd_unit: &mut Self::Coefficient) { - arithmetic::shift_left_then_reduce::(simd_unit) + fn shift_left_then_reduce(simd_unit: &mut Self) { + arithmetic::shift_left_then_reduce::(&mut simd_unit.value) } #[inline(always)] - fn power2round(t0: &mut Self::Coefficient, t1: &mut Self::Coefficient) { - arithmetic::power2round(t0, t1); + fn power2round(t0: &mut Self, t1: &mut Self) { + arithmetic::power2round(&mut t0.value, &mut t1.value); } #[inline(always)] - fn infinity_norm_exceeds(simd_unit: &Self::Coefficient, bound: i32) -> bool { - arithmetic::infinity_norm_exceeds(simd_unit, bound) + fn infinity_norm_exceeds(simd_unit: &Self, bound: i32) -> bool { + arithmetic::infinity_norm_exceeds(&simd_unit.value, bound) } #[inline(always)] - fn decompose( - gamma2: Gamma2, - simd_unit: &Self::Coefficient, - low: &mut Self::Coefficient, - high: &mut Self::Coefficient, - ) { - arithmetic::decompose(gamma2, simd_unit, low, high); + fn decompose(gamma2: Gamma2, simd_unit: &Self, low: &mut Self, high: &mut Self) { + arithmetic::decompose(gamma2, &simd_unit.value, &mut low.value, &mut high.value); } #[inline(always)] - fn compute_hint( - low: &Self::Coefficient, - high: &Self::Coefficient, - hint: &mut Self::Coefficient, - ) -> usize { - arithmetic::compute_hint::(low, high, hint) + fn compute_hint(low: &Self, high: &Self, hint: &mut Self) -> usize { + arithmetic::compute_hint::(&low.value, &high.value, &mut hint.value) } #[inline(always)] - fn use_hint(gamma2: Gamma2, simd_unit: &Self::Coefficient, hint: &mut Self::Coefficient) { - arithmetic::use_hint(gamma2, simd_unit, hint); + fn use_hint(gamma2: Gamma2, simd_unit: &Self, hint: &mut Self) { + arithmetic::use_hint(gamma2, &simd_unit.value, &mut hint.value); } #[inline(always)] @@ -101,51 +90,47 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn gamma1_serialize( - simd_unit: &Self::Coefficient, - serialized: &mut [u8], - gamma1_exponent: usize, - ) { - encoding::gamma1::serialize(simd_unit, serialized, gamma1_exponent) + fn gamma1_serialize(simd_unit: &Self, serialized: &mut [u8], gamma1_exponent: usize) { + encoding::gamma1::serialize(&simd_unit.value, serialized, gamma1_exponent) } #[inline(always)] - fn gamma1_deserialize(serialized: &[u8], out: &mut Self::Coefficient, gamma1_exponent: usize) { - encoding::gamma1::deserialize(serialized, out, gamma1_exponent); + fn gamma1_deserialize(serialized: &[u8], out: &mut Self, gamma1_exponent: usize) { + encoding::gamma1::deserialize(serialized, &mut out.value, gamma1_exponent); } #[inline(always)] - fn commitment_serialize(simd_unit: &Self::Coefficient, serialized: &mut [u8]) { - encoding::commitment::serialize(simd_unit, serialized) + fn commitment_serialize(simd_unit: &Self, serialized: &mut [u8]) { + encoding::commitment::serialize(&simd_unit.value, serialized) } #[inline(always)] - fn error_serialize(eta: Eta, simd_unit: &Self::Coefficient, serialized: &mut [u8]) { - encoding::error::serialize(eta, simd_unit, serialized) + fn error_serialize(eta: Eta, simd_unit: &Self, serialized: &mut [u8]) { + encoding::error::serialize(eta, &simd_unit.value, serialized) } #[inline(always)] - fn error_deserialize(eta: Eta, serialized: &[u8], out: &mut Self::Coefficient) { - encoding::error::deserialize(eta, serialized, out); + fn error_deserialize(eta: Eta, serialized: &[u8], out: &mut Self) { + encoding::error::deserialize(eta, serialized, &mut out.value); } #[inline(always)] - fn t0_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]) { + fn t0_serialize(simd_unit: &Self, out: &mut [u8]) { // out len 13 - encoding::t0::serialize(simd_unit, out); + encoding::t0::serialize(&simd_unit.value, out); } #[inline(always)] - fn t0_deserialize(serialized: &[u8], out: &mut Self::Coefficient) { - encoding::t0::deserialize(serialized, out); + fn t0_deserialize(serialized: &[u8], out: &mut Self) { + encoding::t0::deserialize(serialized, &mut out.value); } #[inline(always)] - fn t1_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]) { - encoding::t1::serialize(simd_unit, out); + fn t1_serialize(simd_unit: &Self, out: &mut [u8]) { + encoding::t1::serialize(&simd_unit.value, out); } #[inline(always)] - fn t1_deserialize(serialized: &[u8], out: &mut Self::Coefficient) { - encoding::t1::deserialize(serialized, out); + fn t1_deserialize(serialized: &[u8], out: &mut Self) { + encoding::t1::deserialize(serialized, &mut out.value); } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index 22d8ed078..6aaeaf408 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -3,9 +3,9 @@ use crate::{ simd::traits::{FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R}, }; -use libcrux_intrinsics::avx2::*; +use libcrux_intrinsics::avx2::{mm256_setzero_si256, *}; -use super::{vector_type::zero, Gamma2}; +use super::Gamma2; #[inline(always)] fn to_unsigned_representatives_ret(t: &Vec256) -> Vec256 { @@ -209,7 +209,7 @@ pub(super) fn compute_hint( #[inline(always)] pub(super) fn use_hint(gamma2: Gamma2, r: &Vec256, hint: &mut Vec256) { - let (mut r0, mut r1) = (zero(), zero()); + let (mut r0, mut r1) = (mm256_setzero_si256(), mm256_setzero_si256()); decompose(gamma2, r, &mut r0, &mut r1); let all_zeros = mm256_setzero_si256(); diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs index e66e75b83..b2d3faec0 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs @@ -69,6 +69,7 @@ fn serialize_when_eta_is_4(simd_unit: &Vec256, out: &mut [u8]) { #[inline(always)] pub fn serialize(eta: Eta, simd_unit: &Vec256, serialized: &mut [u8]) { + // [eurydice] injects an unused variable here in the C code for some reason. match eta { Eta::Two => serialize_when_eta_is_2(simd_unit, serialized), Eta::Four => serialize_when_eta_is_4(simd_unit, serialized), diff --git a/libcrux-ml-dsa/src/simd/avx2/invntt.rs b/libcrux-ml-dsa/src/simd/avx2/invntt.rs index bb15d5ac6..7c46fb206 100644 --- a/libcrux-ml-dsa/src/simd/avx2/invntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/invntt.rs @@ -1,5 +1,5 @@ use super::{arithmetic, AVX2RingElement}; -use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; +use crate::simd::{avx2::AVX2SIMDUnit, traits::COEFFICIENTS_IN_SIMD_UNIT}; use libcrux_intrinsics::avx2::*; @@ -25,7 +25,9 @@ pub(crate) fn invert_ntt_montgomery(re: &mut AVX2RingElement) { // - Divide the elements by 256 and // - Convert the elements form montgomery domain to the standard domain. const FACTOR: i32 = 41_978; - re[i] = arithmetic::montgomery_multiply_by_constant(re[i], FACTOR); + re[i] = AVX2SIMDUnit { + value: arithmetic::montgomery_multiply_by_constant(re[i].value, FACTOR), + }; } // [hax] https://github.com/hacspec/hax/issues/720 @@ -47,7 +49,7 @@ fn simd_unit_invert_ntt_at_layer_0( zeta11: i32, zeta12: i32, zeta13: i32, -) -> (Vec256, Vec256) { +) -> (AVX2SIMDUnit, AVX2SIMDUnit) { const SHUFFLE: i32 = 0b11_01_10_00; let a_shuffled = mm256_shuffle_epi32::(simd_unit0); let b_shuffled = mm256_shuffle_epi32::(simd_unit1); @@ -68,8 +70,12 @@ fn simd_unit_invert_ntt_at_layer_0( let a_shuffled = mm256_unpacklo_epi64(sums, differences); let b_shuffled = mm256_unpackhi_epi64(sums, differences); - let a = mm256_shuffle_epi32::(a_shuffled); - let b = mm256_shuffle_epi32::(b_shuffled); + let a = AVX2SIMDUnit { + value: mm256_shuffle_epi32::(a_shuffled), + }; + let b = AVX2SIMDUnit { + value: mm256_shuffle_epi32::(b_shuffled), + }; (a, b) } @@ -82,7 +88,7 @@ fn simd_unit_invert_ntt_at_layer_1( zeta01: i32, zeta10: i32, zeta11: i32, -) -> (Vec256, Vec256) { +) -> (AVX2SIMDUnit, AVX2SIMDUnit) { let mut lo_values = mm256_unpacklo_epi64(simd_unit0, simd_unit1); let hi_values = mm256_unpackhi_epi64(simd_unit0, simd_unit1); @@ -96,8 +102,12 @@ fn simd_unit_invert_ntt_at_layer_1( ); arithmetic::montgomery_multiply(&mut differences, &zetas); - let a = mm256_unpacklo_epi64(sums, differences); - let b = mm256_unpackhi_epi64(sums, differences); + let a = AVX2SIMDUnit { + value: mm256_unpacklo_epi64(sums, differences), + }; + let b = AVX2SIMDUnit { + value: mm256_unpackhi_epi64(sums, differences), + }; (a, b) } @@ -108,7 +118,7 @@ fn simd_unit_invert_ntt_at_layer_2( simd_unit1: Vec256, zeta0: i32, zeta1: i32, -) -> (Vec256, Vec256) { +) -> (AVX2SIMDUnit, AVX2SIMDUnit) { let mut lo_values = mm256_permute2x128_si256::<0x20>(simd_unit0, simd_unit1); let hi_values = mm256_permute2x128_si256::<0x31>(simd_unit0, simd_unit1); @@ -120,18 +130,22 @@ fn simd_unit_invert_ntt_at_layer_2( let zetas = mm256_set_epi32(zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); arithmetic::montgomery_multiply(&mut differences, &zetas); - let a = mm256_permute2x128_si256::<0x20>(sums, differences); - let b = mm256_permute2x128_si256::<0x31>(sums, differences); + let a = AVX2SIMDUnit { + value: mm256_permute2x128_si256::<0x20>(sums, differences), + }; + let b = AVX2SIMDUnit { + value: mm256_permute2x128_si256::<0x31>(sums, differences), + }; (a, b) } #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -unsafe fn invert_ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn invert_ntt_at_layer_0(re: &mut AVX2RingElement) { #[inline(always)] fn round( - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut AVX2RingElement, index: usize, zeta00: i32, zeta01: i32, @@ -143,8 +157,8 @@ unsafe fn invert_ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { zeta13: i32, ) { (re[index], re[index + 1]) = simd_unit_invert_ntt_at_layer_0( - re[index], - re[index + 1], + re[index].value, + re[index + 1].value, zeta00, zeta01, zeta02, @@ -208,10 +222,10 @@ unsafe fn invert_ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[allow(unsafe_code)] #[cfg_attr(not(hax), target_feature(enable = "avx2"))] -unsafe fn invert_ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn invert_ntt_at_layer_1(re: &mut AVX2RingElement) { #[inline(always)] fn round( - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut AVX2RingElement, index: usize, zeta_00: i32, zeta_01: i32, @@ -219,8 +233,8 @@ unsafe fn invert_ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { zeta_11: i32, ) { (re[index], re[index + 1]) = simd_unit_invert_ntt_at_layer_1( - re[index], - re[index + 1], + re[index].value, + re[index + 1].value, zeta_00, zeta_01, zeta_10, @@ -248,11 +262,11 @@ unsafe fn invert_ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -unsafe fn invert_ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn invert_ntt_at_layer_2(re: &mut AVX2RingElement) { #[inline(always)] - fn round(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], index: usize, zeta1: i32, zeta2: i32) { + fn round(re: &mut AVX2RingElement, index: usize, zeta1: i32, zeta2: i32) { (re[index], re[index + 1]) = - simd_unit_invert_ntt_at_layer_2(re[index], re[index + 1], zeta1, zeta2); + simd_unit_invert_ntt_at_layer_2(re[index].value, re[index + 1].value, zeta1, zeta2); } round(re, 0, -2797779, 2071892); @@ -275,12 +289,17 @@ unsafe fn invert_ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[inline(always)] fn outer_3_plus( - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut AVX2RingElement, ) { for j in OFFSET..OFFSET + STEP_BY { - let a_minus_b = mm256_sub_epi32(re[j + STEP_BY], re[j]); - re[j] = mm256_add_epi32(re[j], re[j + STEP_BY]); - re[j + STEP_BY] = arithmetic::montgomery_multiply_by_constant(a_minus_b, ZETA); + let a_minus_b = mm256_sub_epi32(re[j + STEP_BY].value, re[j].value); + re[j] = AVX2SIMDUnit { + value: mm256_add_epi32(re[j].value, re[j + STEP_BY].value), + }; + re[j + STEP_BY] = AVX2SIMDUnit { + value: arithmetic::montgomery_multiply_by_constant(a_minus_b + , ZETA), + }; } // [hax] https://github.com/hacspec/hax/issues/720 @@ -289,7 +308,7 @@ fn outer_3_plus( #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -unsafe fn invert_ntt_at_layer_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn invert_ntt_at_layer_3(re: &mut AVX2RingElement) { const STEP: usize = 8; // 1 << LAYER; const STEP_BY: usize = 1; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -313,7 +332,7 @@ unsafe fn invert_ntt_at_layer_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -unsafe fn invert_ntt_at_layer_4(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn invert_ntt_at_layer_4(re: &mut AVX2RingElement) { const STEP: usize = 16; // 1 << LAYER; const STEP_BY: usize = 2; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -329,7 +348,7 @@ unsafe fn invert_ntt_at_layer_4(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -unsafe fn invert_ntt_at_layer_5(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn invert_ntt_at_layer_5(re: &mut AVX2RingElement) { const STEP: usize = 32; // 1 << LAYER; const STEP_BY: usize = 4; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -341,7 +360,7 @@ unsafe fn invert_ntt_at_layer_5(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -unsafe fn invert_ntt_at_layer_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn invert_ntt_at_layer_6(re: &mut AVX2RingElement) { const STEP: usize = 64; // 1 << LAYER; const STEP_BY: usize = 8; // step / COEFFICIENTS_IN_SIMD_UNIT; @@ -351,7 +370,7 @@ unsafe fn invert_ntt_at_layer_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -unsafe fn invert_ntt_at_layer_7(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn invert_ntt_at_layer_7(re: &mut AVX2RingElement) { const STEP: usize = 128; // 1 << LAYER; const STEP_BY: usize = 16; // step / COEFFICIENTS_IN_SIMD_UNIT; diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index 03aa24059..0f0306642 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -1,11 +1,11 @@ -use super::{arithmetic, AVX2RingElement}; -use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; +use super::{arithmetic, AVX2RingElement, AVX2SIMDUnit}; +use crate::simd::traits::COEFFICIENTS_IN_SIMD_UNIT; use libcrux_intrinsics::avx2::*; #[inline(always)] fn butterfly_2( - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut AVX2RingElement, index: usize, zeta_a0: i32, zeta_a1: i32, @@ -24,8 +24,8 @@ fn butterfly_2( // a_shuffled = ( a7, a5, a6, a4, a3, a1, a2, a0) // b_shuffled = ( b7, b5, b6, b4, b3, b1, b2, b0) const SHUFFLE: i32 = 0b11_01_10_00; - let a = mm256_shuffle_epi32::(re[index]); - let b = mm256_shuffle_epi32::(re[index + 1]); + let a = mm256_shuffle_epi32::(re[index].value); + let b = mm256_shuffle_epi32::(re[index + 1].value); // Now we can use the same approach as for `butterfly_4`, only // zetas need to be adjusted. @@ -44,22 +44,26 @@ fn butterfly_2( let b_terms_shuffled = mm256_unpackhi_epi64(add_terms, sub_terms); // Here, we undo the initial shuffle (it's self-inverse). - re[index] = mm256_shuffle_epi32::(a_terms_shuffled); - re[index + 1] = mm256_shuffle_epi32::(b_terms_shuffled); + re[index] = AVX2SIMDUnit { + value: mm256_shuffle_epi32::(a_terms_shuffled), + }; + re[index + 1] = AVX2SIMDUnit { + value: mm256_shuffle_epi32::(b_terms_shuffled), + }; } // Compute (a,b) ↦ (a + ζb, a - ζb) at layer 1 for 2 SIMD Units in one go. #[inline(always)] fn butterfly_4( - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut AVX2RingElement, index: usize, zeta_a0: i32, zeta_a1: i32, zeta_b0: i32, zeta_b1: i32, ) { - let summands = mm256_unpacklo_epi64(re[index], re[index + 1]); - let mut zeta_products = mm256_unpackhi_epi64(re[index], re[index + 1]); + let summands = mm256_unpacklo_epi64(re[index].value, re[index + 1].value); + let mut zeta_products = mm256_unpackhi_epi64(re[index].value, re[index + 1].value); let zetas = mm256_set_epi32( zeta_b1, zeta_b1, zeta_a1, zeta_a1, zeta_b0, zeta_b0, zeta_a0, zeta_a0, @@ -71,23 +75,23 @@ fn butterfly_4( // Results are shuffled across the two SIMD registers. // We need to bring them in the right order. - re[index] = mm256_unpacklo_epi64(add_terms, sub_terms); - re[index + 1] = mm256_unpackhi_epi64(add_terms, sub_terms); + re[index] = AVX2SIMDUnit { + value: mm256_unpacklo_epi64(add_terms, sub_terms), + }; + re[index + 1] = AVX2SIMDUnit { + value: mm256_unpackhi_epi64(add_terms, sub_terms), + }; } // Compute (a,b) ↦ (a + ζb, a - ζb) at layer 2 for 2 SIMD Units in one go. #[inline(always)] -fn butterfly_8( - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], - index: usize, - zeta0: i32, - zeta1: i32, -) { +fn butterfly_8(re: &mut AVX2RingElement, index: usize, zeta0: i32, zeta1: i32) { let summands = mm256_set_m128i( - mm256_castsi256_si128(re[index + 1]), - mm256_castsi256_si128(re[index]), + mm256_castsi256_si128(re[index + 1].value), + mm256_castsi256_si128(re[index].value), ); - let mut zeta_products = mm256_permute2x128_si256::<0b0001_0011>(re[index + 1], re[index]); + let mut zeta_products = + mm256_permute2x128_si256::<0b0001_0011>(re[index + 1].value, re[index].value); let zetas = mm256_set_epi32(zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); arithmetic::montgomery_multiply(&mut zeta_products, &zetas); @@ -95,16 +99,20 @@ fn butterfly_8( let sub_terms = mm256_sub_epi32(summands, zeta_products); let add_terms = mm256_add_epi32(summands, zeta_products); - re[index] = mm256_set_m128i( - mm256_castsi256_si128(sub_terms), - mm256_castsi256_si128(add_terms), - ); - re[index + 1] = mm256_permute2x128_si256::<0b0001_0011>(sub_terms, add_terms); + re[index] = AVX2SIMDUnit { + value: mm256_set_m128i( + mm256_castsi256_si128(sub_terms), + mm256_castsi256_si128(add_terms), + ), + }; + re[index + 1] = AVX2SIMDUnit { + value: mm256_permute2x128_si256::<0b0001_0011>(sub_terms, add_terms), + }; } #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn ntt_at_layer_0(re: &mut AVX2RingElement) { butterfly_2( re, 0, 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462, ); @@ -157,7 +165,7 @@ unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -unsafe fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn ntt_at_layer_1(re: &mut AVX2RingElement) { butterfly_4(re, 0, -3930395, -1528703, -3677745, -3041255); butterfly_4(re, 2, -1452451, 3475950, 2176455, -1585221); butterfly_4(re, 4, -1257611, 1939314, -4083598, -1000202); @@ -178,7 +186,7 @@ unsafe fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -unsafe fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn ntt_at_layer_2(re: &mut AVX2RingElement) { butterfly_8(re, 0, 2706023, 95776); butterfly_8(re, 2, 3077325, 3530437); butterfly_8(re, 4, -1661693, -3592148); @@ -203,24 +211,24 @@ unsafe fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { /// This is the same as in pqclean. The only difference is locality of registers. #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn ntt_at_layer_7_and_6(re: &mut AVX2RingElement) { let field_modulus = mm256_set1_epi32(crate::simd::traits::FIELD_MODULUS); let inverse_of_modulus_mod_montgomery_r = mm256_set1_epi32(crate::simd::traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32); #[inline(always)] fn mul( - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut AVX2RingElement, index: usize, zeta: Vec256, step_by: usize, field_modulus: Vec256, inverse_of_modulus_mod_montgomery_r: Vec256, ) { - let prod02 = mm256_mul_epi32(re[index + step_by], zeta); + let prod02 = mm256_mul_epi32(re[index + step_by].value, zeta); let prod13 = mm256_mul_epi32( - mm256_shuffle_epi32::<0b11_11_01_01>(re[index + step_by]), // 0xF5 - mm256_shuffle_epi32::<0b11_11_01_01>(zeta), // 0xF5 + mm256_shuffle_epi32::<0b11_11_01_01>(re[index + step_by].value), // 0xF5 + mm256_shuffle_epi32::<0b11_11_01_01>(zeta), // 0xF5 ); let k02 = mm256_mul_epi32(prod02, inverse_of_modulus_mod_montgomery_r); let k13 = mm256_mul_epi32(prod13, inverse_of_modulus_mod_montgomery_r); @@ -234,8 +242,8 @@ unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { let t = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); // 0xAA re[index + step_by] = re[index]; - arithmetic::subtract(&mut re[index + step_by], &t); - arithmetic::add(&mut re[index], &t); + arithmetic::subtract(&mut re[index + step_by].value, &t); + arithmetic::add(&mut re[index].value, &t); } macro_rules! layer { @@ -299,10 +307,10 @@ unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { /// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48) #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { +unsafe fn ntt_at_layer_5_to_3(re: &mut AVX2RingElement) { #[inline(always)] fn round( - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + re: &mut AVX2RingElement, index: usize, zeta: i32, ) { @@ -310,11 +318,13 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { let offset = (index * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT; for j in offset..offset + STEP_BY { - arithmetic::montgomery_multiply(&mut re[j + STEP_BY], &rhs); + arithmetic::montgomery_multiply(&mut re[j + STEP_BY].value, &rhs); - let tmp = mm256_sub_epi32(re[j], re[j + STEP_BY]); - re[j] = mm256_add_epi32(re[j], re[j + STEP_BY]); - re[j + STEP_BY] = tmp; + let tmp = mm256_sub_epi32(re[j].value, re[j + STEP_BY].value); + re[j] = AVX2SIMDUnit { + value: mm256_add_epi32(re[j].value, re[j + STEP_BY].value), + }; + re[j + STEP_BY] = AVX2SIMDUnit { value: tmp }; } // [hax] https://github.com/hacspec/hax/issues/720 diff --git a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs index 1016ce22b..783540aca 100644 --- a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs +++ b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs @@ -1,25 +1,27 @@ -/// An empty type to implement the SIMD operations on -#[derive(Clone, Copy)] -pub struct AVX2SIMDUnit {} - /// The vector type -pub(crate) type Vec256 = libcrux_intrinsics::avx2::Vec256; +#[derive(Clone, Copy)] +#[repr(transparent)] +pub(crate) struct Vec256 { + pub(super) value: libcrux_intrinsics::avx2::Vec256, +} /// An avx2 encoded ring element pub(crate) type AVX2RingElement = [Vec256; super::SIMD_UNITS_IN_RING_ELEMENT]; /// Create an all-zero vector coefficient pub(crate) fn zero() -> Vec256 { - libcrux_intrinsics::avx2::mm256_setzero_si256() + Vec256 { + value: libcrux_intrinsics::avx2::mm256_setzero_si256(), + } } /// Create a coefficient from an `i32` array pub(crate) fn from_coefficient_array(coefficient_array: &[i32], out: &mut Vec256) { - *out = libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array) + out.value = libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array) } /// Write out the coefficient to an `i32` array #[inline(always)] pub(crate) fn to_coefficient_array(value: &Vec256, out: &mut [i32]) { - libcrux_intrinsics::avx2::mm256_storeu_si256_i32(out, *value); + libcrux_intrinsics::avx2::mm256_storeu_si256_i32(out, value.value); } diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 1f917c084..9e90bd026 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -12,12 +12,11 @@ mod invntt; mod ntt; mod sample; +/// Portable SIMD coefficients +pub(crate) use vector_type::Coefficients as PortableSIMDUnit; use vector_type::Coefficients; -pub(crate) use vector_type::PortableSIMDUnit; - -impl Operations for PortableSIMDUnit { - type Coefficient = Coefficients; +impl Operations for Coefficients { fn zero() -> Coefficients { vector_type::zero() } @@ -54,19 +53,14 @@ impl Operations for PortableSIMDUnit { arithmetic::infinity_norm_exceeds(simd_unit, bound) } - fn decompose( - gamma2: Gamma2, - simd_unit: &Self::Coefficient, - low: &mut Self::Coefficient, - high: &mut Self::Coefficient, - ) { + fn decompose(gamma2: Gamma2, simd_unit: &Self, low: &mut Self, high: &mut Self) { arithmetic::decompose(gamma2, simd_unit, low, high) } fn compute_hint( low: &Coefficients, high: &Coefficients, - hint: &mut Self::Coefficient, + hint: &mut Self, ) -> usize { arithmetic::compute_hint::(low, high, hint) } @@ -115,11 +109,11 @@ impl Operations for PortableSIMDUnit { encoding::t0::deserialize(serialized, out) } - fn t1_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]) { + fn t1_serialize(simd_unit: &Self, out: &mut [u8]) { encoding::t1::serialize(simd_unit, out); } - fn t1_deserialize(serialized: &[u8], out: &mut Self::Coefficient) { + fn t1_deserialize(serialized: &[u8], out: &mut Self) { encoding::t1::deserialize(serialized, out); } diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index eb4a0434e..e2d2eb788 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -1,7 +1,6 @@ use super::vector_type::{Coefficients, FieldElement}; use crate::{ constants::{Gamma2, BITS_IN_LOWER_PART_OF_T, GAMMA2_V261_888, GAMMA2_V95_232}, - helper::cloop, simd::traits::{ FieldElementTimesMontgomeryR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, }, @@ -11,8 +10,8 @@ pub(crate) const MONTGOMERY_SHIFT: u8 = 32; #[inline(always)] pub fn add(lhs: &mut Coefficients, rhs: &Coefficients) { - for i in 0..lhs.len() { - lhs[i] += rhs[i]; + for i in 0..lhs.values.len() { + lhs.values[i] += rhs.values[i]; } // [hax] https://github.com/hacspec/hax/issues/720 @@ -21,8 +20,8 @@ pub fn add(lhs: &mut Coefficients, rhs: &Coefficients) { #[inline(always)] pub fn subtract(lhs: &mut Coefficients, rhs: &Coefficients) { - for i in 0..lhs.len() { - lhs[i] -= rhs[i]; + for i in 0..lhs.values.len() { + lhs.values[i] -= rhs.values[i]; } // [hax] https://github.com/hacspec/hax/issues/720 @@ -58,8 +57,8 @@ pub(crate) fn montgomery_multiply_fe_by_fer( #[inline(always)] pub(crate) fn montgomery_multiply_by_constant(simd_unit: &mut Coefficients, c: i32) { - for i in 0..simd_unit.len() { - simd_unit[i] = montgomery_reduce_element((simd_unit[i] as i64) * (c as i64)) + for i in 0..simd_unit.values.len() { + simd_unit.values[i] = montgomery_reduce_element((simd_unit.values[i] as i64) * (c as i64)) } // [hax] https://github.com/hacspec/hax/issues/720 @@ -68,8 +67,8 @@ pub(crate) fn montgomery_multiply_by_constant(simd_unit: &mut Coefficients, c: i #[inline(always)] pub(crate) fn montgomery_multiply(lhs: &mut Coefficients, rhs: &Coefficients) { - for i in 0..lhs.len() { - lhs[i] = montgomery_reduce_element((lhs[i] as i64) * (rhs[i] as i64)) + for i in 0..lhs.values.len() { + lhs.values[i] = montgomery_reduce_element((lhs.values[i] as i64) * (rhs.values[i] as i64)) } // [hax] https://github.com/hacspec/hax/issues/720 @@ -105,8 +104,8 @@ fn power2round_element(t: i32) -> (i32, i32) { #[inline(always)] pub(super) fn power2round(t0: &mut Coefficients, t1: &mut Coefficients) { - for i in 0..t0.len() { - (t0[i], t1[i]) = power2round_element(t0[i]); + for i in 0..t0.values.len() { + (t0.values[i], t1.values[i]) = power2round_element(t0.values[i]); } // [hax] https://github.com/hacspec/hax/issues/720 @@ -121,23 +120,22 @@ pub(super) fn infinity_norm_exceeds(simd_unit: &Coefficients, bound: i32) -> boo // It is ok to leak which coefficient violates the bound since // the probability for each coefficient is independent of secret // data but we must not leak the sign of the centralized representative. - cloop! { - for coefficient in simd_unit.iter() { - debug_assert!(*coefficient > -FIELD_MODULUS && *coefficient < FIELD_MODULUS); - // This norm is calculated using the absolute value of the - // signed representative in the range: - // - // -FIELD_MODULUS / 2 < r <= FIELD_MODULUS / 2. - // - // So if the coefficient is negative, get its absolute value, but - // don't convert it into a different representation. - let sign = coefficient >> 31; - let normalized = coefficient - (sign & (2 * coefficient)); - - // FIXME: return - // [hax] https://github.com/hacspec/hax/issues/1204 - result = result ||normalized >= bound; - } + for i in 0..simd_unit.values.len() { + let coefficient = simd_unit.values[i]; + debug_assert!(coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS); + // This norm is calculated using the absolute value of the + // signed representative in the range: + // + // -FIELD_MODULUS / 2 < r <= FIELD_MODULUS / 2. + // + // So if the coefficient is negative, get its absolute value, but + // don't convert it into a different representation. + let sign = coefficient >> 31; + let normalized = coefficient - (sign & (2 * coefficient)); + + // FIXME: return + // [hax] https://github.com/hacspec/hax/issues/1204 + result = result || normalized >= bound; } result @@ -152,8 +150,8 @@ fn reduce_element(fe: FieldElement) -> FieldElement { #[inline(always)] pub(super) fn shift_left_then_reduce(simd_unit: &mut Coefficients) { - for i in 0..simd_unit.len() { - simd_unit[i] = reduce_element(simd_unit[i] << SHIFT_BY); + for i in 0..simd_unit.values.len() { + simd_unit.values[i] = reduce_element(simd_unit.values[i] << SHIFT_BY); } // [hax] https://github.com/hacspec/hax/issues/720 @@ -177,9 +175,9 @@ pub(super) fn compute_hint( ) -> usize { let mut one_hints_count = 0; - for i in 0..hint.len() { - hint[i] = compute_one_hint::(low[i], high[i]); - one_hints_count += hint[i] as usize; + for i in 0..hint.values.len() { + hint.values[i] = compute_one_hint::(low.values[i], high.values[i]); + one_hints_count += hint.values[i] as usize; } one_hints_count @@ -285,8 +283,8 @@ pub fn decompose( low: &mut Coefficients, high: &mut Coefficients, ) { - for i in 0..low.len() { - (low[i], high[i]) = decompose_element(gamma2, simd_unit[i]); + for i in 0..low.values.len() { + (low.values[i], high.values[i]) = decompose_element(gamma2, simd_unit.values[i]); } // [hax] https://github.com/hacspec/hax/issues/720 @@ -295,8 +293,8 @@ pub fn decompose( #[inline(always)] pub fn use_hint(gamma2: Gamma2, simd_unit: &Coefficients, hint: &mut Coefficients) { - for i in 0..hint.len() { - hint[i] = use_one_hint(gamma2, simd_unit[i], hint[i]); + for i in 0..hint.values.len() { + hint.values[i] = use_one_hint(gamma2, simd_unit.values[i], hint.values[i]); } // [hax] https://github.com/hacspec/hax/issues/720 diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs index b65111ae8..874c5bf42 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs @@ -7,7 +7,7 @@ pub fn serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { // The commitment has coefficients in [0,15] => each coefficient occupies // 4 bits. cloop! { - for (i, coefficients) in simd_unit.chunks_exact(2).enumerate() { + for (i, coefficients) in simd_unit.values.chunks_exact(2).enumerate() { let coefficient0 = coefficients[0] as u8; let coefficient1 = coefficients[1] as u8; @@ -21,7 +21,7 @@ pub fn serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { // The commitment has coefficients in [0,43] => each coefficient occupies // 6 bits. cloop! { - for (i, coefficients) in simd_unit.chunks_exact(4).enumerate() { + for (i, coefficients) in simd_unit.values.chunks_exact(4).enumerate() { let coefficient0 = coefficients[0] as u8; let coefficient1 = coefficients[1] as u8; let coefficient2 = coefficients[2] as u8; diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index fe370913c..c83d82895 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -6,14 +6,14 @@ fn serialize_when_eta_is_2(simd_unit: &Coefficients, serialized: &mut [u8]) { const ETA: i32 = 2; - let coefficient0 = (ETA - simd_unit[0]) as u8; - let coefficient1 = (ETA - simd_unit[1]) as u8; - let coefficient2 = (ETA - simd_unit[2]) as u8; - let coefficient3 = (ETA - simd_unit[3]) as u8; - let coefficient4 = (ETA - simd_unit[4]) as u8; - let coefficient5 = (ETA - simd_unit[5]) as u8; - let coefficient6 = (ETA - simd_unit[6]) as u8; - let coefficient7 = (ETA - simd_unit[7]) as u8; + let coefficient0 = (ETA - simd_unit.values[0]) as u8; + let coefficient1 = (ETA - simd_unit.values[1]) as u8; + let coefficient2 = (ETA - simd_unit.values[2]) as u8; + let coefficient3 = (ETA - simd_unit.values[3]) as u8; + let coefficient4 = (ETA - simd_unit.values[4]) as u8; + let coefficient5 = (ETA - simd_unit.values[5]) as u8; + let coefficient6 = (ETA - simd_unit.values[6]) as u8; + let coefficient7 = (ETA - simd_unit.values[7]) as u8; serialized[0] = (coefficient2 << 6) | (coefficient1 << 3) | coefficient0; serialized[1] = @@ -26,7 +26,7 @@ fn serialize_when_eta_is_4(simd_unit: &Coefficients, serialized: &mut [u8]) { const ETA: i32 = 4; cloop! { - for (i, coefficients) in simd_unit.chunks_exact(2).enumerate() { + for (i, coefficients) in simd_unit.values.chunks_exact(2).enumerate() { let coefficient0 = (ETA - coefficients[0]) as u8; let coefficient1 = (ETA - coefficients[1]) as u8; @@ -40,6 +40,8 @@ fn serialize_when_eta_is_4(simd_unit: &Coefficients, serialized: &mut [u8]) { #[inline(always)] pub(crate) fn serialize(eta: Eta, simd_unit: &Coefficients, serialized: &mut [u8]) { + // [eurydice] injects an unused variable here in the C code for some reason. + // That's why we don't match here. match eta { Eta::Two => serialize_when_eta_is_2(simd_unit, serialized), Eta::Four => serialize_when_eta_is_4(simd_unit, serialized), @@ -56,14 +58,14 @@ fn deserialize_when_eta_is_2(serialized: &[u8], simd_unit: &mut Coefficients) { let byte1 = serialized[1] as i32; let byte2 = serialized[2] as i32; - simd_unit[0] = ETA - (byte0 & 7); - simd_unit[1] = ETA - ((byte0 >> 3) & 7); - simd_unit[2] = ETA - (((byte0 >> 6) | (byte1 << 2)) & 7); - simd_unit[3] = ETA - ((byte1 >> 1) & 7); - simd_unit[4] = ETA - ((byte1 >> 4) & 7); - simd_unit[5] = ETA - (((byte1 >> 7) | (byte2 << 1)) & 7); - simd_unit[6] = ETA - ((byte2 >> 2) & 7); - simd_unit[7] = ETA - ((byte2 >> 5) & 7); + simd_unit.values[0] = ETA - (byte0 & 7); + simd_unit.values[1] = ETA - ((byte0 >> 3) & 7); + simd_unit.values[2] = ETA - (((byte0 >> 6) | (byte1 << 2)) & 7); + simd_unit.values[3] = ETA - ((byte1 >> 1) & 7); + simd_unit.values[4] = ETA - ((byte1 >> 4) & 7); + simd_unit.values[5] = ETA - (((byte1 >> 7) | (byte2 << 1)) & 7); + simd_unit.values[6] = ETA - ((byte2 >> 2) & 7); + simd_unit.values[7] = ETA - ((byte2 >> 5) & 7); } #[inline(always)] @@ -74,8 +76,8 @@ fn deserialize_when_eta_is_4(serialized: &[u8], simd_units: &mut Coefficients) { cloop! { for (i, byte) in serialized.iter().enumerate() { - simd_units[2 * i] = ETA - ((byte & 0xF) as i32); - simd_units[2 * i + 1] = ETA - ((byte >> 4) as i32); + simd_units.values[2 * i] = ETA - ((byte & 0xF) as i32); + simd_units.values[2 * i + 1] = ETA - ((byte >> 4) as i32); } } @@ -84,6 +86,8 @@ fn deserialize_when_eta_is_4(serialized: &[u8], simd_units: &mut Coefficients) { } #[inline(always)] pub(crate) fn deserialize(eta: Eta, serialized: &[u8], out: &mut Coefficients) { + // [eurydice] injects an unused variable here in the C code for some reason. + // That's why we don't match here. match eta { Eta::Two => deserialize_when_eta_is_2(serialized, out), Eta::Four => deserialize_when_eta_is_4(serialized, out), diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs index b0eaa4c17..520c8adfa 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs @@ -5,7 +5,7 @@ fn serialize_when_gamma1_is_2_pow_17(simd_unit: &Coefficients, serialized: &mut const GAMMA1: i32 = 1 << 17; cloop! { - for (i, coefficients) in simd_unit.chunks_exact(4).enumerate() { + for (i, coefficients) in simd_unit.values.chunks_exact(4).enumerate() { let coefficient0 = GAMMA1 - coefficients[0]; let coefficient1 = GAMMA1 - coefficients[1]; let coefficient2 = GAMMA1 - coefficients[2]; @@ -41,7 +41,7 @@ fn serialize_when_gamma1_is_2_pow_19(simd_unit: &Coefficients, serialized: &mut const GAMMA1: i32 = 1 << 19; cloop! { - for (i, coefficients) in simd_unit.chunks_exact(2).enumerate() { + for (i, coefficients) in simd_unit.values.chunks_exact(2).enumerate() { let coefficient0 = GAMMA1 - coefficients[0]; let coefficient1 = GAMMA1 - coefficients[1]; @@ -100,10 +100,10 @@ fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8], simd_unit: &mut Coeffi coefficient3 |= (bytes[8] as i32) << 10; coefficient3 &= GAMMA1_TIMES_2_BITMASK; - simd_unit[4 * i] = GAMMA1 - coefficient0; - simd_unit[4 * i + 1] = GAMMA1 - coefficient1; - simd_unit[4 * i + 2] = GAMMA1 - coefficient2; - simd_unit[4 * i + 3] = GAMMA1 - coefficient3; + simd_unit.values[4 * i] = GAMMA1 - coefficient0; + simd_unit.values[4 * i + 1] = GAMMA1 - coefficient1; + simd_unit.values[4 * i + 2] = GAMMA1 - coefficient2; + simd_unit.values[4 * i + 3] = GAMMA1 - coefficient3; } } @@ -131,8 +131,8 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8], simd_unit: &mut Coeffi coefficient1 |= (bytes[3] as i32) << 4; coefficient1 |= (bytes[4] as i32) << 12; - simd_unit[2 * i] = GAMMA1 - coefficient0; - simd_unit[2 * i + 1] = GAMMA1 - coefficient1; + simd_unit.values[2 * i] = GAMMA1 - coefficient0; + simd_unit.values[2 * i + 1] = GAMMA1 - coefficient1; } } diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs index 9a55a2015..6afb25600 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs @@ -11,14 +11,14 @@ fn change_t0_interval(t0: i32) -> i32 { pub fn serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { debug_assert!(serialized.len() == 13); - let coefficient0 = change_t0_interval(simd_unit[0]); - let coefficient1 = change_t0_interval(simd_unit[1]); - let coefficient2 = change_t0_interval(simd_unit[2]); - let coefficient3 = change_t0_interval(simd_unit[3]); - let coefficient4 = change_t0_interval(simd_unit[4]); - let coefficient5 = change_t0_interval(simd_unit[5]); - let coefficient6 = change_t0_interval(simd_unit[6]); - let coefficient7 = change_t0_interval(simd_unit[7]); + let coefficient0 = change_t0_interval(simd_unit.values[0]); + let coefficient1 = change_t0_interval(simd_unit.values[1]); + let coefficient2 = change_t0_interval(simd_unit.values[2]); + let coefficient3 = change_t0_interval(simd_unit.values[3]); + let coefficient4 = change_t0_interval(simd_unit.values[4]); + let coefficient5 = change_t0_interval(simd_unit.values[5]); + let coefficient6 = change_t0_interval(simd_unit.values[6]); + let coefficient7 = change_t0_interval(simd_unit.values[7]); serialized[0] = coefficient0 as u8; @@ -110,12 +110,12 @@ pub fn deserialize(serialized: &[u8], simd_unit: &mut Coefficients) { coefficient7 |= byte12 << 5; coefficient7 &= BITS_IN_LOWER_PART_OF_T_MASK; - simd_unit[0] = change_t0_interval(coefficient0); - simd_unit[1] = change_t0_interval(coefficient1); - simd_unit[2] = change_t0_interval(coefficient2); - simd_unit[3] = change_t0_interval(coefficient3); - simd_unit[4] = change_t0_interval(coefficient4); - simd_unit[5] = change_t0_interval(coefficient5); - simd_unit[6] = change_t0_interval(coefficient6); - simd_unit[7] = change_t0_interval(coefficient7); + simd_unit.values[0] = change_t0_interval(coefficient0); + simd_unit.values[1] = change_t0_interval(coefficient1); + simd_unit.values[2] = change_t0_interval(coefficient2); + simd_unit.values[3] = change_t0_interval(coefficient3); + simd_unit.values[4] = change_t0_interval(coefficient4); + simd_unit.values[5] = change_t0_interval(coefficient5); + simd_unit.values[6] = change_t0_interval(coefficient6); + simd_unit.values[7] = change_t0_interval(coefficient7); } diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs index 72f08046f..f53788dd6 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs @@ -7,7 +7,7 @@ pub fn serialize(simd_unit: &Coefficients, serialized: &mut [u8]) { debug_assert!(serialized.len() == 10); cloop! { - for (i, coefficients) in simd_unit.chunks_exact(4).enumerate() { + for (i, coefficients) in simd_unit.values.chunks_exact(4).enumerate() { serialized[5 * i] = (coefficients[0] & 0xFF) as u8; serialized[5 * i + 1] = ((coefficients[1] & 0x3F) as u8) << 2 | ((coefficients[0] >> 8) & 0x03) as u8; @@ -37,10 +37,10 @@ pub fn deserialize(serialized: &[u8], simd_unit: &mut Coefficients) { let byte3 = bytes[3] as i32; let byte4 = bytes[4] as i32; - simd_unit[4 * i] = (byte0 | (byte1 << 8)) & mask; - simd_unit[4 * i + 1] = ((byte1 >> 2) | (byte2 << 6)) & mask; - simd_unit[4 * i + 2] = ((byte2 >> 4) | (byte3 << 4)) & mask; - simd_unit[4 * i + 3] = ((byte3 >> 6) | (byte4 << 2)) & mask; + simd_unit.values[4 * i] = (byte0 | (byte1 << 8)) & mask; + simd_unit.values[4 * i + 1] = ((byte1 >> 2) | (byte2 << 6)) & mask; + simd_unit.values[4 * i + 2] = ((byte2 >> 4) | (byte3 << 4)) & mask; + simd_unit.values[4 * i + 3] = ((byte3 >> 6) | (byte4 << 2)) & mask; } } diff --git a/libcrux-ml-dsa/src/simd/portable/invntt.rs b/libcrux-ml-dsa/src/simd/portable/invntt.rs index bd85f0c9e..4ec015e60 100644 --- a/libcrux-ml-dsa/src/simd/portable/invntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/invntt.rs @@ -10,59 +10,59 @@ pub fn simd_unit_invert_ntt_at_layer_0( zeta2: i32, zeta3: i32, ) { - let a_minus_b = simd_unit[1] - simd_unit[0]; - simd_unit[0] = simd_unit[0] + simd_unit[1]; - simd_unit[1] = montgomery_multiply_fe_by_fer(a_minus_b, zeta0); + let a_minus_b = simd_unit.values[1] - simd_unit.values[0]; + simd_unit.values[0] = simd_unit.values[0] + simd_unit.values[1]; + simd_unit.values[1] = montgomery_multiply_fe_by_fer(a_minus_b, zeta0); - let a_minus_b = simd_unit[3] - simd_unit[2]; - simd_unit[2] = simd_unit[2] + simd_unit[3]; - simd_unit[3] = montgomery_multiply_fe_by_fer(a_minus_b, zeta1); + let a_minus_b = simd_unit.values[3] - simd_unit.values[2]; + simd_unit.values[2] = simd_unit.values[2] + simd_unit.values[3]; + simd_unit.values[3] = montgomery_multiply_fe_by_fer(a_minus_b, zeta1); - let a_minus_b = simd_unit[5] - simd_unit[4]; - simd_unit[4] = simd_unit[4] + simd_unit[5]; - simd_unit[5] = montgomery_multiply_fe_by_fer(a_minus_b, zeta2); + let a_minus_b = simd_unit.values[5] - simd_unit.values[4]; + simd_unit.values[4] = simd_unit.values[4] + simd_unit.values[5]; + simd_unit.values[5] = montgomery_multiply_fe_by_fer(a_minus_b, zeta2); - let a_minus_b = simd_unit[7] - simd_unit[6]; - simd_unit[6] = simd_unit[6] + simd_unit[7]; - simd_unit[7] = montgomery_multiply_fe_by_fer(a_minus_b, zeta3); + let a_minus_b = simd_unit.values[7] - simd_unit.values[6]; + simd_unit.values[6] = simd_unit.values[6] + simd_unit.values[7]; + simd_unit.values[7] = montgomery_multiply_fe_by_fer(a_minus_b, zeta3); } #[inline(always)] pub fn simd_unit_invert_ntt_at_layer_1(simd_unit: &mut Coefficients, zeta0: i32, zeta1: i32) { - let a_minus_b = simd_unit[2] - simd_unit[0]; - simd_unit[0] = simd_unit[0] + simd_unit[2]; - simd_unit[2] = montgomery_multiply_fe_by_fer(a_minus_b, zeta0); + let a_minus_b = simd_unit.values[2] - simd_unit.values[0]; + simd_unit.values[0] = simd_unit.values[0] + simd_unit.values[2]; + simd_unit.values[2] = montgomery_multiply_fe_by_fer(a_minus_b, zeta0); - let a_minus_b = simd_unit[3] - simd_unit[1]; - simd_unit[1] = simd_unit[1] + simd_unit[3]; - simd_unit[3] = montgomery_multiply_fe_by_fer(a_minus_b, zeta0); + let a_minus_b = simd_unit.values[3] - simd_unit.values[1]; + simd_unit.values[1] = simd_unit.values[1] + simd_unit.values[3]; + simd_unit.values[3] = montgomery_multiply_fe_by_fer(a_minus_b, zeta0); - let a_minus_b = simd_unit[6] - simd_unit[4]; - simd_unit[4] = simd_unit[4] + simd_unit[6]; - simd_unit[6] = montgomery_multiply_fe_by_fer(a_minus_b, zeta1); + let a_minus_b = simd_unit.values[6] - simd_unit.values[4]; + simd_unit.values[4] = simd_unit.values[4] + simd_unit.values[6]; + simd_unit.values[6] = montgomery_multiply_fe_by_fer(a_minus_b, zeta1); - let a_minus_b = simd_unit[7] - simd_unit[5]; - simd_unit[5] = simd_unit[5] + simd_unit[7]; - simd_unit[7] = montgomery_multiply_fe_by_fer(a_minus_b, zeta1); + let a_minus_b = simd_unit.values[7] - simd_unit.values[5]; + simd_unit.values[5] = simd_unit.values[5] + simd_unit.values[7]; + simd_unit.values[7] = montgomery_multiply_fe_by_fer(a_minus_b, zeta1); } #[inline(always)] pub fn simd_unit_invert_ntt_at_layer_2(simd_unit: &mut Coefficients, zeta: i32) { - let a_minus_b = simd_unit[4] - simd_unit[0]; - simd_unit[0] = simd_unit[0] + simd_unit[4]; - simd_unit[4] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); + let a_minus_b = simd_unit.values[4] - simd_unit.values[0]; + simd_unit.values[0] = simd_unit.values[0] + simd_unit.values[4]; + simd_unit.values[4] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); - let a_minus_b = simd_unit[5] - simd_unit[1]; - simd_unit[1] = simd_unit[1] + simd_unit[5]; - simd_unit[5] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); + let a_minus_b = simd_unit.values[5] - simd_unit.values[1]; + simd_unit.values[1] = simd_unit.values[1] + simd_unit.values[5]; + simd_unit.values[5] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); - let a_minus_b = simd_unit[6] - simd_unit[2]; - simd_unit[2] = simd_unit[2] + simd_unit[6]; - simd_unit[6] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); + let a_minus_b = simd_unit.values[6] - simd_unit.values[2]; + simd_unit.values[2] = simd_unit.values[2] + simd_unit.values[6]; + simd_unit.values[6] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); - let a_minus_b = simd_unit[7] - simd_unit[3]; - simd_unit[3] = simd_unit[3] + simd_unit[7]; - simd_unit[7] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); + let a_minus_b = simd_unit.values[7] - simd_unit.values[3]; + simd_unit.values[3] = simd_unit.values[3] + simd_unit.values[7]; + simd_unit.values[7] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs index 77fd2f7e5..6e017f5a8 100644 --- a/libcrux-ml-dsa/src/simd/portable/ntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs @@ -10,59 +10,59 @@ pub fn simd_unit_ntt_at_layer_0( zeta2: i32, zeta3: i32, ) { - let t = montgomery_multiply_fe_by_fer(simd_unit[1], zeta0); - simd_unit[1] = simd_unit[0] - t; - simd_unit[0] = simd_unit[0] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit.values[1], zeta0); + simd_unit.values[1] = simd_unit.values[0] - t; + simd_unit.values[0] = simd_unit.values[0] + t; - let t = montgomery_multiply_fe_by_fer(simd_unit[3], zeta1); - simd_unit[3] = simd_unit[2] - t; - simd_unit[2] = simd_unit[2] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit.values[3], zeta1); + simd_unit.values[3] = simd_unit.values[2] - t; + simd_unit.values[2] = simd_unit.values[2] + t; - let t = montgomery_multiply_fe_by_fer(simd_unit[5], zeta2); - simd_unit[5] = simd_unit[4] - t; - simd_unit[4] = simd_unit[4] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit.values[5], zeta2); + simd_unit.values[5] = simd_unit.values[4] - t; + simd_unit.values[4] = simd_unit.values[4] + t; - let t = montgomery_multiply_fe_by_fer(simd_unit[7], zeta3); - simd_unit[7] = simd_unit[6] - t; - simd_unit[6] = simd_unit[6] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit.values[7], zeta3); + simd_unit.values[7] = simd_unit.values[6] - t; + simd_unit.values[6] = simd_unit.values[6] + t; } #[inline(always)] pub fn simd_unit_ntt_at_layer_1(simd_unit: &mut Coefficients, zeta1: i32, zeta2: i32) { - let t = montgomery_multiply_fe_by_fer(simd_unit[2], zeta1); - simd_unit[2] = simd_unit[0] - t; - simd_unit[0] = simd_unit[0] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit.values[2], zeta1); + simd_unit.values[2] = simd_unit.values[0] - t; + simd_unit.values[0] = simd_unit.values[0] + t; - let t = montgomery_multiply_fe_by_fer(simd_unit[3], zeta1); - simd_unit[3] = simd_unit[1] - t; - simd_unit[1] = simd_unit[1] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit.values[3], zeta1); + simd_unit.values[3] = simd_unit.values[1] - t; + simd_unit.values[1] = simd_unit.values[1] + t; - let t = montgomery_multiply_fe_by_fer(simd_unit[6], zeta2); - simd_unit[6] = simd_unit[4] - t; - simd_unit[4] = simd_unit[4] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit.values[6], zeta2); + simd_unit.values[6] = simd_unit.values[4] - t; + simd_unit.values[4] = simd_unit.values[4] + t; - let t = montgomery_multiply_fe_by_fer(simd_unit[7], zeta2); - simd_unit[7] = simd_unit[5] - t; - simd_unit[5] = simd_unit[5] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit.values[7], zeta2); + simd_unit.values[7] = simd_unit.values[5] - t; + simd_unit.values[5] = simd_unit.values[5] + t; } #[inline(always)] pub fn simd_unit_ntt_at_layer_2(simd_unit: &mut Coefficients, zeta: i32) { - let t = montgomery_multiply_fe_by_fer(simd_unit[4], zeta); - simd_unit[4] = simd_unit[0] - t; - simd_unit[0] = simd_unit[0] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit.values[4], zeta); + simd_unit.values[4] = simd_unit.values[0] - t; + simd_unit.values[0] = simd_unit.values[0] + t; - let t = montgomery_multiply_fe_by_fer(simd_unit[5], zeta); - simd_unit[5] = simd_unit[1] - t; - simd_unit[1] = simd_unit[1] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit.values[5], zeta); + simd_unit.values[5] = simd_unit.values[1] - t; + simd_unit.values[1] = simd_unit.values[1] + t; - let t = montgomery_multiply_fe_by_fer(simd_unit[6], zeta); - simd_unit[6] = simd_unit[2] - t; - simd_unit[2] = simd_unit[2] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit.values[6], zeta); + simd_unit.values[6] = simd_unit.values[2] - t; + simd_unit.values[2] = simd_unit.values[2] + t; - let t = montgomery_multiply_fe_by_fer(simd_unit[7], zeta); - simd_unit[7] = simd_unit[3] - t; - simd_unit[3] = simd_unit[3] + t; + let t = montgomery_multiply_fe_by_fer(simd_unit.values[7], zeta); + simd_unit.values[7] = simd_unit.values[3] - t; + simd_unit.values[3] = simd_unit.values[3] + t; } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/portable/vector_type.rs b/libcrux-ml-dsa/src/simd/portable/vector_type.rs index db019f0dc..02228c225 100644 --- a/libcrux-ml-dsa/src/simd/portable/vector_type.rs +++ b/libcrux-ml-dsa/src/simd/portable/vector_type.rs @@ -4,16 +4,20 @@ use crate::simd::traits::COEFFICIENTS_IN_SIMD_UNIT; pub(crate) type FieldElement = i32; #[derive(Clone, Copy)] -pub(crate) struct PortableSIMDUnit {} - -pub(super) type Coefficients = [FieldElement; COEFFICIENTS_IN_SIMD_UNIT]; +#[repr(transparent)] +pub(crate) struct Coefficients { + pub(super) values: [FieldElement; COEFFICIENTS_IN_SIMD_UNIT], +} pub(crate) fn zero() -> Coefficients { - [0i32; COEFFICIENTS_IN_SIMD_UNIT] + Coefficients { + values: [0i32; COEFFICIENTS_IN_SIMD_UNIT], + } } pub(crate) fn from_coefficient_array(array: &[i32], out: &mut Coefficients) { - out.copy_from_slice(&array[0..COEFFICIENTS_IN_SIMD_UNIT]) + out.values + .copy_from_slice(&array[0..COEFFICIENTS_IN_SIMD_UNIT]) } #[inline(always)] @@ -21,5 +25,5 @@ pub(crate) fn to_coefficient_array( value: &Coefficients, out: &mut [i32], // len: COEFFICIENTS_IN_SIMD_UNIT ) { - out.copy_from_slice(value); + out.copy_from_slice(&value.values); } diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 08cfa8678..e96b25d2a 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -17,36 +17,25 @@ pub const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58_728_449; pub(crate) type FieldElementTimesMontgomeryR = i32; pub(crate) trait Operations: Copy + Clone { - type Coefficient: Copy; // XXX: make generic? + fn zero() -> Self; - fn zero() -> Self::Coefficient; - - fn from_coefficient_array(array: &[i32], out: &mut Self::Coefficient); - fn to_coefficient_array(value: &Self::Coefficient, out: &mut [i32]); + fn from_coefficient_array(array: &[i32], out: &mut Self); + fn to_coefficient_array(value: &Self, out: &mut [i32]); // Arithmetic - fn add(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient); - fn subtract(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient); - fn infinity_norm_exceeds(simd_unit: &Self::Coefficient, bound: i32) -> bool; - fn decompose( - gamma2: Gamma2, - simd_unit: &Self::Coefficient, - low: &mut Self::Coefficient, - high: &mut Self::Coefficient, - ); - fn compute_hint( - low: &Self::Coefficient, - high: &Self::Coefficient, - hint: &mut Self::Coefficient, - ) -> usize; - fn use_hint(gamma2: Gamma2, simd_unit: &Self::Coefficient, hint: &mut Self::Coefficient); + fn add(lhs: &mut Self, rhs: &Self); + fn subtract(lhs: &mut Self, rhs: &Self); + fn infinity_norm_exceeds(simd_unit: &Self, bound: i32) -> bool; + fn decompose(gamma2: Gamma2, simd_unit: &Self, low: &mut Self, high: &mut Self); + fn compute_hint(low: &Self, high: &Self, hint: &mut Self) -> usize; + fn use_hint(gamma2: Gamma2, simd_unit: &Self, hint: &mut Self); // Modular operations - fn montgomery_multiply(lhs: &mut Self::Coefficient, rhs: &Self::Coefficient); - fn shift_left_then_reduce(simd_unit: &mut Self::Coefficient); + fn montgomery_multiply(lhs: &mut Self, rhs: &Self); + fn shift_left_then_reduce(simd_unit: &mut Self); // Decomposition operations - fn power2round(t0: &mut Self::Coefficient, t1: &mut Self::Coefficient); + fn power2round(t0: &mut Self, t1: &mut Self); // Sampling // @@ -65,31 +54,27 @@ pub(crate) trait Operations: Copy + Clone { // Encoding operations // Gamma1 - fn gamma1_serialize( - simd_unit: &Self::Coefficient, - serialized: &mut [u8], - gamma1_exponent: usize, - ); - fn gamma1_deserialize(serialized: &[u8], out: &mut Self::Coefficient, gamma1_exponent: usize); + fn gamma1_serialize(simd_unit: &Self, serialized: &mut [u8], gamma1_exponent: usize); + fn gamma1_deserialize(serialized: &[u8], out: &mut Self, gamma1_exponent: usize); // Commitment - fn commitment_serialize(simd_unit: &Self::Coefficient, serialized: &mut [u8]); + fn commitment_serialize(simd_unit: &Self, serialized: &mut [u8]); // Error - fn error_serialize(eta: Eta, simd_unit: &Self::Coefficient, serialized: &mut [u8]); - fn error_deserialize(eta: Eta, serialized: &[u8], out: &mut Self::Coefficient); + fn error_serialize(eta: Eta, simd_unit: &Self, serialized: &mut [u8]); + fn error_deserialize(eta: Eta, serialized: &[u8], out: &mut Self); // t0 - fn t0_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]); // out len 13 - fn t0_deserialize(serialized: &[u8], out: &mut Self::Coefficient); + fn t0_serialize(simd_unit: &Self, out: &mut [u8]); // out len 13 + fn t0_deserialize(serialized: &[u8], out: &mut Self); // t1 - fn t1_serialize(simd_unit: &Self::Coefficient, out: &mut [u8]); // out len 10 - fn t1_deserialize(serialized: &[u8], out: &mut Self::Coefficient); + fn t1_serialize(simd_unit: &Self, out: &mut [u8]); // out len 10 + fn t1_deserialize(serialized: &[u8], out: &mut Self); // NTT - fn ntt(simd_units: &mut [Self::Coefficient; SIMD_UNITS_IN_RING_ELEMENT]); + fn ntt(simd_units: &mut [Self; SIMD_UNITS_IN_RING_ELEMENT]); // invert NTT and convert to standard domain - fn invert_ntt_montgomery(simd_units: &mut [Self::Coefficient; SIMD_UNITS_IN_RING_ELEMENT]); + fn invert_ntt_montgomery(simd_units: &mut [Self; SIMD_UNITS_IN_RING_ELEMENT]); } From f6464f0e1b7a24fb9c00639224077ffaf472d527 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 8 Jan 2025 09:14:05 +0000 Subject: [PATCH 48/58] mldsa: update C and F* extraction --- libcrux-ml-dsa/cg/code_gen.txt | 8 +- libcrux-ml-dsa/cg/header.txt | 8 +- libcrux-ml-dsa/cg/libcrux_core.h | 150 +- libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h | 9198 ++++++-------- libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h | 10085 +++++++++------- libcrux-ml-dsa/cg/libcrux_sha3_avx2.h | 8 +- libcrux-ml-dsa/cg/libcrux_sha3_portable.h | 8 +- .../extraction/Libcrux_ml_dsa.Arithmetic.fst | 219 +- .../extraction/Libcrux_ml_dsa.Arithmetic.fsti | 20 +- .../extraction/Libcrux_ml_dsa.Constants.fst | 9 +- .../Libcrux_ml_dsa.Encoding.Commitment.fst | 4 +- .../Libcrux_ml_dsa.Encoding.Error.fst | 112 +- .../Libcrux_ml_dsa.Encoding.Error.fsti | 16 +- .../Libcrux_ml_dsa.Encoding.Gamma1.fst | 14 +- .../extraction/Libcrux_ml_dsa.Encoding.T0.fst | 106 +- .../Libcrux_ml_dsa.Encoding.T0.fsti | 14 +- .../extraction/Libcrux_ml_dsa.Encoding.T1.fst | 14 +- .../extraction/Libcrux_ml_dsa.Matrix.fst | 64 +- .../extraction/Libcrux_ml_dsa.Matrix.fsti | 18 +- ...generic.Instantiations.Avx2.Ml_dsa_44_.fst | 10 +- ...generic.Instantiations.Avx2.Ml_dsa_65_.fst | 10 +- ...generic.Instantiations.Avx2.Ml_dsa_87_.fst | 10 +- ...generic.Instantiations.Neon.Ml_dsa_44_.fst | 10 +- ...generic.Instantiations.Neon.Ml_dsa_65_.fst | 10 +- ...generic.Instantiations.Neon.Ml_dsa_87_.fst | 10 +- ...ric.Instantiations.Portable.Ml_dsa_44_.fst | 10 +- ...ric.Instantiations.Portable.Ml_dsa_65_.fst | 10 +- ...ric.Instantiations.Portable.Ml_dsa_87_.fst | 10 +- ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst | 1760 ++- ...crux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti | 96 +- ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst | 1768 ++- ...crux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti | 96 +- ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst | 1772 ++- ...crux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti | 96 +- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst | 12 +- .../extraction/Libcrux_ml_dsa.Polynomial.fst | 208 +- .../extraction/Libcrux_ml_dsa.Polynomial.fsti | 52 +- .../extraction/Libcrux_ml_dsa.Sample.fst | 242 +- .../extraction/Libcrux_ml_dsa.Sample.fsti | 26 +- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst | 3 +- .../Libcrux_ml_dsa.Simd.Avx2.Invntt.fst | 427 +- .../Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti | 72 +- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst | 483 +- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti | 48 +- .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst | 25 +- .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti | 19 +- .../extraction/Libcrux_ml_dsa.Simd.Avx2.fsti | 569 +- ...ibcrux_ml_dsa.Simd.Portable.Arithmetic.fst | 444 +- ...bcrux_ml_dsa.Simd.Portable.Arithmetic.fsti | 86 +- ..._dsa.Simd.Portable.Encoding.Commitment.fst | 9 +- ...dsa.Simd.Portable.Encoding.Commitment.fsti | 4 +- ...ux_ml_dsa.Simd.Portable.Encoding.Error.fst | 274 +- ...x_ml_dsa.Simd.Portable.Encoding.Error.fsti | 32 +- ...x_ml_dsa.Simd.Portable.Encoding.Gamma1.fst | 164 +- ..._ml_dsa.Simd.Portable.Encoding.Gamma1.fsti | 44 +- ...bcrux_ml_dsa.Simd.Portable.Encoding.T0.fst | 170 +- ...crux_ml_dsa.Simd.Portable.Encoding.T0.fsti | 12 +- ...bcrux_ml_dsa.Simd.Portable.Encoding.T1.fst | 82 +- ...crux_ml_dsa.Simd.Portable.Encoding.T1.fsti | 12 +- .../Libcrux_ml_dsa.Simd.Portable.Invntt.fst | 1078 +- .../Libcrux_ml_dsa.Simd.Portable.Invntt.fsti | 137 +- .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst | 995 +- .../Libcrux_ml_dsa.Simd.Portable.Ntt.fsti | 127 +- ...bcrux_ml_dsa.Simd.Portable.Vector_type.fst | 43 +- ...crux_ml_dsa.Simd.Portable.Vector_type.fsti | 14 +- .../Libcrux_ml_dsa.Simd.Portable.fsti | 441 +- .../Libcrux_ml_dsa.Simd.Traits.fsti | 209 +- 67 files changed, 16178 insertions(+), 16138 deletions(-) diff --git a/libcrux-ml-dsa/cg/code_gen.txt b/libcrux-ml-dsa/cg/code_gen.txt index a724f2bbe..adf942008 100644 --- a/libcrux-ml-dsa/cg/code_gen.txt +++ b/libcrux-ml-dsa/cg/code_gen.txt @@ -1,6 +1,6 @@ This code was generated with the following revisions: -Charon: db4e045d4597d06d854ce7a2c10e8dcfda6ecd25 -Eurydice: 75eae2e2534a16f5ba5430e6ee5c69d8a46f3bea -Karamel: 3823e3d82fa0b271d799b61c59ffb4742ddc1e65 +Charon: 0de54092afb546bf53cd8261c79499f3cae2c24b +Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a +Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b F*: b0961063393215ca65927f017720cb365a193833-dirty -Libcrux: a596b564bbc047e157eb19f66887f965403a30e6 +Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 diff --git a/libcrux-ml-dsa/cg/header.txt b/libcrux-ml-dsa/cg/header.txt index 8cdf86129..5eb58886c 100644 --- a/libcrux-ml-dsa/cg/header.txt +++ b/libcrux-ml-dsa/cg/header.txt @@ -4,9 +4,9 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: db4e045d4597d06d854ce7a2c10e8dcfda6ecd25 - * Eurydice: 75eae2e2534a16f5ba5430e6ee5c69d8a46f3bea - * Karamel: 3823e3d82fa0b271d799b61c59ffb4742ddc1e65 + * Charon: 0de54092afb546bf53cd8261c79499f3cae2c24b + * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a + * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: a596b564bbc047e157eb19f66887f965403a30e6 + * Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 */ diff --git a/libcrux-ml-dsa/cg/libcrux_core.h b/libcrux-ml-dsa/cg/libcrux_core.h index 3db8579a3..56ede5059 100644 --- a/libcrux-ml-dsa/cg/libcrux_core.h +++ b/libcrux-ml-dsa/cg/libcrux_core.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: db4e045d4597d06d854ce7a2c10e8dcfda6ecd25 - * Eurydice: 75eae2e2534a16f5ba5430e6ee5c69d8a46f3bea - * Karamel: 3823e3d82fa0b271d799b61c59ffb4742ddc1e65 + * Charon: 0de54092afb546bf53cd8261c79499f3cae2c24b + * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a + * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 834b7f51701fa4e8695a784c138ed230f49f0c4e + * Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 */ #ifndef __libcrux_core_H @@ -61,66 +61,53 @@ static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t x0[8U]); static inline void core_num__u64_9__to_le_bytes(uint64_t x0, uint8_t x1[8U]); /** -A monomorphic instance of core.result.Result -with types int32_t[8size_t], core_array_TryFromSliceError - +A monomorphic instance of libcrux_ml_dsa.types.MLDSASignature +with const generics +- $3309size_t */ -typedef struct Result_6c_s { - Result_a9_tags tag; - union { - int32_t case_Ok[8U]; - TryFromSliceError case_Err; - } val; -} Result_6c; +typedef struct libcrux_ml_dsa_types_MLDSASignature_8f_s { + uint8_t value[3309U]; +} libcrux_ml_dsa_types_MLDSASignature_8f; /** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} + A reference to the raw byte array. */ /** -A monomorphic instance of core.result.unwrap_26 -with types int32_t[8size_t], core_array_TryFromSliceError - +This function found in impl {libcrux_ml_dsa::types::MLDSASignature#4} */ -static inline void unwrap_26_55(Result_6c self, int32_t ret[8U]) { - if (self.tag == Ok) { - int32_t f0[8U]; - memcpy(f0, self.val.case_Ok, (size_t)8U * sizeof(int32_t)); - memcpy(ret, f0, (size_t)8U * sizeof(int32_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } +/** +A monomorphic instance of libcrux_ml_dsa.types.as_ref_8f +with const generics +- SIZE= 3309 +*/ +static inline uint8_t *libcrux_ml_dsa_types_as_ref_8f_fa( + libcrux_ml_dsa_types_MLDSASignature_8f *self) { + return self->value; } /** -A monomorphic instance of core.option.Option -with types uint8_t[11size_t] - +A monomorphic instance of libcrux_ml_dsa.types.MLDSAVerificationKey +with const generics +- $1952size_t */ -typedef struct Option_30_s { - Option_d8_tags tag; - uint8_t f0[11U]; -} Option_30; - -typedef struct libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature_s { - uint8_t value[3309U]; -} libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature; +typedef struct libcrux_ml_dsa_types_MLDSAVerificationKey_ea_s { + uint8_t value[1952U]; +} libcrux_ml_dsa_types_MLDSAVerificationKey_ea; /** A reference to the raw byte array. */ /** -This function found in impl {libcrux_ml_dsa::types::MLDSASignature#4} +This function found in impl +{libcrux_ml_dsa::types::MLDSAVerificationKey#2} */ /** -A monomorphic instance of libcrux_ml_dsa.types.as_ref_8f +A monomorphic instance of libcrux_ml_dsa.types.as_ref_66 with const generics -- SIZE= 3309 +- SIZE= 1952 */ -static inline uint8_t *libcrux_ml_dsa_types_as_ref_8f_fa( - libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *self) { +static inline uint8_t *libcrux_ml_dsa_types_as_ref_66_97( + libcrux_ml_dsa_types_MLDSAVerificationKey_ea *self) { return self->value; } @@ -142,28 +129,27 @@ typedef struct Result_41_s { } Result_41; /** -A monomorphic instance of libcrux_ml_dsa.types.MLDSAVerificationKey +A monomorphic instance of libcrux_ml_dsa.types.MLDSASigningKey with const generics -- $1952size_t +- $4032size_t */ -typedef struct libcrux_ml_dsa_types_MLDSAVerificationKey_ea_s { - uint8_t value[1952U]; -} libcrux_ml_dsa_types_MLDSAVerificationKey_ea; +typedef struct libcrux_ml_dsa_types_MLDSASigningKey_22_s { + uint8_t value[4032U]; +} libcrux_ml_dsa_types_MLDSASigningKey_22; /** A reference to the raw byte array. */ /** -This function found in impl -{libcrux_ml_dsa::types::MLDSAVerificationKey#2} +This function found in impl {libcrux_ml_dsa::types::MLDSASigningKey} */ /** -A monomorphic instance of libcrux_ml_dsa.types.as_ref_66 +A monomorphic instance of libcrux_ml_dsa.types.as_ref_9b with const generics -- SIZE= 1952 +- SIZE= 4032 */ -static inline uint8_t *libcrux_ml_dsa_types_as_ref_66_97( - libcrux_ml_dsa_types_MLDSAVerificationKey_ea *self) { +static inline uint8_t *libcrux_ml_dsa_types_as_ref_9b_09( + libcrux_ml_dsa_types_MLDSASigningKey_22 *self) { return self->value; } @@ -201,35 +187,42 @@ libcrux_ml_dsa_types_SigningError typedef struct Result_2e_s { Result_a9_tags tag; union { - libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature case_Ok; + libcrux_ml_dsa_types_MLDSASignature_8f case_Ok; libcrux_ml_dsa_types_SigningError case_Err; } val; } Result_2e; /** -A monomorphic instance of libcrux_ml_dsa.types.MLDSASigningKey -with const generics -- $4032size_t + Build */ -typedef struct libcrux_ml_dsa_types_MLDSASigningKey_22_s { - uint8_t value[4032U]; -} libcrux_ml_dsa_types_MLDSASigningKey_22; - /** - A reference to the raw byte array. +This function found in impl {libcrux_ml_dsa::types::MLDSASignature#4} */ /** -This function found in impl {libcrux_ml_dsa::types::MLDSASigningKey} +A monomorphic instance of libcrux_ml_dsa.types.new_8f +with const generics +- SIZE= 3309 */ +static inline libcrux_ml_dsa_types_MLDSASignature_8f +libcrux_ml_dsa_types_new_8f_fa(uint8_t value[3309U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[3309U]; + memcpy(copy_of_value, value, (size_t)3309U * sizeof(uint8_t)); + libcrux_ml_dsa_types_MLDSASignature_8f lit; + memcpy(lit.value, copy_of_value, (size_t)3309U * sizeof(uint8_t)); + return lit; +} + /** -A monomorphic instance of libcrux_ml_dsa.types.as_ref_9b +A monomorphic instance of libcrux_ml_dsa.types.MLDSAKeyPair with const generics -- SIZE= 4032 +- $1952size_t +- $4032size_t */ -static inline uint8_t *libcrux_ml_dsa_types_as_ref_9b_09( - libcrux_ml_dsa_types_MLDSASigningKey_22 *self) { - return self->value; -} +typedef struct libcrux_ml_dsa_types_MLDSAKeyPair_06_s { + libcrux_ml_dsa_types_MLDSASigningKey_22 signing_key; + libcrux_ml_dsa_types_MLDSAVerificationKey_ea verification_key; +} libcrux_ml_dsa_types_MLDSAKeyPair_06; /** Build @@ -274,10 +267,15 @@ libcrux_ml_dsa_types_new_9b_09(uint8_t value[4032U]) { return lit; } -typedef struct libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair_s { - libcrux_ml_dsa_types_MLDSASigningKey_22 signing_key; - libcrux_ml_dsa_types_MLDSAVerificationKey_ea verification_key; -} libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair; +/** +A monomorphic instance of core.option.Option +with types uint8_t[11size_t] + +*/ +typedef struct Option_30_s { + Option_d8_tags tag; + uint8_t f0[11U]; +} Option_30; typedef struct Eurydice_slice_uint8_t_4size_t__x2_s { Eurydice_slice fst[4U]; diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h index 2b52f015d..5cd50dc45 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: db4e045d4597d06d854ce7a2c10e8dcfda6ecd25 - * Eurydice: 75eae2e2534a16f5ba5430e6ee5c69d8a46f3bea - * Karamel: 3823e3d82fa0b271d799b61c59ffb4742ddc1e65 + * Charon: 0de54092afb546bf53cd8261c79499f3cae2c24b + * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a + * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 834b7f51701fa4e8695a784c138ed230f49f0c4e + * Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 */ #ifndef __libcrux_mldsa65_avx2_H @@ -315,465 +315,268 @@ libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( return libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4(self); } -/** - Generate key pair. -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.generate_key_pair -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ROW_COLUMN= 11 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- SIGNING_KEY_SIZE= 4032 -- VERIFICATION_KEY_SIZE= 1952 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_c9( - uint8_t randomness[32U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); - KRML_HOST_EXIT(255U); -} - -/** - Generate key pair. -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.generate_key_pair with const -generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ROW_COLUMN= 11 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- SIGNING_KEY_SIZE= 4032 -- VERIFICATION_KEY_SIZE= 1952 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_c9( - uint8_t randomness[32U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_c9( - copy_of_randomness); -} - -/** - Generate an ML-DSA-65 Key Pair -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair -libcrux_ml_dsa_ml_dsa_65_avx2_generate_key_pair(uint8_t randomness[32U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - tuple_a0 uu____1 = - libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_c9( - copy_of_randomness); - uint8_t signing_key[4032U]; - memcpy(signing_key, uu____1.fst, (size_t)4032U * sizeof(uint8_t)); - uint8_t verification_key[1952U]; - memcpy(verification_key, uu____1.snd, (size_t)1952U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_signing_key[4032U]; - memcpy(copy_of_signing_key, signing_key, (size_t)4032U * sizeof(uint8_t)); - libcrux_ml_dsa_types_MLDSASigningKey_22 uu____3 = - libcrux_ml_dsa_types_new_9b_09(copy_of_signing_key); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_verification_key[1952U]; - memcpy(copy_of_verification_key, verification_key, - (size_t)1952U * sizeof(uint8_t)); - libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair lit; - lit.signing_key = uu____3; - lit.verification_key = - libcrux_ml_dsa_types_new_66_97(copy_of_verification_key); - return lit; -} +typedef __m256i libcrux_ml_dsa_simd_avx2_vector_type_Vec256; /** - Sign. -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.sign with const -generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 + Create an all-zero vector coefficient */ KRML_ATTRIBUTE_TARGET("avx2") -static inline Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_f3( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); - KRML_HOST_EXIT(255U); +static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_zero(void) { + return libcrux_intrinsics_avx2_mm256_setzero_si256(); } /** - Sign. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.sign -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_f3( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - uint8_t *uu____0 = signing_key; - Eurydice_slice uu____1 = message; - Eurydice_slice uu____2 = context; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_f3( - uu____0, uu____1, uu____2, copy_of_randomness); +static KRML_MUSTINLINE __m256i libcrux_ml_dsa_simd_avx2_zero_22(void) { + return libcrux_ml_dsa_simd_avx2_vector_type_zero(); } /** - Generate an ML-DSA-65 Signature - - The parameter `context` is used for domain separation - and is a byte string of length at most 255 bytes. It - may also be empty. + Create a coefficient from an `i32` array */ KRML_ATTRIBUTE_TARGET("avx2") -static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign( - libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, - Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); - Eurydice_slice uu____1 = message; - Eurydice_slice uu____2 = context; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_f3( - uu____0, uu____1, uu____2, copy_of_randomness); +static inline void libcrux_ml_dsa_simd_avx2_vector_type_from_coefficient_array( + Eurydice_slice coefficient_array, __m256i *out) { + out[0U] = libcrux_intrinsics_avx2_mm256_loadu_si256_i32(coefficient_array); } /** - Sign (pre-hashed). -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.sign_pre_hashed_shake128 -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} */ KRML_ATTRIBUTE_TARGET("avx2") -static inline Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_pre_hashed_shake128_f3( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); - KRML_HOST_EXIT(255U); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_from_coefficient_array_22( + Eurydice_slice coefficient_array, __m256i *out) { + libcrux_ml_dsa_simd_avx2_vector_type_from_coefficient_array(coefficient_array, + out); } /** - Sign (pre-hashed). -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.sign_pre_hashed_shake128 with -const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 + Write out the coefficient to an `i32` array */ KRML_ATTRIBUTE_TARGET("avx2") -static inline Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_pre_hashed_shake128_f3( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - uint8_t *uu____0 = signing_key; - Eurydice_slice uu____1 = message; - Eurydice_slice uu____2 = context; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_pre_hashed_shake128_f3( - uu____0, uu____1, uu____2, copy_of_randomness); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_vector_type_to_coefficient_array(__m256i *value, + Eurydice_slice out) { + libcrux_intrinsics_avx2_mm256_storeu_si256_i32(out, value[0U]); } /** - Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing - - The parameter `context` is used for domain separation - and is a byte string of length at most 255 bytes. It - may also be empty. +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} */ KRML_ATTRIBUTE_TARGET("avx2") -static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign_pre_hashed_shake128( - libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, - Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); - Eurydice_slice uu____1 = message; - Eurydice_slice uu____2 = context; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_pre_hashed_shake128_f3( - uu____0, uu____1, uu____2, copy_of_randomness); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_to_coefficient_array_22( + __m256i *value, Eurydice_slice out) { + libcrux_ml_dsa_simd_avx2_vector_type_to_coefficient_array(value, out); } -/** - Verify. -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.verify with const -generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ KRML_ATTRIBUTE_TARGET("avx2") -static inline Result_41 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_01( - uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, - uint8_t *signature) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); - KRML_HOST_EXIT(255U); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_arithmetic_add( + __m256i *lhs, __m256i *rhs) { + lhs[0U] = libcrux_intrinsics_avx2_mm256_add_epi32(lhs[0U], rhs[0U]); } /** - Verify. -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.verify with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} */ KRML_ATTRIBUTE_TARGET("avx2") -static inline Result_41 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_01( - uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, - uint8_t *signature) { - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_01( - verification_key, message, context, signature); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_add_22(__m256i *lhs, + __m256i *rhs) { + libcrux_ml_dsa_simd_avx2_arithmetic_add(lhs, rhs); } -/** - Verify an ML-DSA-65 Signature - - The parameter `context` is used for domain separation - and is a byte string of length at most 255 bytes. It - may also be empty. -*/ KRML_ATTRIBUTE_TARGET("avx2") -static inline Result_41 libcrux_ml_dsa_ml_dsa_65_avx2_verify( - libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, - Eurydice_slice message, Eurydice_slice context, - libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_01( - libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, - libcrux_ml_dsa_types_as_ref_8f_fa(signature)); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_arithmetic_subtract( + __m256i *lhs, __m256i *rhs) { + lhs[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32(lhs[0U], rhs[0U]); } /** - Verify (pre-hashed with SHAKE-128). -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.verify_pre_hashed_shake128 -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} */ KRML_ATTRIBUTE_TARGET("avx2") -static inline Result_41 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_pre_hashed_shake128_01( - uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, - uint8_t *signature) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); - KRML_HOST_EXIT(255U); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_subtract_22(__m256i *lhs, + __m256i *rhs) { + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(lhs, rhs); } -/** - Verify (pre-hashed with SHAKE-128). -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.verify_pre_hashed_shake128 -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ KRML_ATTRIBUTE_TARGET("avx2") -static inline Result_41 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_pre_hashed_shake128_01( - uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, - uint8_t *signature) { - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_pre_hashed_shake128_01( - verification_key, message, context, signature); +static KRML_MUSTINLINE bool +libcrux_ml_dsa_simd_avx2_arithmetic_infinity_norm_exceeds(__m256i *simd_unit, + int32_t bound) { + __m256i absolute_values = + libcrux_intrinsics_avx2_mm256_abs_epi32(simd_unit[0U]); + __m256i bound0 = libcrux_intrinsics_avx2_mm256_set1_epi32(bound - (int32_t)1); + __m256i compare_with_bound = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32(absolute_values, bound0); + int32_t result = libcrux_intrinsics_avx2_mm256_testz_si256( + compare_with_bound, compare_with_bound); + return result != (int32_t)1; } /** - Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing - - The parameter `context` is used for domain separation - and is a byte string of length at most 255 bytes. It - may also be empty. +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} */ KRML_ATTRIBUTE_TARGET("avx2") -static inline Result_41 -libcrux_ml_dsa_ml_dsa_65_avx2_verify_pre_hashed_shake128( - libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, - Eurydice_slice message, Eurydice_slice context, - libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_pre_hashed_shake128_01( - libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, - libcrux_ml_dsa_types_as_ref_8f_fa(signature)); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_arithmetic_add( - __m256i *lhs, __m256i *rhs) { - lhs[0U] = libcrux_intrinsics_avx2_mm256_add_epi32(lhs[0U], rhs[0U]); +static KRML_MUSTINLINE bool libcrux_ml_dsa_simd_avx2_infinity_norm_exceeds_22( + __m256i *simd_unit, int32_t bound) { + return libcrux_ml_dsa_simd_avx2_arithmetic_infinity_norm_exceeds(simd_unit, + bound); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(__m256i *t) { +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives_ret( + __m256i *t) { __m256i signs = libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, t[0U], __m256i); __m256i conditional_add_field_modulus = libcrux_intrinsics_avx2_mm256_and_si256( signs, libcrux_intrinsics_avx2_mm256_set1_epi32( LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS)); - t[0U] = libcrux_intrinsics_avx2_mm256_add_epi32( - t[0U], conditional_add_field_modulus); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE bool -libcrux_ml_dsa_simd_avx2_arithmetic_infinity_norm_exceeds(__m256i *simd_unit, - int32_t bound) { - __m256i absolute_values = - libcrux_intrinsics_avx2_mm256_abs_epi32(simd_unit[0U]); - __m256i bound0 = libcrux_intrinsics_avx2_mm256_set1_epi32(bound - (int32_t)1); - __m256i compare_with_bound = - libcrux_intrinsics_avx2_mm256_cmpgt_epi32(absolute_values, bound0); - int32_t result = libcrux_intrinsics_avx2_mm256_testz_si256( - compare_with_bound, compare_with_bound); - return result != (int32_t)1; + return libcrux_intrinsics_avx2_mm256_add_epi32(t[0U], + conditional_add_field_modulus); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(__m256i *lhs, - __m256i *rhs) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_arithmetic_decompose( + int32_t gamma2, __m256i *r, __m256i *r0, __m256i *r1) { + __m256i r2 = + libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives_ret(r); + __m256i ceil_of_r_by_128 = libcrux_intrinsics_avx2_mm256_add_epi32( + r2, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)127)); + __m256i ceil_of_r_by_1280 = libcrux_intrinsics_avx2_mm256_srai_epi32( + (int32_t)7, ceil_of_r_by_128, __m256i); + switch (gamma2) { + case 95232: { + __m256i result = libcrux_intrinsics_avx2_mm256_mullo_epi32( + ceil_of_r_by_1280, + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)11275)); + __m256i result0 = libcrux_intrinsics_avx2_mm256_add_epi32( + result, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1 << 23U)); + __m256i result1 = libcrux_intrinsics_avx2_mm256_srai_epi32( + (int32_t)24, result0, __m256i); + __m256i mask = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)43), result1); + __m256i mask0 = + libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, mask, __m256i); + __m256i not_result = + libcrux_intrinsics_avx2_mm256_xor_si256(result1, mask0); + r1[0U] = libcrux_intrinsics_avx2_mm256_and_si256(result1, not_result); + break; + } + case 261888: { + __m256i result = libcrux_intrinsics_avx2_mm256_mullo_epi32( + ceil_of_r_by_1280, + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1025)); + __m256i result0 = libcrux_intrinsics_avx2_mm256_add_epi32( + result, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1 << 21U)); + __m256i result1 = libcrux_intrinsics_avx2_mm256_srai_epi32( + (int32_t)22, result0, __m256i); + r1[0U] = libcrux_intrinsics_avx2_mm256_and_si256( + result1, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)15)); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } + int32_t alpha = gamma2 * (int32_t)2; + __m256i r0_tmp = libcrux_intrinsics_avx2_mm256_mullo_epi32( + r1[0U], libcrux_intrinsics_avx2_mm256_set1_epi32(alpha)); + __m256i r0_tmp0 = libcrux_intrinsics_avx2_mm256_sub_epi32(r2, r0_tmp); + __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( + (LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2); + __m256i mask = + libcrux_intrinsics_avx2_mm256_sub_epi32(field_modulus_halved, r0_tmp0); + __m256i mask0 = + libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, mask, __m256i); + __m256i field_modulus_and_mask = libcrux_intrinsics_avx2_mm256_and_si256( + mask0, libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS)); + r0[0U] = + libcrux_intrinsics_avx2_mm256_sub_epi32(r0_tmp0, field_modulus_and_mask); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_decompose_22( + int32_t gamma2, __m256i *simd_unit, __m256i *low, __m256i *high) { + libcrux_ml_dsa_simd_avx2_arithmetic_decompose(gamma2, simd_unit, low, high); +} + +typedef struct core_core_arch_x86___m256i_x2_s { + __m256i fst; + __m256i snd; +} core_core_arch_x86___m256i_x2; + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_arithmetic_use_hint( + int32_t gamma2, __m256i *r, __m256i *hint) { + core_core_arch_x86___m256i_x2 uu____0 = { + .fst = libcrux_intrinsics_avx2_mm256_setzero_si256(), + .snd = libcrux_intrinsics_avx2_mm256_setzero_si256()}; + __m256i r0 = uu____0.fst; + __m256i r1 = uu____0.snd; + libcrux_ml_dsa_simd_avx2_arithmetic_decompose(gamma2, r, &r0, &r1); + __m256i all_zeros = libcrux_intrinsics_avx2_mm256_setzero_si256(); + __m256i negate_hints = + libcrux_intrinsics_avx2_vec256_blendv_epi32(all_zeros, hint[0U], r0); + __m256i negate_hints0 = libcrux_intrinsics_avx2_mm256_slli_epi32( + (int32_t)1, negate_hints, __m256i); + __m256i hints = + libcrux_intrinsics_avx2_mm256_sub_epi32(hint[0U], negate_hints0); + __m256i r1_plus_hints = libcrux_intrinsics_avx2_mm256_add_epi32(r1, hints); + switch (gamma2) { + case 95232: { + __m256i max = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)43); + r1_plus_hints = libcrux_intrinsics_avx2_vec256_blendv_epi32( + r1_plus_hints, max, r1_plus_hints); + __m256i greater_than_or_equal_to_max = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32(r1_plus_hints, max); + hint[0U] = libcrux_intrinsics_avx2_vec256_blendv_epi32( + r1_plus_hints, all_zeros, greater_than_or_equal_to_max); + break; + } + case 261888: { + hint[0U] = libcrux_intrinsics_avx2_mm256_and_si256( + r1_plus_hints, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)15)); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_use_hint_22( + int32_t gamma2, __m256i *simd_unit, __m256i *hint) { + libcrux_ml_dsa_simd_avx2_arithmetic_use_hint(gamma2, simd_unit, hint); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(__m256i *lhs, + __m256i *rhs) { __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); __m256i inverse_of_modulus_mod_montgomery_r = @@ -800,33 +603,21 @@ libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(__m256i *lhs, (int32_t)170, res02_shifted, res13, __m256i); } +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - __m256i lhs, int32_t constant) { - __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(constant); - __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); - __m256i inverse_of_modulus_mod_montgomery_r = - libcrux_intrinsics_avx2_mm256_set1_epi32( - (int32_t) - LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R); - __m256i prod02 = libcrux_intrinsics_avx2_mm256_mul_epi32(lhs, rhs); - __m256i prod13 = libcrux_intrinsics_avx2_mm256_mul_epi32( - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, lhs, __m256i), - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, rhs, __m256i)); - __m256i k02 = libcrux_intrinsics_avx2_mm256_mul_epi32( - prod02, inverse_of_modulus_mod_montgomery_r); - __m256i k13 = libcrux_intrinsics_avx2_mm256_mul_epi32( - prod13, inverse_of_modulus_mod_montgomery_r); - __m256i c02 = libcrux_intrinsics_avx2_mm256_mul_epi32(k02, field_modulus); - __m256i c13 = libcrux_intrinsics_avx2_mm256_mul_epi32(k13, field_modulus); - __m256i res02 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod02, c02); - __m256i res13 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod13, c13); - __m256i res02_shifted = - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, res02, __m256i); - return libcrux_intrinsics_avx2_mm256_blend_epi32((int32_t)170, res02_shifted, - res13, __m256i); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_montgomery_multiply_22( + __m256i *lhs, __m256i *rhs) { + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(lhs, rhs); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(__m256i *t) { + t[0U] = + libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives_ret(t); } KRML_ATTRIBUTE_TARGET("avx2") @@ -847,345 +638,398 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_arithmetic_power2round( r0[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32(r0[0U], tmp); } +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_arithmetic_subtract( - __m256i *lhs, __m256i *rhs) { - lhs[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32(lhs[0U], rhs[0U]); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_power2round_22( + __m256i *t0, __m256i *t1) { + libcrux_ml_dsa_simd_avx2_arithmetic_power2round(t0, t1); } -KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_zero(void) { - return libcrux_intrinsics_avx2_mm256_setzero_si256(); -} +#define LIBCRUX_ML_DSA_SIMD_AVX2_REJECTION_SAMPLE_LESS_THAN_FIELD_MODULUS_BYTESTREAM_TO_POTENTIAL_COEFFICIENTS_COEFFICIENT_MASK \ + (((int32_t)1 << 23U) - (int32_t)1) KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_encoding_commitment_serialize(__m256i *simd_unit, - Eurydice_slice out) { - uint8_t serialized[19U] = {0U}; - switch ((uint8_t)Eurydice_slice_len(out, uint8_t)) { - case 4U: { - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( - simd_unit[0U], libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28, - (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28)); - __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)28, adjacent_2_combined, __m256i); - __m256i adjacent_4_combined = - libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( - adjacent_2_combined0, - libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, - (int32_t)2, (int32_t)4, (int32_t)0)); - __m128i adjacent_4_combined0 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); - __m128i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - adjacent_4_combined0, - libcrux_intrinsics_avx2_mm_set_epi8(240U, 240U, 240U, 240U, 240U, - 240U, 240U, 240U, 240U, 240U, - 240U, 240U, 12U, 4U, 8U, 0U)); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, - uint8_t), - adjacent_4_combined1); - Eurydice_slice uu____0 = out; - Eurydice_slice_copy(uu____0, - Eurydice_array_to_subslice2(serialized, (size_t)0U, - (size_t)4U, uint8_t), - uint8_t); - break; - } - case 6U: { - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( - simd_unit[0U], libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)26, (int32_t)0, (int32_t)26, - (int32_t)0, (int32_t)26, (int32_t)0, (int32_t)26)); - __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)26, adjacent_2_combined, __m256i); - __m256i adjacent_3_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - adjacent_2_combined0, - libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)1, - (int8_t)0, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, - (int8_t)1, (int8_t)0)); - __m256i adjacent_3_combined0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( - adjacent_3_combined, - libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, - (int16_t)1, (int16_t)1, (int16_t)1 << 4U, (int16_t)1, (int16_t)1, - (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, - (int16_t)1 << 4U)); - __m256i adjacent_3_combined1 = libcrux_intrinsics_avx2_mm256_srlv_epi32( - adjacent_3_combined0, - libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)4, (int32_t)0, - (int32_t)0, (int32_t)0, (int32_t)4)); - __m128i lower_3 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_3_combined1); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, - uint8_t), - lower_3); - __m128i upper_3 = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, adjacent_3_combined1, __m128i); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)3U, (size_t)19U, - uint8_t), - upper_3); - Eurydice_slice uu____1 = out; - Eurydice_slice_copy(uu____1, - Eurydice_array_to_subslice2(serialized, (size_t)0U, - (size_t)6U, uint8_t), - uint8_t); - break; - } - default: { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "panic!"); - KRML_HOST_EXIT(255U); - } - } +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_bytestream_to_potential_coefficients( + Eurydice_slice serialized) { + uint8_t serialized_extended[32U] = {0U}; + Eurydice_slice_copy( + Eurydice_array_to_subslice_to((size_t)32U, serialized_extended, + (size_t)24U, uint8_t, size_t), + serialized, uint8_t); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_array_to_slice((size_t)32U, serialized_extended, uint8_t)); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)5, (int32_t)4, (int32_t)3, + (int32_t)0, (int32_t)2, (int32_t)1, (int32_t)0)); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + coefficients0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)8, + (int8_t)7, (int8_t)6, (int8_t)-1, (int8_t)5, (int8_t)4, (int8_t)3, + (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)0, (int8_t)-1, (int8_t)11, + (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, + (int8_t)-1, (int8_t)5, (int8_t)4, (int8_t)3, (int8_t)-1, (int8_t)2, + (int8_t)1, (int8_t)0)); + return libcrux_intrinsics_avx2_mm256_and_si256( + coefficients1, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_REJECTION_SAMPLE_LESS_THAN_FIELD_MODULUS_BYTESTREAM_TO_POTENTIAL_COEFFICIENTS_COEFFICIENT_MASK)); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_2_COEFFICIENT_MASK \ - (((int32_t)1 << 3U) - (int32_t)1) - -KRML_ATTRIBUTE_TARGET("avx2") +static const uint8_t + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE + [16U][16U] = {{255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, + 255U, 255U, 255U}, + {12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, + 255U, 255U, 255U}, + {8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, + 255U, 255U, 255U, 255U}, + {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, + 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, + 13U, 14U, 15U}}; + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_sample( + Eurydice_slice input, Eurydice_slice output) { + __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + __m256i potential_coefficients = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_bytestream_to_potential_coefficients( + input); + __m256i compare_with_field_modulus = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32(field_modulus, + potential_coefficients); + int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( + libcrux_intrinsics_avx2_mm256_castsi256_ps(compare_with_field_modulus)); + int32_t good_lower_half = good & (int32_t)15; + int32_t good_upper_half = good >> 4U; + uint8_t lower_shuffles[16U]; + memcpy(lower_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_lower_half], + (size_t)16U * sizeof(uint8_t)); + __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); + __m128i lower_coefficients = + libcrux_intrinsics_avx2_mm256_castsi256_si128(potential_coefficients); + __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients, lower_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), + lower_coefficients0); + size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); + uint8_t upper_shuffles[16U]; + memcpy(upper_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_upper_half], + (size_t)16U * sizeof(uint8_t)); + __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, potential_coefficients, __m128i); + __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients, upper_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, sampled_count, + sampled_count + (size_t)4U, int32_t), + upper_coefficients0); + size_t uu____0 = sampled_count; + return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_22( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_sample( + randomness, out); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_4_COEFFICIENT_MASK \ + (((int32_t)1 << 4U) - (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_2( +libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_4( Eurydice_slice bytes) { __m256i bytes_in_simd_unit = libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) - << 8U | - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) - << 8U | - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); __m256i coefficients = libcrux_intrinsics_avx2_mm256_srlv_epi32( bytes_in_simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)5, (int32_t)2, (int32_t)7, (int32_t)4, - (int32_t)1, (int32_t)6, (int32_t)3, (int32_t)0)); + (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0, + (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0)); return libcrux_intrinsics_avx2_mm256_and_si256( coefficients, libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_2_COEFFICIENT_MASK)); + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_4_COEFFICIENT_MASK)); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_4_COEFFICIENT_MASK \ - (((int32_t)1 << 4U) - (int32_t)1) +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_2_COEFFICIENT_MASK \ + (((int32_t)1 << 3U) - (int32_t)1) KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_4( +libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_2( Eurydice_slice bytes) { __m256i bytes_in_simd_unit = libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), - (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) + << 8U | + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) + << 8U | + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); __m256i coefficients = libcrux_intrinsics_avx2_mm256_srlv_epi32( bytes_in_simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0, - (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0)); + (int32_t)5, (int32_t)2, (int32_t)7, (int32_t)4, + (int32_t)1, (int32_t)6, (int32_t)3, (int32_t)0)); return libcrux_intrinsics_avx2_mm256_and_si256( coefficients, libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_4_COEFFICIENT_MASK)); + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_2_COEFFICIENT_MASK)); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \ - ((int32_t)2) - KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_2( - __m256i *simd_unit, Eurydice_slice out) { - uint8_t serialized[16U] = {0U}; - __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA), - simd_unit[0U]); - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( - simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)29, (int32_t)0, (int32_t)29, - (int32_t)0, (int32_t)29, (int32_t)0, (int32_t)29)); - __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)29, adjacent_2_combined, __m256i); - __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - adjacent_2_combined0, - libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)8, (int8_t)-1, (int8_t)0, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, - (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)8, (int8_t)-1, - (int8_t)0)); - __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_madd_epi16( - adjacent_4_combined, - libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, - (int16_t)0, (int16_t)1 << 6U, (int16_t)1, (int16_t)0, (int16_t)0, - (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)1 << 6U, - (int16_t)1)); - __m256i adjacent_6_combined = - libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( - adjacent_4_combined0, - libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, - (int32_t)0, (int32_t)4, (int32_t)0)); - __m128i adjacent_6_combined0 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_6_combined); - __m128i adjacent_6_combined1 = libcrux_intrinsics_avx2_mm_sllv_epi32( - adjacent_6_combined0, - libcrux_intrinsics_avx2_mm_set_epi32((int32_t)0, (int32_t)0, (int32_t)0, - (int32_t)20)); - __m128i adjacent_6_combined2 = libcrux_intrinsics_avx2_mm_srli_epi64( - (int32_t)20, adjacent_6_combined1, __m128i); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), - adjacent_6_combined2); - Eurydice_slice uu____0 = out; - Eurydice_slice_copy( - uu____0, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)3U, uint8_t), - uint8_t); +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice serialized) { + if (!(eta == libcrux_ml_dsa_constants_Eta_Two)) { + return libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_4( + serialized); + } + return libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_2( + serialized); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \ - ((int32_t)4) - +/** +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.shift_interval with +const generics +- ETA= 2 +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_4( - __m256i *simd_unit, Eurydice_slice out) { - uint8_t serialized[16U] = {0U}; - __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA), - simd_unit[0U]); - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( - simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28, - (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28)); - __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)28, adjacent_2_combined, __m256i); - __m256i adjacent_4_combined = - libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( - adjacent_2_combined0, - libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, - (int32_t)2, (int32_t)4, (int32_t)0)); - __m128i adjacent_4_combined0 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); - __m128i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - adjacent_4_combined0, libcrux_intrinsics_avx2_mm_set_epi8( - 240U, 240U, 240U, 240U, 240U, 240U, 240U, 240U, - 240U, 240U, 240U, 240U, 12U, 4U, 8U, 0U)); - libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), - adjacent_4_combined1); - Eurydice_slice uu____0 = out; - Eurydice_slice_copy( - uu____0, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)4U, uint8_t), - uint8_t); +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_fd( + __m256i coefficients) { + __m256i uu____0; + __m256i quotient = libcrux_intrinsics_avx2_mm256_mullo_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)26)); + __m256i quotient0 = + libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)7, quotient, __m256i); + __m256i quotient1 = libcrux_intrinsics_avx2_mm256_mullo_epi32( + quotient0, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)5)); + __m256i coefficients_mod_5 = + libcrux_intrinsics_avx2_mm256_sub_epi32(coefficients, quotient1); + uu____0 = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)2U), + coefficients_mod_5); + return uu____0; } -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ - ((int32_t)1 << 17U) - -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_MASK \ - ((LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ - << 1U) - \ - (int32_t)1) +/** +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.sample with const +generics +- ETA= 2 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_fd( + Eurydice_slice input, Eurydice_slice output) { + __m256i potential_coefficients = + libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned( + libcrux_ml_dsa_constants_Eta_Four, input); + int32_t interval_boundary; + interval_boundary = (int32_t)15; + __m256i compare_with_interval_boundary = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32(interval_boundary), + potential_coefficients); + int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( + libcrux_intrinsics_avx2_mm256_castsi256_ps( + compare_with_interval_boundary)); + int32_t good_lower_half = good & (int32_t)15; + int32_t good_upper_half = good >> 4U; + __m256i shifted = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_fd( + potential_coefficients); + uint8_t lower_shuffles[16U]; + memcpy(lower_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_lower_half], + (size_t)16U * sizeof(uint8_t)); + __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); + __m128i lower_coefficients = + libcrux_intrinsics_avx2_mm256_castsi256_si128(shifted); + __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients, lower_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), + lower_coefficients0); + size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); + uint8_t upper_shuffles[16U]; + memcpy(upper_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_upper_half], + (size_t)16U * sizeof(uint8_t)); + __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, shifted, __m128i); + __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients, upper_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, sampled_count, + sampled_count + (size_t)4U, int32_t), + upper_coefficients0); + size_t uu____0 = sampled_count; + return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); +} +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( - Eurydice_slice serialized, __m256i *out) { - __m128i serialized_lower = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_slice_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t)); - __m128i serialized_upper = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_slice_subslice2(serialized, (size_t)2U, (size_t)18U, uint8_t)); - __m256i serialized0 = libcrux_intrinsics_avx2_mm256_set_m128i( - serialized_upper, serialized_lower); - __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - serialized0, - libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)15, (int8_t)14, (int8_t)13, (int8_t)-1, - (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)-1, (int8_t)11, - (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)7, - (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1, (int8_t)6, - (int8_t)5, (int8_t)4, (int8_t)-1, (int8_t)4, (int8_t)3, (int8_t)2, - (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)0)); - __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( - coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0, - (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0)); - __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256( - coefficients0, - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_MASK)); - out[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1), - coefficients1); +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_2_22( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_fd( + randomness, out); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ - ((int32_t)1 << 19U) +/** +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.shift_interval with +const generics +- ETA= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_ac( + __m256i coefficients) { + return libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)4U), + coefficients); +} -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_MASK \ - ((LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ - << 1U) - \ - (int32_t)1) +/** +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.sample with const +generics +- ETA= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_ac( + Eurydice_slice input, Eurydice_slice output) { + __m256i potential_coefficients = + libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned( + libcrux_ml_dsa_constants_Eta_Four, input); + int32_t interval_boundary; + interval_boundary = (int32_t)9; + __m256i compare_with_interval_boundary = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32(interval_boundary), + potential_coefficients); + int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( + libcrux_intrinsics_avx2_mm256_castsi256_ps( + compare_with_interval_boundary)); + int32_t good_lower_half = good & (int32_t)15; + int32_t good_upper_half = good >> 4U; + __m256i shifted = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_ac( + potential_coefficients); + uint8_t lower_shuffles[16U]; + memcpy(lower_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_lower_half], + (size_t)16U * sizeof(uint8_t)); + __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); + __m128i lower_coefficients = + libcrux_intrinsics_avx2_mm256_castsi256_si128(shifted); + __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients, lower_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), + lower_coefficients0); + size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); + uint8_t upper_shuffles[16U]; + memcpy(upper_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_upper_half], + (size_t)16U * sizeof(uint8_t)); + __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, shifted, __m128i); + __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients, upper_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, sampled_count, + sampled_count + (size_t)4U, int32_t), + upper_coefficients0); + size_t uu____0 = sampled_count; + return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); +} +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( - Eurydice_slice serialized, __m256i *out) { - __m128i serialized_lower = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_slice_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t)); - __m128i serialized_upper = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_slice_subslice2(serialized, (size_t)4U, (size_t)20U, uint8_t)); - __m256i serialized0 = libcrux_intrinsics_avx2_mm256_set_m128i( - serialized_upper, serialized_lower); - __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - serialized0, - libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)15, (int8_t)14, (int8_t)13, (int8_t)-1, - (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)-1, (int8_t)10, (int8_t)9, - (int8_t)8, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1, - (int8_t)9, (int8_t)8, (int8_t)7, (int8_t)-1, (int8_t)7, (int8_t)6, - (int8_t)5, (int8_t)-1, (int8_t)4, (int8_t)3, (int8_t)2, (int8_t)-1, - (int8_t)2, (int8_t)1, (int8_t)0)); - __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( - coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0, - (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0)); - __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256( - coefficients0, - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_MASK)); - out[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1), - coefficients1); +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_22( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_ac( + randomness, out); } #define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ @@ -1280,127 +1124,517 @@ libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(__m256i *simd_unit) { - __m256i interval_end = libcrux_intrinsics_avx2_mm256_set1_epi32( - (int32_t)1 - << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - - (size_t)1U)); - return libcrux_intrinsics_avx2_mm256_sub_epi32(interval_end, simd_unit[0U]); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize( + __m256i *simd_unit, Eurydice_slice serialized, size_t gamma1_exponent) { + switch ((uint8_t)gamma1_exponent) { + case 17U: { + libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_17( + simd_unit, serialized); + break; + } + case 19U: { + libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( + simd_unit, serialized); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } } -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T0_DESERIALIZE_COEFFICIENT_MASK \ - (((int32_t)1 << 13U) - (int32_t)1) +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_gamma1_serialize_22( + __m256i *simd_unit, Eurydice_slice serialized, size_t gamma1_exponent) { + libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize(simd_unit, serialized, + gamma1_exponent); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + ((int32_t)1 << 17U) + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_MASK \ + ((LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + << 1U) - \ + (int32_t)1) KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t0_deserialize( +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( Eurydice_slice serialized, __m256i *out) { - uint8_t serialized_extended[16U] = {0U}; - Eurydice_slice_copy( - Eurydice_array_to_subslice2(serialized_extended, (size_t)0U, (size_t)13U, - uint8_t), - serialized, uint8_t); - __m128i serialized0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, serialized_extended, uint8_t)); - __m256i serialized1 = - libcrux_intrinsics_avx2_mm256_set_m128i(serialized0, serialized0); + __m128i serialized_lower = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t)); + __m128i serialized_upper = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(serialized, (size_t)2U, (size_t)18U, uint8_t)); + __m256i serialized0 = libcrux_intrinsics_avx2_mm256_set_m128i( + serialized_upper, serialized_lower); __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - serialized1, + serialized0, libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)-1, (int8_t)12, (int8_t)11, (int8_t)-1, - (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)-1, (int8_t)9, + (int8_t)-1, (int8_t)15, (int8_t)14, (int8_t)13, (int8_t)-1, + (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)-1, (int8_t)11, + (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)7, + (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1, (int8_t)6, + (int8_t)5, (int8_t)4, (int8_t)-1, (int8_t)4, (int8_t)3, (int8_t)2, + (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)0)); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0, + (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0)); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256( + coefficients0, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_MASK)); + out[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1), + coefficients1); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + ((int32_t)1 << 19U) + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_MASK \ + ((LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + << 1U) - \ + (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( + Eurydice_slice serialized, __m256i *out) { + __m128i serialized_lower = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t)); + __m128i serialized_upper = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(serialized, (size_t)4U, (size_t)20U, uint8_t)); + __m256i serialized0 = libcrux_intrinsics_avx2_mm256_set_m128i( + serialized_upper, serialized_lower); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + serialized0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)15, (int8_t)14, (int8_t)13, (int8_t)-1, + (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)-1, (int8_t)10, (int8_t)9, (int8_t)8, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1, - (int8_t)6, (int8_t)5, (int8_t)4, (int8_t)-1, (int8_t)-1, (int8_t)4, - (int8_t)3, (int8_t)-1, (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)-1, - (int8_t)-1, (int8_t)1, (int8_t)0)); + (int8_t)9, (int8_t)8, (int8_t)7, (int8_t)-1, (int8_t)7, (int8_t)6, + (int8_t)5, (int8_t)-1, (int8_t)4, (int8_t)3, (int8_t)2, (int8_t)-1, + (int8_t)2, (int8_t)1, (int8_t)0)); __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)3, (int32_t)6, (int32_t)1, (int32_t)4, - (int32_t)7, (int32_t)2, (int32_t)5, (int32_t)0)); + (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0, + (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0)); __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256( coefficients0, libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T0_DESERIALIZE_COEFFICIENT_MASK)); - out[0U] = - libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(&coefficients1); + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_MASK)); + out[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1), + coefficients1); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t0_serialize( +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize(Eurydice_slice serialized, + __m256i *out, + size_t gamma1_exponent) { + switch ((uint8_t)gamma1_exponent) { + case 17U: { + libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( + serialized, out); + break; + } + case 19U: { + libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( + serialized, out); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_gamma1_deserialize_22( + Eurydice_slice serialized, __m256i *out, size_t gamma1_exponent) { + libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize(serialized, out, + gamma1_exponent); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_commitment_serialize(__m256i *simd_unit, + Eurydice_slice out) { + uint8_t serialized[19U] = {0U}; + switch ((uint8_t)Eurydice_slice_len(out, uint8_t)) { + case 4U: { + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit[0U], libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28, + (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)28, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, + (int32_t)2, (int32_t)4, (int32_t)0)); + __m128i adjacent_4_combined0 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); + __m128i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + adjacent_4_combined0, + libcrux_intrinsics_avx2_mm_set_epi8(240U, 240U, 240U, 240U, 240U, + 240U, 240U, 240U, 240U, 240U, + 240U, 240U, 12U, 4U, 8U, 0U)); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, + uint8_t), + adjacent_4_combined1); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy(uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, + (size_t)4U, uint8_t), + uint8_t); + break; + } + case 6U: { + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit[0U], libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)26, (int32_t)0, (int32_t)26, + (int32_t)0, (int32_t)26, (int32_t)0, (int32_t)26)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)26, adjacent_2_combined, __m256i); + __m256i adjacent_3_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)1, + (int8_t)0, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, + (int8_t)1, (int8_t)0)); + __m256i adjacent_3_combined0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( + adjacent_3_combined, + libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, + (int16_t)1, (int16_t)1, (int16_t)1 << 4U, (int16_t)1, (int16_t)1, + (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, + (int16_t)1 << 4U)); + __m256i adjacent_3_combined1 = libcrux_intrinsics_avx2_mm256_srlv_epi32( + adjacent_3_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)4, (int32_t)0, + (int32_t)0, (int32_t)0, (int32_t)4)); + __m128i lower_3 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_3_combined1); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, + uint8_t), + lower_3); + __m128i upper_3 = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, adjacent_3_combined1, __m128i); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)3U, (size_t)19U, + uint8_t), + upper_3); + Eurydice_slice uu____1 = out; + Eurydice_slice_copy(uu____1, + Eurydice_array_to_subslice2(serialized, (size_t)0U, + (size_t)6U, uint8_t), + uint8_t); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_commitment_serialize_22( + __m256i *simd_unit, Eurydice_slice serialized) { + libcrux_ml_dsa_simd_avx2_encoding_commitment_serialize(simd_unit, serialized); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \ + ((int32_t)4) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_4( __m256i *simd_unit, Eurydice_slice out) { uint8_t serialized[16U] = {0U}; - __m256i simd_unit0 = - libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(simd_unit); + __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA), + simd_unit[0U]); __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( - simd_unit0, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)19, (int32_t)0, (int32_t)19, - (int32_t)0, (int32_t)19, (int32_t)0, (int32_t)19)); + simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28, + (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28)); __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)19, adjacent_2_combined, __m256i); + (int32_t)28, adjacent_2_combined, __m256i); __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( adjacent_2_combined0, libcrux_intrinsics_avx2_mm256_set_epi32( (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, - (int32_t)4, (int32_t)2, (int32_t)0)); - __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_sllv_epi32( - adjacent_4_combined, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)6, (int32_t)0, (int32_t)6, - (int32_t)0, (int32_t)6, (int32_t)0, (int32_t)6)); - __m256i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm256_srli_epi64( - (int32_t)6, adjacent_4_combined0, __m256i); - __m256i second_4_combined = libcrux_intrinsics_avx2_mm256_bsrli_epi128( - (int32_t)8, adjacent_4_combined1, __m256i); - __m256i least_12_bits_shifted_up = libcrux_intrinsics_avx2_mm256_slli_epi64( - (int32_t)52, second_4_combined, __m256i); - __m256i bits_sequential = libcrux_intrinsics_avx2_mm256_add_epi64( - adjacent_4_combined1, least_12_bits_shifted_up); - __m256i bits_sequential0 = libcrux_intrinsics_avx2_mm256_srlv_epi64( - bits_sequential, libcrux_intrinsics_avx2_mm256_set_epi64x( - (int64_t)0, (int64_t)0, (int64_t)12, (int64_t)0)); - __m128i bits_sequential1 = - libcrux_intrinsics_avx2_mm256_castsi256_si128(bits_sequential0); + (int32_t)2, (int32_t)4, (int32_t)0)); + __m128i adjacent_4_combined0 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); + __m128i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + adjacent_4_combined0, libcrux_intrinsics_avx2_mm_set_epi8( + 240U, 240U, 240U, 240U, 240U, 240U, 240U, 240U, + 240U, 240U, 240U, 240U, 12U, 4U, 8U, 0U)); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_slice((size_t)16U, serialized, uint8_t), - bits_sequential1); + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + adjacent_4_combined1); Eurydice_slice uu____0 = out; Eurydice_slice_copy( uu____0, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)13U, uint8_t), + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)4U, uint8_t), uint8_t); } -#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T1_DESERIALIZE_COEFFICIENT_MASK \ - (((int32_t)1 << 10U) - (int32_t)1) +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \ + ((int32_t)2) KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t1_deserialize( - Eurydice_slice bytes, __m256i *out) { - uint8_t bytes_extended[16U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_subslice2(bytes_extended, (size_t)0U, - (size_t)10U, uint8_t), - bytes, uint8_t); - __m128i bytes_loaded = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, bytes_extended, uint8_t)); - __m256i bytes_loaded0 = - libcrux_intrinsics_avx2_mm256_set_m128i(bytes_loaded, bytes_loaded); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_2( + __m256i *simd_unit, Eurydice_slice out) { + uint8_t serialized[16U] = {0U}; + __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA), + simd_unit[0U]); + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)29, (int32_t)0, (int32_t)29, + (int32_t)0, (int32_t)29, (int32_t)0, (int32_t)29)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)29, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)8, (int8_t)-1, (int8_t)0, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)8, (int8_t)-1, + (int8_t)0)); + __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_madd_epi16( + adjacent_4_combined, + libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, + (int16_t)0, (int16_t)1 << 6U, (int16_t)1, (int16_t)0, (int16_t)0, + (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)1 << 6U, + (int16_t)1)); + __m256i adjacent_6_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + adjacent_4_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, + (int32_t)0, (int32_t)4, (int32_t)0)); + __m128i adjacent_6_combined0 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_6_combined); + __m128i adjacent_6_combined1 = libcrux_intrinsics_avx2_mm_sllv_epi32( + adjacent_6_combined0, + libcrux_intrinsics_avx2_mm_set_epi32((int32_t)0, (int32_t)0, (int32_t)0, + (int32_t)20)); + __m128i adjacent_6_combined2 = libcrux_intrinsics_avx2_mm_srli_epi64( + (int32_t)20, adjacent_6_combined1, __m128i); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + adjacent_6_combined2); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)3U, uint8_t), + uint8_t); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_error_serialize( + libcrux_ml_dsa_constants_Eta eta, __m256i *simd_unit, + Eurydice_slice serialized) { + void *uu____0 = (void *)0U; + if (!(eta == libcrux_ml_dsa_constants_Eta_Two)) { + libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_4(simd_unit, + serialized); + return; + } + libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_2(simd_unit, + serialized); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_error_serialize_22( + libcrux_ml_dsa_constants_Eta eta, __m256i *simd_unit, + Eurydice_slice serialized) { + libcrux_ml_dsa_simd_avx2_encoding_error_serialize(eta, simd_unit, serialized); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_error_deserialize( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice serialized, __m256i *out) { + __m256i unsigned0 = + libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned( + eta, serialized); + int32_t eta0; + if (eta == libcrux_ml_dsa_constants_Eta_Two) { + eta0 = (int32_t)2; + } else { + eta0 = (int32_t)4; + } + out[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32(eta0), unsigned0); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_error_deserialize_22( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice serialized, __m256i *out) { + libcrux_ml_dsa_simd_avx2_encoding_error_deserialize(eta, serialized, out); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(__m256i *simd_unit) { + __m256i interval_end = libcrux_intrinsics_avx2_mm256_set1_epi32( + (int32_t)1 + << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - + (size_t)1U)); + return libcrux_intrinsics_avx2_mm256_sub_epi32(interval_end, simd_unit[0U]); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t0_serialize( + __m256i *simd_unit, Eurydice_slice out) { + uint8_t serialized[16U] = {0U}; + __m256i simd_unit0 = + libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(simd_unit); + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit0, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)19, (int32_t)0, (int32_t)19, + (int32_t)0, (int32_t)19, (int32_t)0, (int32_t)19)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)19, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, + (int32_t)4, (int32_t)2, (int32_t)0)); + __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_sllv_epi32( + adjacent_4_combined, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)6, (int32_t)0, (int32_t)6, + (int32_t)0, (int32_t)6, (int32_t)0, (int32_t)6)); + __m256i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)6, adjacent_4_combined0, __m256i); + __m256i second_4_combined = libcrux_intrinsics_avx2_mm256_bsrli_epi128( + (int32_t)8, adjacent_4_combined1, __m256i); + __m256i least_12_bits_shifted_up = libcrux_intrinsics_avx2_mm256_slli_epi64( + (int32_t)52, second_4_combined, __m256i); + __m256i bits_sequential = libcrux_intrinsics_avx2_mm256_add_epi64( + adjacent_4_combined1, least_12_bits_shifted_up); + __m256i bits_sequential0 = libcrux_intrinsics_avx2_mm256_srlv_epi64( + bits_sequential, libcrux_intrinsics_avx2_mm256_set_epi64x( + (int64_t)0, (int64_t)0, (int64_t)12, (int64_t)0)); + __m128i bits_sequential1 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(bits_sequential0); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_slice((size_t)16U, serialized, uint8_t), + bits_sequential1); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)13U, uint8_t), + uint8_t); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t0_serialize_22( + __m256i *simd_unit, Eurydice_slice out) { + libcrux_ml_dsa_simd_avx2_encoding_t0_serialize(simd_unit, out); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T0_DESERIALIZE_COEFFICIENT_MASK \ + (((int32_t)1 << 13U) - (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t0_deserialize( + Eurydice_slice serialized, __m256i *out) { + uint8_t serialized_extended[16U] = {0U}; + Eurydice_slice_copy( + Eurydice_array_to_subslice2(serialized_extended, (size_t)0U, (size_t)13U, + uint8_t), + serialized, uint8_t); + __m128i serialized0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, serialized_extended, uint8_t)); + __m256i serialized1 = + libcrux_intrinsics_avx2_mm256_set_m128i(serialized0, serialized0); __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - bytes_loaded0, + serialized1, libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)-1, (int8_t)-1, - (int8_t)8, (int8_t)7, (int8_t)-1, (int8_t)-1, (int8_t)7, (int8_t)6, - (int8_t)-1, (int8_t)-1, (int8_t)6, (int8_t)5, (int8_t)-1, (int8_t)-1, - (int8_t)4, (int8_t)3, (int8_t)-1, (int8_t)-1, (int8_t)3, (int8_t)2, - (int8_t)-1, (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)-1, (int8_t)-1, - (int8_t)1, (int8_t)0)); + (int8_t)-1, (int8_t)-1, (int8_t)12, (int8_t)11, (int8_t)-1, + (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)-1, (int8_t)9, + (int8_t)8, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1, + (int8_t)6, (int8_t)5, (int8_t)4, (int8_t)-1, (int8_t)-1, (int8_t)4, + (int8_t)3, (int8_t)-1, (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)-1, + (int8_t)-1, (int8_t)1, (int8_t)0)); __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0, - (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0)); - out[0U] = libcrux_intrinsics_avx2_mm256_and_si256( + (int32_t)3, (int32_t)6, (int32_t)1, (int32_t)4, + (int32_t)7, (int32_t)2, (int32_t)5, (int32_t)0)); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256( coefficients0, libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T1_DESERIALIZE_COEFFICIENT_MASK)); + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T0_DESERIALIZE_COEFFICIENT_MASK)); + out[0U] = + libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(&coefficients1); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t0_deserialize_22( + Eurydice_slice serialized, __m256i *out) { + libcrux_ml_dsa_simd_avx2_encoding_t0_deserialize(serialized, out); } KRML_ATTRIBUTE_TARGET("avx2") @@ -1443,2290 +1677,674 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t1_serialize( uint8_t); } -typedef struct core_core_arch_x86___m256i_x2_s { - __m256i fst; - __m256i snd; -} core_core_arch_x86___m256i_x2; - +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 -libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_0( - __m256i simd_unit0, __m256i simd_unit1, int32_t zeta00, int32_t zeta01, - int32_t zeta02, int32_t zeta03, int32_t zeta10, int32_t zeta11, - int32_t zeta12, int32_t zeta13) { - __m256i a_shuffled = libcrux_intrinsics_avx2_mm256_shuffle_epi32( - (int32_t)216, simd_unit0, __m256i); - __m256i b_shuffled0 = libcrux_intrinsics_avx2_mm256_shuffle_epi32( - (int32_t)216, simd_unit1, __m256i); - __m256i lo_values = - libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a_shuffled, b_shuffled0); - __m256i hi_values = - libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a_shuffled, b_shuffled0); - __m256i differences = hi_values; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&differences, &lo_values); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&lo_values, &hi_values); - __m256i sums = lo_values; - __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( - zeta13, zeta12, zeta03, zeta02, zeta11, zeta10, zeta01, zeta00); - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&differences, &zetas); - __m256i a_shuffled0 = - libcrux_intrinsics_avx2_mm256_unpacklo_epi64(sums, differences); - __m256i b_shuffled = - libcrux_intrinsics_avx2_mm256_unpackhi_epi64(sums, differences); - __m256i a = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, - a_shuffled0, __m256i); - __m256i b = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, - b_shuffled, __m256i); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b}); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t1_serialize_22( + __m256i *simd_unit, Eurydice_slice out) { + libcrux_ml_dsa_simd_avx2_encoding_t1_serialize(simd_unit, out); } -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - __m256i *re, size_t index, int32_t zeta00, int32_t zeta01, int32_t zeta02, - int32_t zeta03, int32_t zeta10, int32_t zeta11, int32_t zeta12, - int32_t zeta13) { - core_core_arch_x86___m256i_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_0( - re[index], re[index + (size_t)1U], zeta00, zeta01, zeta02, zeta03, - zeta10, zeta11, zeta12, zeta13); - __m256i lhs0 = uu____0.fst; - __m256i lhs = uu____0.snd; - re[index] = lhs0; - re[index + (size_t)1U] = lhs; -} +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T1_DESERIALIZE_COEFFICIENT_MASK \ + (((int32_t)1 << 10U) - (int32_t)1) KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0( - __m256i *re) { - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)0U, (int32_t)1976782, (int32_t)-846154, (int32_t)1400424, - (int32_t)3937738, (int32_t)-1362209, (int32_t)-48306, (int32_t)3919660, - (int32_t)-554416); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)2U, (int32_t)-3545687, (int32_t)1612842, (int32_t)-976891, - (int32_t)183443, (int32_t)-2286327, (int32_t)-420899, (int32_t)-2235985, - (int32_t)-2939036); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)4U, (int32_t)-3833893, (int32_t)-260646, (int32_t)-1104333, - (int32_t)-1667432, (int32_t)1910376, (int32_t)-1803090, (int32_t)1723600, - (int32_t)-426683); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)6U, (int32_t)472078, (int32_t)1717735, (int32_t)-975884, - (int32_t)2213111, (int32_t)269760, (int32_t)3866901, (int32_t)3523897, - (int32_t)-3038916); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)8U, (int32_t)-1799107, (int32_t)-3694233, (int32_t)1652634, - (int32_t)810149, (int32_t)3014001, (int32_t)1616392, (int32_t)162844, - (int32_t)-3183426); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)10U, (int32_t)-1207385, (int32_t)185531, (int32_t)3369112, - (int32_t)1957272, (int32_t)-164721, (int32_t)2454455, (int32_t)2432395, - (int32_t)-2013608); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)12U, (int32_t)-3776993, (int32_t)594136, (int32_t)-3724270, - (int32_t)-2584293, (int32_t)-1846953, (int32_t)-1671176, - (int32_t)-2831860, (int32_t)-542412); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)14U, (int32_t)3406031, (int32_t)2235880, (int32_t)777191, - (int32_t)1500165, (int32_t)-1374803, (int32_t)-2546312, (int32_t)1917081, - (int32_t)-1279661); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)16U, (int32_t)-1962642, (int32_t)3306115, (int32_t)1312455, - (int32_t)-451100, (int32_t)-1430225, (int32_t)-3318210, (int32_t)1237275, - (int32_t)-1333058); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)18U, (int32_t)-1050970, (int32_t)1903435, (int32_t)1869119, - (int32_t)-2994039, (int32_t)-3548272, (int32_t)2635921, (int32_t)1250494, - (int32_t)-3767016); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)20U, (int32_t)1595974, (int32_t)2486353, (int32_t)1247620, - (int32_t)4055324, (int32_t)1265009, (int32_t)-2590150, (int32_t)2691481, - (int32_t)2842341); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)22U, (int32_t)203044, (int32_t)1735879, (int32_t)-3342277, - (int32_t)3437287, (int32_t)4108315, (int32_t)-2437823, (int32_t)286988, - (int32_t)342297); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)24U, (int32_t)-3595838, (int32_t)-768622, (int32_t)-525098, - (int32_t)-3556995, (int32_t)3207046, (int32_t)2031748, (int32_t)-3122442, - (int32_t)-655327); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)26U, (int32_t)-522500, (int32_t)-43260, (int32_t)-1613174, - (int32_t)495491, (int32_t)819034, (int32_t)909542, (int32_t)1859098, - (int32_t)900702); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)28U, (int32_t)-3193378, (int32_t)-1197226, (int32_t)-3759364, - (int32_t)-3520352, (int32_t)3513181, (int32_t)-1235728, (int32_t)2434439, - (int32_t)266997); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( - re, (size_t)30U, (int32_t)-3562462, (int32_t)-2446433, (int32_t)2244091, - (int32_t)-3342478, (int32_t)3817976, (int32_t)2316500, (int32_t)3407706, - (int32_t)2091667); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 -libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_1( - __m256i simd_unit0, __m256i simd_unit1, int32_t zeta00, int32_t zeta01, - int32_t zeta10, int32_t zeta11) { - __m256i lo_values = - libcrux_intrinsics_avx2_mm256_unpacklo_epi64(simd_unit0, simd_unit1); - __m256i hi_values = - libcrux_intrinsics_avx2_mm256_unpackhi_epi64(simd_unit0, simd_unit1); - __m256i differences = hi_values; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&differences, &lo_values); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&lo_values, &hi_values); - __m256i sums = lo_values; - __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( - zeta11, zeta11, zeta01, zeta01, zeta10, zeta10, zeta00, zeta00); - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&differences, &zetas); - __m256i a = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(sums, differences); - __m256i b = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(sums, differences); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b}); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - __m256i *re, size_t index, int32_t zeta_00, int32_t zeta_01, - int32_t zeta_10, int32_t zeta_11) { - core_core_arch_x86___m256i_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_1( - re[index], re[index + (size_t)1U], zeta_00, zeta_01, zeta_10, - zeta_11); - __m256i lhs0 = uu____0.fst; - __m256i lhs = uu____0.snd; - re[index] = lhs0; - re[index + (size_t)1U] = lhs; -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1( - __m256i *re) { - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)0U, (int32_t)3839961, (int32_t)-3628969, (int32_t)-3881060, - (int32_t)-3019102); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)2U, (int32_t)-1439742, (int32_t)-812732, (int32_t)-1584928, - (int32_t)1285669); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)4U, (int32_t)1341330, (int32_t)1315589, (int32_t)-177440, - (int32_t)-2409325); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)6U, (int32_t)-1851402, (int32_t)3159746, (int32_t)-3553272, - (int32_t)189548); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)8U, (int32_t)-1316856, (int32_t)759969, (int32_t)-210977, - (int32_t)2389356); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)10U, (int32_t)-3249728, (int32_t)1653064, (int32_t)-8578, - (int32_t)-3724342); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)12U, (int32_t)3958618, (int32_t)904516, (int32_t)-1100098, - (int32_t)44288); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)14U, (int32_t)3097992, (int32_t)508951, (int32_t)264944, - (int32_t)-3343383); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)16U, (int32_t)-1430430, (int32_t)1852771, (int32_t)1349076, - (int32_t)-381987); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)18U, (int32_t)-1308169, (int32_t)-22981, (int32_t)-1228525, - (int32_t)-671102); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)20U, (int32_t)-2477047, (int32_t)-411027, (int32_t)-3693493, - (int32_t)-2967645); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)22U, (int32_t)2715295, (int32_t)2147896, (int32_t)-983419, - (int32_t)3412210); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)24U, (int32_t)126922, (int32_t)-3632928, (int32_t)-3157330, - (int32_t)-3190144); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)26U, (int32_t)-1000202, (int32_t)-4083598, (int32_t)1939314, - (int32_t)-1257611); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)28U, (int32_t)-1585221, (int32_t)2176455, (int32_t)3475950, - (int32_t)-1452451); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( - re, (size_t)30U, (int32_t)-3041255, (int32_t)-3677745, (int32_t)-1528703, - (int32_t)-3930395); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 -libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_2( - __m256i simd_unit0, __m256i simd_unit1, int32_t zeta0, int32_t zeta1) { - __m256i lo_values = libcrux_intrinsics_avx2_mm256_permute2x128_si256( - (int32_t)32, simd_unit0, simd_unit1, __m256i); - __m256i hi_values = libcrux_intrinsics_avx2_mm256_permute2x128_si256( - (int32_t)49, simd_unit0, simd_unit1, __m256i); - __m256i differences = hi_values; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&differences, &lo_values); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&lo_values, &hi_values); - __m256i sums = lo_values; - __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( - zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&differences, &zetas); - __m256i a = libcrux_intrinsics_avx2_mm256_permute2x128_si256( - (int32_t)32, sums, differences, __m256i); - __m256i b = libcrux_intrinsics_avx2_mm256_permute2x128_si256( - (int32_t)49, sums, differences, __m256i); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b}); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(__m256i *re, - size_t index, - int32_t zeta1, - int32_t zeta2) { - core_core_arch_x86___m256i_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_2( - re[index], re[index + (size_t)1U], zeta1, zeta2); - __m256i lhs0 = uu____0.fst; - __m256i lhs = uu____0.snd; - re[index] = lhs0; - re[index + (size_t)1U] = lhs; -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2( - __m256i *re) { - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)0U, (int32_t)-2797779, (int32_t)2071892); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)2U, (int32_t)-2556880, (int32_t)3900724); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)4U, (int32_t)3881043, (int32_t)954230); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)6U, (int32_t)531354, (int32_t)811944); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)8U, (int32_t)3699596, (int32_t)-1600420); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)10U, (int32_t)-2140649, (int32_t)3507263); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)12U, (int32_t)-3821735, (int32_t)3505694); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)14U, (int32_t)-1643818, (int32_t)-1699267); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)16U, (int32_t)-539299, (int32_t)2348700); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)18U, (int32_t)-300467, (int32_t)3539968); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)20U, (int32_t)-2867647, (int32_t)3574422); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)22U, (int32_t)-3043716, (int32_t)-3861115); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)24U, (int32_t)3915439, (int32_t)-2537516); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)26U, (int32_t)-3592148, (int32_t)-1661693); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)28U, (int32_t)3530437, (int32_t)3077325); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( - re, (size_t)30U, (int32_t)95776, (int32_t)2706023); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 1 -- ZETA= 280005 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_99( - __m256i *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)280005); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 2 -- STEP_BY= 1 -- ZETA= 4010497 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1c( - __m256i *re) { - for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)4010497); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 4 -- STEP_BY= 1 -- ZETA= -19422 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b( - __m256i *re) { - for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-19422); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 6 -- STEP_BY= 1 -- ZETA= 1757237 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_44( - __m256i *re) { - for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)1757237); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 8 -- STEP_BY= 1 -- ZETA= -3277672 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a8( - __m256i *re) { - for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-3277672); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 10 -- STEP_BY= 1 -- ZETA= -1399561 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1f( - __m256i *re) { - for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-1399561); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 12 -- STEP_BY= 1 -- ZETA= -3859737 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_95( - __m256i *re) { - for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-3859737); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 14 -- STEP_BY= 1 -- ZETA= -2118186 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b( - __m256i *re) { - for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-2118186); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 16 -- STEP_BY= 1 -- ZETA= -2108549 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a( - __m256i *re) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-2108549); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 18 -- STEP_BY= 1 -- ZETA= 2619752 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_e4( - __m256i *re) { - for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)2619752); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 20 -- STEP_BY= 1 -- ZETA= -1119584 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de( - __m256i *re) { - for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-1119584); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 22 -- STEP_BY= 1 -- ZETA= -549488 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_05( - __m256i *re) { - for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-549488); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 24 -- STEP_BY= 1 -- ZETA= 3585928 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d9( - __m256i *re) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)3585928); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 26 -- STEP_BY= 1 -- ZETA= -1079900 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3a( - __m256i *re) { - for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-1079900); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 28 -- STEP_BY= 1 -- ZETA= 1024112 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b0( - __m256i *re) { - for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)1024112); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 30 -- STEP_BY= 1 -- ZETA= 2725464 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a0( - __m256i *re) { - for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)1U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)1U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)2725464); - } -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_3( - __m256i *re) { - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_99(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1c(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_44(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a8(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1f(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_95(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_e4(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_05(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d9(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3a(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b0(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a0(re); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 2 -- ZETA= 2680103 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_990( - __m256i *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)2U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)2680103); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 4 -- STEP_BY= 2 -- ZETA= 3111497 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b0( - __m256i *re) { - for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)2U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)3111497); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 8 -- STEP_BY= 2 -- ZETA= -2884855 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a80( - __m256i *re) { - for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)2U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-2884855); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 12 -- STEP_BY= 2 -- ZETA= 3119733 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_950( - __m256i *re) { - for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)2U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)3119733); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 16 -- STEP_BY= 2 -- ZETA= -2091905 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a0( - __m256i *re) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)2U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-2091905); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 20 -- STEP_BY= 2 -- ZETA= -359251 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de0( - __m256i *re) { - for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)2U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-359251); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 24 -- STEP_BY= 2 -- ZETA= 2353451 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d90( - __m256i *re) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)2U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)2353451); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 28 -- STEP_BY= 2 -- ZETA= 1826347 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b1( - __m256i *re) { - for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)2U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)2U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)1826347); - } -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_4( - __m256i *re) { - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_990(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b0(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a80(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_950(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a0(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de0(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d90(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b1(re); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 4 -- ZETA= 466468 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_991( - __m256i *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)4U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)4U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)466468); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 8 -- STEP_BY= 4 -- ZETA= -876248 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a81( - __m256i *re) { - for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)4U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)4U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-876248); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 16 -- STEP_BY= 4 -- ZETA= -777960 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a1( - __m256i *re) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)4U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)4U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-777960); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 24 -- STEP_BY= 4 -- ZETA= 237124 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d91( - __m256i *re) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)4U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)4U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)237124); - } -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_5( - __m256i *re) { - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_991(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a81(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a1(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d91(re); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 8 -- ZETA= -518909 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_992( - __m256i *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)8U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)8U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-518909); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 16 -- STEP_BY= 8 -- ZETA= -2608894 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a2( - __m256i *re) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)8U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)8U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)-2608894); - } -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_6( - __m256i *re) { - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_992(re); - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a2(re); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 16 -- ZETA= 25847 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_993( - __m256i *re) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { - size_t j = i; - __m256i rejs = re[j + (size_t)16U]; - __m256i a_minus_b = rejs; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&a_minus_b, &re[j]); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &rejs); - re[j + (size_t)16U] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - a_minus_b, (int32_t)25847); - } -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_7( - __m256i *re) { - libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_993(re); -} - -#define LIBCRUX_ML_DSA_SIMD_AVX2_INVNTT_INVERT_NTT_MONTGOMERY_FACTOR \ - ((int32_t)41978) - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(__m256i *re) { - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0(re); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1(re); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2(re); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_3(re); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_4(re); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_5(re); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_6(re); - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_7(re); - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice((size_t)32U, re, __m256i), - __m256i); - i++) { - size_t i0 = i; - re[i0] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - re[i0], - LIBCRUX_ML_DSA_SIMD_AVX2_INVNTT_INVERT_NTT_MONTGOMERY_FACTOR); - } -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 -libcrux_ml_dsa_simd_avx2_ntt_butterfly_2(__m256i a, __m256i b, int32_t zeta_a0, - int32_t zeta_a1, int32_t zeta_a2, - int32_t zeta_a3, int32_t zeta_b0, - int32_t zeta_b1, int32_t zeta_b2, - int32_t zeta_b3) { - __m256i a_shuffled = - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, a, __m256i); - __m256i b_shuffled = - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, b, __m256i); - __m256i summands = - libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a_shuffled, b_shuffled); - __m256i zeta_products = - libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a_shuffled, b_shuffled); - __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( - zeta_b3, zeta_b2, zeta_a3, zeta_a2, zeta_b1, zeta_b0, zeta_a1, zeta_a0); - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&zeta_products, - &zetas); - __m256i sub_terms = summands; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&sub_terms, &zeta_products); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&summands, &zeta_products); - __m256i add_terms = summands; - __m256i a_terms_shuffled = - libcrux_intrinsics_avx2_mm256_unpacklo_epi64(add_terms, sub_terms); - __m256i b_terms_shuffled = - libcrux_intrinsics_avx2_mm256_unpackhi_epi64(add_terms, sub_terms); - __m256i a_out = libcrux_intrinsics_avx2_mm256_shuffle_epi32( - (int32_t)216, a_terms_shuffled, __m256i); - __m256i b_out = libcrux_intrinsics_avx2_mm256_shuffle_epi32( - (int32_t)216, b_terms_shuffled, __m256i); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out}); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 -libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(__m256i a, __m256i b, int32_t zeta_a0, - int32_t zeta_a1, int32_t zeta_b0, - int32_t zeta_b1) { - __m256i summands = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a, b); - __m256i zeta_products = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a, b); - __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( - zeta_b1, zeta_b1, zeta_a1, zeta_a1, zeta_b0, zeta_b0, zeta_a0, zeta_a0); - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&zeta_products, - &zetas); - __m256i sub_terms = summands; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&sub_terms, &zeta_products); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&summands, &zeta_products); - __m256i add_terms = summands; - __m256i a_out = - libcrux_intrinsics_avx2_mm256_unpacklo_epi64(add_terms, sub_terms); - __m256i b_out = - libcrux_intrinsics_avx2_mm256_unpackhi_epi64(add_terms, sub_terms); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out}); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 -libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(__m256i a, __m256i b, int32_t zeta0, - int32_t zeta1) { - __m256i summands = libcrux_intrinsics_avx2_mm256_set_m128i( - libcrux_intrinsics_avx2_mm256_castsi256_si128(b), - libcrux_intrinsics_avx2_mm256_castsi256_si128(a)); - __m256i zeta_products = libcrux_intrinsics_avx2_mm256_permute2x128_si256( - (int32_t)19, b, a, __m256i); - __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( - zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&zeta_products, - &zetas); - __m256i sub_terms = summands; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&sub_terms, &zeta_products); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&summands, &zeta_products); - __m256i add_terms = summands; - __m256i a_out = libcrux_intrinsics_avx2_mm256_set_m128i( - libcrux_intrinsics_avx2_mm256_castsi256_si128(sub_terms), - libcrux_intrinsics_avx2_mm256_castsi256_si128(add_terms)); - __m256i b_out = libcrux_intrinsics_avx2_mm256_permute2x128_si256( - (int32_t)19, sub_terms, add_terms, __m256i); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out}); -} - -#define LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7 \ - ((size_t)2U * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - __m256i *re, size_t index, __m256i zeta, size_t step_by, - __m256i field_modulus, __m256i inverse_of_modulus_mod_montgomery_r) { - __m256i prod02 = - libcrux_intrinsics_avx2_mm256_mul_epi32(re[index + step_by], zeta); - __m256i prod13 = libcrux_intrinsics_avx2_mm256_mul_epi32( - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, - re[index + step_by], __m256i), - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, zeta, __m256i)); - __m256i k02 = libcrux_intrinsics_avx2_mm256_mul_epi32( - prod02, inverse_of_modulus_mod_montgomery_r); - __m256i k13 = libcrux_intrinsics_avx2_mm256_mul_epi32( - prod13, inverse_of_modulus_mod_montgomery_r); - __m256i c02 = libcrux_intrinsics_avx2_mm256_mul_epi32(k02, field_modulus); - __m256i c13 = libcrux_intrinsics_avx2_mm256_mul_epi32(k13, field_modulus); - __m256i res02 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod02, c02); - __m256i res13 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod13, c13); - __m256i res02_shifted = - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, res02, __m256i); - __m256i t = libcrux_intrinsics_avx2_mm256_blend_epi32( - (int32_t)170, res02_shifted, res13, __m256i); - re[index + step_by] = re[index]; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&re[index + step_by], &t); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[index], &t); -} - -#define LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6 \ - (((size_t)1U << 6U) / LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) - -/** - This is equivalent to the pqclean 0 and 1 - - This does 32 Montgomery multiplications (192 multiplications). - This is the same as in pqclean. The only difference is locality of registers. -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6( - __m256i *re) { - __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); - __m256i inverse_of_modulus_mod_montgomery_r = - libcrux_intrinsics_avx2_mm256_set1_epi32( - (int32_t) - LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R); - __m256i zeta7 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)25847); - __m256i zeta60 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)-2608894); - __m256i zeta61 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)-518909); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U + (size_t)1U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U + (size_t)2U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U + (size_t)3U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)8U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)8U + (size_t)1U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)8U + (size_t)2U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)8U + (size_t)3U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U + (size_t)1U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U + (size_t)2U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)0U + (size_t)3U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)16U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)16U + (size_t)1U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)16U + (size_t)2U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)16U + (size_t)3U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U + (size_t)1U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U + (size_t)2U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U + (size_t)3U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)12U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)12U + (size_t)1U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)12U + (size_t)2U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)12U + (size_t)3U, zeta7, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U + (size_t)1U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U + (size_t)2U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)4U + (size_t)3U, zeta60, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)20U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)20U + (size_t)1U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)20U + (size_t)2U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( - re, (size_t)20U + (size_t)3U, zeta61, - LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, - field_modulus, inverse_of_modulus_mod_montgomery_r); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round -with const generics -- STEP= 32 -- STEP_BY= 4 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(__m256i *re, - size_t index, - int32_t zeta) { - __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); - size_t offset = index * (size_t)32U * (size_t)2U / - LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; - for (size_t i = offset; i < offset + (size_t)4U; i++) { - size_t j = i; - __m256i t = re[j + (size_t)4U]; - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&t, &rhs); - re[j + (size_t)4U] = re[j]; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&re[j + (size_t)4U], &t); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &t); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round -with const generics -- STEP= 16 -- STEP_BY= 2 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(__m256i *re, - size_t index, - int32_t zeta) { - __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); - size_t offset = index * (size_t)16U * (size_t)2U / - LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; - for (size_t i = offset; i < offset + (size_t)2U; i++) { - size_t j = i; - __m256i t = re[j + (size_t)2U]; - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&t, &rhs); - re[j + (size_t)2U] = re[j]; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&re[j + (size_t)2U], &t); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &t); - } -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round -with const generics -- STEP= 8 -- STEP_BY= 1 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(__m256i *re, - size_t index, - int32_t zeta) { - __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); - size_t offset = index * (size_t)8U * (size_t)2U / - LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; - for (size_t i = offset; i < offset + (size_t)1U; i++) { - size_t j = i; - __m256i t = re[j + (size_t)1U]; - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&t, &rhs); - re[j + (size_t)1U] = re[j]; - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&re[j + (size_t)1U], &t); - libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[j], &t); - } -} - -/** - Layer 5, 4, 3 - - Each layer does 16 Montgomery multiplications -> 3*16 = 48 total - pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time - (48) -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3( - __m256i *re) { - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)0U, - (int32_t)237124); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)1U, - (int32_t)-777960); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)2U, - (int32_t)-876248); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)3U, - (int32_t)466468); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)0U, - (int32_t)1826347); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)1U, - (int32_t)2353451); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)2U, - (int32_t)-359251); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)3U, - (int32_t)-2091905); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)4U, - (int32_t)3119733); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)5U, - (int32_t)-2884855); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)6U, - (int32_t)3111497); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)7U, - (int32_t)2680103); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)0U, - (int32_t)2725464); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)1U, - (int32_t)1024112); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)2U, - (int32_t)-1079900); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)3U, - (int32_t)3585928); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)4U, - (int32_t)-549488); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)5U, - (int32_t)-1119584); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)6U, - (int32_t)2619752); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)7U, - (int32_t)-2108549); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)8U, - (int32_t)-2118186); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)9U, - (int32_t)-3859737); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)10U, - (int32_t)-1399561); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)11U, - (int32_t)-3277672); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)12U, - (int32_t)1757237); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)13U, - (int32_t)-19422); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)14U, - (int32_t)4010497); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)15U, - (int32_t)280005); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1) { - core_core_arch_x86___m256i_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_ntt_butterfly_8( - re[index], re[index + (size_t)1U], zeta_0, zeta_1); - __m256i a = uu____0.fst; - __m256i b = uu____0.snd; - re[index] = a; - re[index + (size_t)1U] = b; -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2(__m256i *re) { - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)0U, (int32_t)2706023, (int32_t)95776); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)2U, (int32_t)3077325, (int32_t)3530437); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)4U, (int32_t)-1661693, (int32_t)-3592148); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)6U, (int32_t)-2537516, (int32_t)3915439); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)8U, (int32_t)-3861115, (int32_t)-3043716); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)10U, (int32_t)3574422, (int32_t)-2867647); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)12U, (int32_t)3539968, (int32_t)-300467); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)14U, (int32_t)2348700, (int32_t)-539299); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)16U, (int32_t)-1699267, (int32_t)-1643818); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)18U, (int32_t)3505694, (int32_t)-3821735); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)20U, (int32_t)3507263, (int32_t)-2140649); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)22U, (int32_t)-1600420, (int32_t)3699596); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)24U, (int32_t)811944, (int32_t)531354); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)26U, (int32_t)954230, (int32_t)3881043); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)28U, (int32_t)3900724, (int32_t)-2556880); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( - re, (size_t)30U, (int32_t)2071892, (int32_t)-2797779); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1, int32_t zeta_2, - int32_t zeta_3) { - core_core_arch_x86___m256i_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_ntt_butterfly_4( - re[index], re[index + (size_t)1U], zeta_0, zeta_1, zeta_2, zeta_3); - __m256i a = uu____0.fst; - __m256i b = uu____0.snd; - re[index] = a; - re[index + (size_t)1U] = b; -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1(__m256i *re) { - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)0U, (int32_t)-3930395, (int32_t)-1528703, (int32_t)-3677745, - (int32_t)-3041255); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)2U, (int32_t)-1452451, (int32_t)3475950, (int32_t)2176455, - (int32_t)-1585221); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)4U, (int32_t)-1257611, (int32_t)1939314, (int32_t)-4083598, - (int32_t)-1000202); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)6U, (int32_t)-3190144, (int32_t)-3157330, (int32_t)-3632928, - (int32_t)126922); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)8U, (int32_t)3412210, (int32_t)-983419, (int32_t)2147896, - (int32_t)2715295); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)10U, (int32_t)-2967645, (int32_t)-3693493, (int32_t)-411027, - (int32_t)-2477047); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)12U, (int32_t)-671102, (int32_t)-1228525, (int32_t)-22981, - (int32_t)-1308169); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)14U, (int32_t)-381987, (int32_t)1349076, (int32_t)1852771, - (int32_t)-1430430); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)16U, (int32_t)-3343383, (int32_t)264944, (int32_t)508951, - (int32_t)3097992); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)18U, (int32_t)44288, (int32_t)-1100098, (int32_t)904516, - (int32_t)3958618); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)20U, (int32_t)-3724342, (int32_t)-8578, (int32_t)1653064, - (int32_t)-3249728); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)22U, (int32_t)2389356, (int32_t)-210977, (int32_t)759969, - (int32_t)-1316856); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)24U, (int32_t)189548, (int32_t)-3553272, (int32_t)3159746, - (int32_t)-1851402); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)26U, (int32_t)-2409325, (int32_t)-177440, (int32_t)1315589, - (int32_t)1341330); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)28U, (int32_t)1285669, (int32_t)-1584928, (int32_t)-812732, - (int32_t)-1439742); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( - re, (size_t)30U, (int32_t)-3019102, (int32_t)-3881060, (int32_t)-3628969, - (int32_t)3839961); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1, int32_t zeta_2, - int32_t zeta_3, int32_t zeta_4, int32_t zeta_5, int32_t zeta_6, - int32_t zeta_7) { - core_core_arch_x86___m256i_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( - re[index], re[index + (size_t)1U], zeta_0, zeta_1, zeta_2, zeta_3, - zeta_4, zeta_5, zeta_6, zeta_7); - __m256i a = uu____0.fst; - __m256i b = uu____0.snd; - re[index] = a; - re[index + (size_t)1U] = b; -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0(__m256i *re) { - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)0U, (int32_t)2091667, (int32_t)3407706, (int32_t)2316500, - (int32_t)3817976, (int32_t)-3342478, (int32_t)2244091, (int32_t)-2446433, - (int32_t)-3562462); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)2U, (int32_t)266997, (int32_t)2434439, (int32_t)-1235728, - (int32_t)3513181, (int32_t)-3520352, (int32_t)-3759364, (int32_t)-1197226, - (int32_t)-3193378); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)4U, (int32_t)900702, (int32_t)1859098, (int32_t)909542, - (int32_t)819034, (int32_t)495491, (int32_t)-1613174, (int32_t)-43260, - (int32_t)-522500); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)6U, (int32_t)-655327, (int32_t)-3122442, (int32_t)2031748, - (int32_t)3207046, (int32_t)-3556995, (int32_t)-525098, (int32_t)-768622, - (int32_t)-3595838); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)8U, (int32_t)342297, (int32_t)286988, (int32_t)-2437823, - (int32_t)4108315, (int32_t)3437287, (int32_t)-3342277, (int32_t)1735879, - (int32_t)203044); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)10U, (int32_t)2842341, (int32_t)2691481, (int32_t)-2590150, - (int32_t)1265009, (int32_t)4055324, (int32_t)1247620, (int32_t)2486353, - (int32_t)1595974); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)12U, (int32_t)-3767016, (int32_t)1250494, (int32_t)2635921, - (int32_t)-3548272, (int32_t)-2994039, (int32_t)1869119, (int32_t)1903435, - (int32_t)-1050970); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)14U, (int32_t)-1333058, (int32_t)1237275, (int32_t)-3318210, - (int32_t)-1430225, (int32_t)-451100, (int32_t)1312455, (int32_t)3306115, - (int32_t)-1962642); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)16U, (int32_t)-1279661, (int32_t)1917081, (int32_t)-2546312, - (int32_t)-1374803, (int32_t)1500165, (int32_t)777191, (int32_t)2235880, - (int32_t)3406031); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)18U, (int32_t)-542412, (int32_t)-2831860, (int32_t)-1671176, - (int32_t)-1846953, (int32_t)-2584293, (int32_t)-3724270, (int32_t)594136, - (int32_t)-3776993); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)20U, (int32_t)-2013608, (int32_t)2432395, (int32_t)2454455, - (int32_t)-164721, (int32_t)1957272, (int32_t)3369112, (int32_t)185531, - (int32_t)-1207385); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)22U, (int32_t)-3183426, (int32_t)162844, (int32_t)1616392, - (int32_t)3014001, (int32_t)810149, (int32_t)1652634, (int32_t)-3694233, - (int32_t)-1799107); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)24U, (int32_t)-3038916, (int32_t)3523897, (int32_t)3866901, - (int32_t)269760, (int32_t)2213111, (int32_t)-975884, (int32_t)1717735, - (int32_t)472078); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)26U, (int32_t)-426683, (int32_t)1723600, (int32_t)-1803090, - (int32_t)1910376, (int32_t)-1667432, (int32_t)-1104333, (int32_t)-260646, - (int32_t)-3833893); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)28U, (int32_t)-2939036, (int32_t)-2235985, (int32_t)-420899, - (int32_t)-2286327, (int32_t)183443, (int32_t)-976891, (int32_t)1612842, - (int32_t)-3545687); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( - re, (size_t)30U, (int32_t)-554416, (int32_t)3919660, (int32_t)-48306, - (int32_t)-1362209, (int32_t)3937738, (int32_t)1400424, (int32_t)-846154, - (int32_t)1976782); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt(__m256i *re) { - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6(re); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3(re); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2(re); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1(re); - libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0(re); -} - -static const uint8_t - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE - [16U][16U] = {{255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U}, - {4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, - 255U, 255U, 255U}, - {12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U}, - {4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, - 255U, 255U, 255U}, - {8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, - 255U, 255U, 255U, 255U}, - {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, - 255U, 255U, 255U, 255U}, - {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, - 13U, 14U, 15U}}; - -#define LIBCRUX_ML_DSA_SIMD_AVX2_REJECTION_SAMPLE_LESS_THAN_FIELD_MODULUS_BYTESTREAM_TO_POTENTIAL_COEFFICIENTS_COEFFICIENT_MASK \ - (((int32_t)1 << 23U) - (int32_t)1) - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_bytestream_to_potential_coefficients( - Eurydice_slice serialized) { - uint8_t serialized_extended[32U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice_to( - (size_t)32U, serialized_extended, (size_t)24U, uint8_t, size_t); - Eurydice_slice_copy(uu____0, serialized, uint8_t); - __m256i coefficients = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( - Eurydice_array_to_slice((size_t)32U, serialized_extended, uint8_t)); - __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( - coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( - (int32_t)0, (int32_t)5, (int32_t)4, (int32_t)3, - (int32_t)0, (int32_t)2, (int32_t)1, (int32_t)0)); - __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - coefficients0, - libcrux_intrinsics_avx2_mm256_set_epi8( - (int8_t)-1, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)8, - (int8_t)7, (int8_t)6, (int8_t)-1, (int8_t)5, (int8_t)4, (int8_t)3, - (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)0, (int8_t)-1, (int8_t)11, - (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, - (int8_t)-1, (int8_t)5, (int8_t)4, (int8_t)3, (int8_t)-1, (int8_t)2, - (int8_t)1, (int8_t)0)); - return libcrux_intrinsics_avx2_mm256_and_si256( - coefficients1, - libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_AVX2_REJECTION_SAMPLE_LESS_THAN_FIELD_MODULUS_BYTESTREAM_TO_POTENTIAL_COEFFICIENTS_COEFFICIENT_MASK)); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_sample( - Eurydice_slice input, Eurydice_slice output) { - __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); - __m256i potential_coefficients = - libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_bytestream_to_potential_coefficients( - input); - __m256i compare_with_field_modulus = - libcrux_intrinsics_avx2_mm256_cmpgt_epi32(field_modulus, - potential_coefficients); - int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( - libcrux_intrinsics_avx2_mm256_castsi256_ps(compare_with_field_modulus)); - int32_t good_lower_half = good & (int32_t)15; - int32_t good_upper_half = good >> 4U; - uint8_t lower_shuffles[16U]; - memcpy(lower_shuffles, - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( - size_t)good_lower_half], - (size_t)16U * sizeof(uint8_t)); - __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); - __m128i lower_coefficients = - libcrux_intrinsics_avx2_mm256_castsi256_si128(potential_coefficients); - __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - lower_coefficients, lower_shuffles0); - libcrux_intrinsics_avx2_mm_storeu_si128_i32( - Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), - lower_coefficients0); - size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); - uint8_t upper_shuffles[16U]; - memcpy(upper_shuffles, - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( - size_t)good_upper_half], - (size_t)16U * sizeof(uint8_t)); - __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); - __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, potential_coefficients, __m128i); - __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - upper_coefficients, upper_shuffles0); - libcrux_intrinsics_avx2_mm_storeu_si128_i32( - Eurydice_slice_subslice2(output, sampled_count, - sampled_count + (size_t)4U, int32_t), - upper_coefficients0); - size_t uu____0 = sampled_count; - return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline bool -libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_is_bit_set( - size_t number, uint8_t bit_position) { - return (number & (size_t)1U << (uint32_t)bit_position) >> - (uint32_t)bit_position == - (size_t)1U; -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline void -libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_generate_shuffle_table( - uint8_t ret[16U][16U]) { - uint8_t byte_shuffles[16U][16U] = { - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}, - {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, - 255U, 255U, 255U, 255U}}; - for (size_t i0 = (size_t)0U; i0 < (size_t)1U << 4U; i0++) { - size_t bit_pattern = i0; - size_t byte_shuffles_index = (size_t)0U; - for (uint8_t i = 0U; i < 4U; i = (uint32_t)i + 1U) { - uint8_t bit_position = i; - if (libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_is_bit_set( - bit_pattern, bit_position)) { - byte_shuffles[bit_pattern][byte_shuffles_index] = - (uint32_t)bit_position * 4U; - byte_shuffles_index++; - byte_shuffles[bit_pattern][byte_shuffles_index] = - (uint32_t)bit_position * 4U + 1U; - byte_shuffles_index++; - byte_shuffles[bit_pattern][byte_shuffles_index] = - (uint32_t)bit_position * 4U + 2U; - byte_shuffles_index++; - byte_shuffles[bit_pattern][byte_shuffles_index] = - (uint32_t)bit_position * 4U + 3U; - byte_shuffles_index++; - } - } - } - memcpy(ret, byte_shuffles, (size_t)16U * sizeof(uint8_t[16U])); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i -libcrux_ml_dsa_simd_avx2_vector_type_from_coefficient_array( - Eurydice_slice coefficient_array) { - return libcrux_intrinsics_avx2_mm256_loadu_si256_i32(coefficient_array); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_vector_type_to_coefficient_array(__m256i *value, - Eurydice_slice out) { - libcrux_intrinsics_avx2_mm256_storeu_si256_i32(out, value[0U]); -} - -/** -This function found in impl {(core::clone::Clone for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_simd_avx2_vector_type_clone_ca(void **self) {} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_add_a2(__m256i *lhs, - __m256i *rhs) { - libcrux_ml_dsa_simd_avx2_arithmetic_add(lhs, rhs); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_commitment_serialize_a2( - __m256i *simd_unit, Eurydice_slice serialized) { - libcrux_ml_dsa_simd_avx2_encoding_commitment_serialize(simd_unit, serialized); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_from_coefficient_array_a2( - Eurydice_slice coefficient_array) { - return libcrux_ml_dsa_simd_avx2_vector_type_from_coefficient_array( - coefficient_array); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE bool libcrux_ml_dsa_simd_avx2_infinity_norm_exceeds_a2( - __m256i *simd_unit, int32_t bound) { - return libcrux_ml_dsa_simd_avx2_arithmetic_infinity_norm_exceeds(simd_unit, - bound); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_a2( - __m256i *simd_units) { - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(simd_units); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_montgomery_multiply_a2( - __m256i *lhs, __m256i *rhs) { - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(lhs, rhs); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_a2( - __m256i *simd_units) { - libcrux_ml_dsa_simd_avx2_ntt_ntt(simd_units); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t1_deserialize( + Eurydice_slice bytes, __m256i *out) { + uint8_t bytes_extended[16U] = {0U}; + Eurydice_slice_copy(Eurydice_array_to_subslice2(bytes_extended, (size_t)0U, + (size_t)10U, uint8_t), + bytes, uint8_t); + __m128i bytes_loaded = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, bytes_extended, uint8_t)); + __m256i bytes_loaded0 = + libcrux_intrinsics_avx2_mm256_set_m128i(bytes_loaded, bytes_loaded); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + bytes_loaded0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)-1, (int8_t)-1, + (int8_t)8, (int8_t)7, (int8_t)-1, (int8_t)-1, (int8_t)7, (int8_t)6, + (int8_t)-1, (int8_t)-1, (int8_t)6, (int8_t)5, (int8_t)-1, (int8_t)-1, + (int8_t)4, (int8_t)3, (int8_t)-1, (int8_t)-1, (int8_t)3, (int8_t)2, + (int8_t)-1, (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)-1, (int8_t)-1, + (int8_t)1, (int8_t)0)); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0, + (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0)); + out[0U] = libcrux_intrinsics_avx2_mm256_and_si256( + coefficients0, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T1_DESERIALIZE_COEFFICIENT_MASK)); } /** This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_power2round_a2( - __m256i *t0, __m256i *t1) { - libcrux_ml_dsa_simd_avx2_arithmetic_power2round(t0, t1); -} - -/** -A monomorphic instance of -libcrux_ml_dsa.simd.avx2.encoding.error.deserialize_to_unsigned with const -generics -- ETA= 4 +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac( - Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_4( - serialized); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t1_deserialize_22( + Eurydice_slice serialized, __m256i *out) { + libcrux_ml_dsa_simd_avx2_encoding_t1_deserialize(serialized, out); } -/** -A monomorphic instance of -libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.shift_interval with -const generics -- ETA= 2 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_fd( - __m256i coefficients) { - __m256i uu____0; - __m256i quotient = libcrux_intrinsics_avx2_mm256_mullo_epi32( - coefficients, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)26)); - __m256i quotient0 = - libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)7, quotient, __m256i); - __m256i quotient1 = libcrux_intrinsics_avx2_mm256_mullo_epi32( - quotient0, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)5)); - __m256i coefficients_mod_5 = - libcrux_intrinsics_avx2_mm256_sub_epi32(coefficients, quotient1); - uu____0 = libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)2U), - coefficients_mod_5); - return uu____0; -} +#define LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7 \ + ((size_t)2U * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) -/** -A monomorphic instance of -libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.sample with const -generics -- ETA= 2 -*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_fd( - Eurydice_slice input, Eurydice_slice output) { - __m256i potential_coefficients = - libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac(input); - int32_t interval_boundary; - interval_boundary = (int32_t)15; - __m256i compare_with_interval_boundary = - libcrux_intrinsics_avx2_mm256_cmpgt_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32(interval_boundary), - potential_coefficients); - int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( - libcrux_intrinsics_avx2_mm256_castsi256_ps( - compare_with_interval_boundary)); - int32_t good_lower_half = good & (int32_t)15; - int32_t good_upper_half = good >> 4U; - __m256i shifted = - libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_fd( - potential_coefficients); - uint8_t lower_shuffles[16U]; - memcpy(lower_shuffles, - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( - size_t)good_lower_half], - (size_t)16U * sizeof(uint8_t)); - __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); - __m128i lower_coefficients = - libcrux_intrinsics_avx2_mm256_castsi256_si128(shifted); - __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - lower_coefficients, lower_shuffles0); - libcrux_intrinsics_avx2_mm_storeu_si128_i32( - Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), - lower_coefficients0); - size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); - uint8_t upper_shuffles[16U]; - memcpy(upper_shuffles, - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( - size_t)good_upper_half], - (size_t)16U * sizeof(uint8_t)); - __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); - __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, shifted, __m128i); - __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - upper_coefficients, upper_shuffles0); - libcrux_intrinsics_avx2_mm_storeu_si128_i32( - Eurydice_slice_subslice2(output, sampled_count, - sampled_count + (size_t)4U, int32_t), - upper_coefficients0); - size_t uu____0 = sampled_count; - return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + __m256i *re, size_t index, __m256i zeta, size_t step_by, + __m256i field_modulus, __m256i inverse_of_modulus_mod_montgomery_r) { + __m256i prod02 = + libcrux_intrinsics_avx2_mm256_mul_epi32(re[index + step_by], zeta); + __m256i prod13 = libcrux_intrinsics_avx2_mm256_mul_epi32( + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, + re[index + step_by], __m256i), + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, zeta, __m256i)); + __m256i k02 = libcrux_intrinsics_avx2_mm256_mul_epi32( + prod02, inverse_of_modulus_mod_montgomery_r); + __m256i k13 = libcrux_intrinsics_avx2_mm256_mul_epi32( + prod13, inverse_of_modulus_mod_montgomery_r); + __m256i c02 = libcrux_intrinsics_avx2_mm256_mul_epi32(k02, field_modulus); + __m256i c13 = libcrux_intrinsics_avx2_mm256_mul_epi32(k13, field_modulus); + __m256i res02 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod02, c02); + __m256i res13 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod13, c13); + __m256i res02_shifted = + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, res02, __m256i); + __m256i t = libcrux_intrinsics_avx2_mm256_blend_epi32( + (int32_t)170, res02_shifted, res13, __m256i); + re[index + step_by] = re[index]; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&re[index + step_by], &t); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&re[index], &t); } +#define LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6 \ + (((size_t)1U << 6U) / LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) + /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} + This is equivalent to the pqclean 0 and 1 + + This does 32 Montgomery multiplications (192 multiplications). + This is the same as in pqclean. The only difference is locality of registers. */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_2_a2( - Eurydice_slice randomness, Eurydice_slice out) { - return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_fd( - randomness, out); +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6( + __m256i *re) { + __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + __m256i inverse_of_modulus_mod_montgomery_r = + libcrux_intrinsics_avx2_mm256_set1_epi32( + (int32_t) + LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R); + __m256i zeta7 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)25847); + __m256i zeta60 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)-2608894); + __m256i zeta61 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)-518909); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)1U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)2U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)3U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)8U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)8U + (size_t)1U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)8U + (size_t)2U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)8U + (size_t)3U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)1U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)2U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)3U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)16U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)16U + (size_t)1U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)16U + (size_t)2U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)16U + (size_t)3U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)1U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)2U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)3U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)12U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)12U + (size_t)1U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)12U + (size_t)2U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)12U + (size_t)3U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)1U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)2U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)3U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)20U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)20U + (size_t)1U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)20U + (size_t)2U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)20U + (size_t)3U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); } /** -A monomorphic instance of -libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.shift_interval with -const generics -- ETA= 4 +A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round +with const generics +- STEP= 32 +- STEP_BY= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_ac( - __m256i coefficients) { - return libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)4U), - coefficients); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(__m256i *re, + size_t index, + int32_t zeta) { + __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); + size_t offset = index * (size_t)32U * (size_t)2U / + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; + for (size_t i = offset; i < offset + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&re[j + (size_t)4U], + &rhs); + __m256i tmp = + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j], re[j + (size_t)4U]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)4U]); + re[j + (size_t)4U] = tmp; + } } /** -A monomorphic instance of -libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.sample with const -generics -- ETA= 4 +A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round +with const generics +- STEP= 16 +- STEP_BY= 2 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_ac( - Eurydice_slice input, Eurydice_slice output) { - __m256i potential_coefficients = - libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac(input); - int32_t interval_boundary; - interval_boundary = (int32_t)9; - __m256i compare_with_interval_boundary = - libcrux_intrinsics_avx2_mm256_cmpgt_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32(interval_boundary), - potential_coefficients); - int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( - libcrux_intrinsics_avx2_mm256_castsi256_ps( - compare_with_interval_boundary)); - int32_t good_lower_half = good & (int32_t)15; - int32_t good_upper_half = good >> 4U; - __m256i shifted = - libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_ac( - potential_coefficients); - uint8_t lower_shuffles[16U]; - memcpy(lower_shuffles, - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( - size_t)good_lower_half], - (size_t)16U * sizeof(uint8_t)); - __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); - __m128i lower_coefficients = - libcrux_intrinsics_avx2_mm256_castsi256_si128(shifted); - __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - lower_coefficients, lower_shuffles0); - libcrux_intrinsics_avx2_mm_storeu_si128_i32( - Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), - lower_coefficients0); - size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); - uint8_t upper_shuffles[16U]; - memcpy(upper_shuffles, - libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( - size_t)good_upper_half], - (size_t)16U * sizeof(uint8_t)); - __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); - __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, shifted, __m128i); - __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - upper_coefficients, upper_shuffles0); - libcrux_intrinsics_avx2_mm_storeu_si128_i32( - Eurydice_slice_subslice2(output, sampled_count, - sampled_count + (size_t)4U, int32_t), - upper_coefficients0); - size_t uu____0 = sampled_count; - return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(__m256i *re, + size_t index, + int32_t zeta) { + __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); + size_t offset = index * (size_t)16U * (size_t)2U / + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; + for (size_t i = offset; i < offset + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&re[j + (size_t)2U], + &rhs); + __m256i tmp = + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j], re[j + (size_t)2U]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)2U]); + re[j + (size_t)2U] = tmp; + } } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round +with const generics +- STEP= 8 +- STEP_BY= 1 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_a2( - Eurydice_slice randomness, Eurydice_slice out) { - return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_ac( - randomness, out); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(__m256i *re, + size_t index, + int32_t zeta) { + __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); + size_t offset = index * (size_t)8U * (size_t)2U / + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; + for (size_t i = offset; i < offset + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&re[j + (size_t)1U], + &rhs); + __m256i tmp = + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j], re[j + (size_t)1U]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = tmp; + } } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} + Layer 5, 4, 3 + + Each layer does 16 Montgomery multiplications -> 3*16 = 48 total + pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time + (48) */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_a2( - Eurydice_slice randomness, Eurydice_slice out) { - return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_sample( - randomness, out); +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)0U, + (int32_t)237124); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)1U, + (int32_t)-777960); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)2U, + (int32_t)-876248); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)3U, + (int32_t)466468); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)0U, + (int32_t)1826347); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)1U, + (int32_t)2353451); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)2U, + (int32_t)-359251); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)3U, + (int32_t)-2091905); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)4U, + (int32_t)3119733); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)5U, + (int32_t)-2884855); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)6U, + (int32_t)3111497); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)7U, + (int32_t)2680103); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)0U, + (int32_t)2725464); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)1U, + (int32_t)1024112); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)2U, + (int32_t)-1079900); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)3U, + (int32_t)3585928); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)4U, + (int32_t)-549488); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)5U, + (int32_t)-1119584); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)6U, + (int32_t)2619752); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)7U, + (int32_t)-2108549); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)8U, + (int32_t)-2118186); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)9U, + (int32_t)-3859737); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)10U, + (int32_t)-1399561); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)11U, + (int32_t)-3277672); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)12U, + (int32_t)1757237); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)13U, + (int32_t)-19422); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)14U, + (int32_t)4010497); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)15U, + (int32_t)280005); } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_subtract_a2(__m256i *lhs, - __m256i *rhs) { - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(lhs, rhs); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_butterfly_8( + __m256i *re, size_t index, int32_t zeta0, int32_t zeta1) { + __m256i summands = libcrux_intrinsics_avx2_mm256_set_m128i( + libcrux_intrinsics_avx2_mm256_castsi256_si128(re[index + (size_t)1U]), + libcrux_intrinsics_avx2_mm256_castsi256_si128(re[index])); + __m256i zeta_products = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)19, re[index + (size_t)1U], re[index], __m256i); + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&zeta_products, + &zetas); + __m256i sub_terms = + libcrux_intrinsics_avx2_mm256_sub_epi32(summands, zeta_products); + __m256i add_terms = + libcrux_intrinsics_avx2_mm256_add_epi32(summands, zeta_products); + re[index] = libcrux_intrinsics_avx2_mm256_set_m128i( + libcrux_intrinsics_avx2_mm256_castsi256_si128(sub_terms), + libcrux_intrinsics_avx2_mm256_castsi256_si128(add_terms)); + re[index + (size_t)1U] = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)19, sub_terms, add_terms, __m256i); } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t0_deserialize_a2( - Eurydice_slice serialized, __m256i *out) { - libcrux_ml_dsa_simd_avx2_encoding_t0_deserialize(serialized, out); +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2(__m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)0U, (int32_t)2706023, + (int32_t)95776); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)2U, (int32_t)3077325, + (int32_t)3530437); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)4U, (int32_t)-1661693, + (int32_t)-3592148); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)6U, (int32_t)-2537516, + (int32_t)3915439); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)8U, (int32_t)-3861115, + (int32_t)-3043716); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)10U, (int32_t)3574422, + (int32_t)-2867647); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)12U, (int32_t)3539968, + (int32_t)-300467); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)14U, (int32_t)2348700, + (int32_t)-539299); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)16U, (int32_t)-1699267, + (int32_t)-1643818); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)18U, (int32_t)3505694, + (int32_t)-3821735); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)20U, (int32_t)3507263, + (int32_t)-2140649); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)22U, (int32_t)-1600420, + (int32_t)3699596); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)24U, (int32_t)811944, + (int32_t)531354); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)26U, (int32_t)954230, + (int32_t)3881043); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)28U, (int32_t)3900724, + (int32_t)-2556880); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(re, (size_t)30U, (int32_t)2071892, + (int32_t)-2797779); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_butterfly_4( + __m256i *re, size_t index, int32_t zeta_a0, int32_t zeta_a1, + int32_t zeta_b0, int32_t zeta_b1) { + __m256i summands = libcrux_intrinsics_avx2_mm256_unpacklo_epi64( + re[index], re[index + (size_t)1U]); + __m256i zeta_products = libcrux_intrinsics_avx2_mm256_unpackhi_epi64( + re[index], re[index + (size_t)1U]); + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta_b1, zeta_b1, zeta_a1, zeta_a1, zeta_b0, zeta_b0, zeta_a0, zeta_a0); + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&zeta_products, + &zetas); + __m256i sub_terms = + libcrux_intrinsics_avx2_mm256_sub_epi32(summands, zeta_products); + __m256i add_terms = + libcrux_intrinsics_avx2_mm256_add_epi32(summands, zeta_products); + re[index] = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(add_terms, sub_terms); + re[index + (size_t)1U] = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(add_terms, sub_terms); } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t0_serialize_a2( - __m256i *simd_unit, Eurydice_slice out) { - libcrux_ml_dsa_simd_avx2_encoding_t0_serialize(simd_unit, out); +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1(__m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)0U, (int32_t)-3930395, + (int32_t)-1528703, (int32_t)-3677745, + (int32_t)-3041255); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)2U, (int32_t)-1452451, + (int32_t)3475950, (int32_t)2176455, + (int32_t)-1585221); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)4U, (int32_t)-1257611, + (int32_t)1939314, (int32_t)-4083598, + (int32_t)-1000202); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)6U, (int32_t)-3190144, + (int32_t)-3157330, (int32_t)-3632928, + (int32_t)126922); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)8U, (int32_t)3412210, + (int32_t)-983419, (int32_t)2147896, + (int32_t)2715295); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)10U, (int32_t)-2967645, + (int32_t)-3693493, (int32_t)-411027, + (int32_t)-2477047); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)12U, (int32_t)-671102, + (int32_t)-1228525, (int32_t)-22981, + (int32_t)-1308169); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)14U, (int32_t)-381987, + (int32_t)1349076, (int32_t)1852771, + (int32_t)-1430430); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)16U, (int32_t)-3343383, + (int32_t)264944, (int32_t)508951, + (int32_t)3097992); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)18U, (int32_t)44288, + (int32_t)-1100098, (int32_t)904516, + (int32_t)3958618); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)20U, (int32_t)-3724342, + (int32_t)-8578, (int32_t)1653064, + (int32_t)-3249728); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)22U, (int32_t)2389356, + (int32_t)-210977, (int32_t)759969, + (int32_t)-1316856); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)24U, (int32_t)189548, + (int32_t)-3553272, (int32_t)3159746, + (int32_t)-1851402); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)26U, (int32_t)-2409325, + (int32_t)-177440, (int32_t)1315589, + (int32_t)1341330); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)28U, (int32_t)1285669, + (int32_t)-1584928, (int32_t)-812732, + (int32_t)-1439742); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(re, (size_t)30U, (int32_t)-3019102, + (int32_t)-3881060, (int32_t)-3628969, + (int32_t)3839961); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + __m256i *re, size_t index, int32_t zeta_a0, int32_t zeta_a1, + int32_t zeta_a2, int32_t zeta_a3, int32_t zeta_b0, int32_t zeta_b1, + int32_t zeta_b2, int32_t zeta_b3) { + __m256i a = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, + re[index], __m256i); + __m256i b = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)216, re[index + (size_t)1U], __m256i); + __m256i summands = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a, b); + __m256i zeta_products = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a, b); + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta_b3, zeta_b2, zeta_a3, zeta_a2, zeta_b1, zeta_b0, zeta_a1, zeta_a0); + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&zeta_products, + &zetas); + __m256i sub_terms = + libcrux_intrinsics_avx2_mm256_sub_epi32(summands, zeta_products); + __m256i add_terms = + libcrux_intrinsics_avx2_mm256_add_epi32(summands, zeta_products); + __m256i a_terms_shuffled = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(add_terms, sub_terms); + __m256i b_terms_shuffled = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(add_terms, sub_terms); + re[index] = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)216, a_terms_shuffled, __m256i); + re[index + (size_t)1U] = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)216, b_terms_shuffled, __m256i); } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t1_deserialize_a2( - Eurydice_slice serialized, __m256i *out) { - libcrux_ml_dsa_simd_avx2_encoding_t1_deserialize(serialized, out); +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0(__m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)0U, (int32_t)2091667, (int32_t)3407706, (int32_t)2316500, + (int32_t)3817976, (int32_t)-3342478, (int32_t)2244091, (int32_t)-2446433, + (int32_t)-3562462); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)2U, (int32_t)266997, (int32_t)2434439, (int32_t)-1235728, + (int32_t)3513181, (int32_t)-3520352, (int32_t)-3759364, (int32_t)-1197226, + (int32_t)-3193378); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)4U, (int32_t)900702, (int32_t)1859098, (int32_t)909542, + (int32_t)819034, (int32_t)495491, (int32_t)-1613174, (int32_t)-43260, + (int32_t)-522500); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)6U, (int32_t)-655327, (int32_t)-3122442, (int32_t)2031748, + (int32_t)3207046, (int32_t)-3556995, (int32_t)-525098, (int32_t)-768622, + (int32_t)-3595838); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)8U, (int32_t)342297, (int32_t)286988, (int32_t)-2437823, + (int32_t)4108315, (int32_t)3437287, (int32_t)-3342277, (int32_t)1735879, + (int32_t)203044); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)10U, (int32_t)2842341, (int32_t)2691481, (int32_t)-2590150, + (int32_t)1265009, (int32_t)4055324, (int32_t)1247620, (int32_t)2486353, + (int32_t)1595974); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)12U, (int32_t)-3767016, (int32_t)1250494, (int32_t)2635921, + (int32_t)-3548272, (int32_t)-2994039, (int32_t)1869119, (int32_t)1903435, + (int32_t)-1050970); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)14U, (int32_t)-1333058, (int32_t)1237275, (int32_t)-3318210, + (int32_t)-1430225, (int32_t)-451100, (int32_t)1312455, (int32_t)3306115, + (int32_t)-1962642); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)16U, (int32_t)-1279661, (int32_t)1917081, (int32_t)-2546312, + (int32_t)-1374803, (int32_t)1500165, (int32_t)777191, (int32_t)2235880, + (int32_t)3406031); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)18U, (int32_t)-542412, (int32_t)-2831860, (int32_t)-1671176, + (int32_t)-1846953, (int32_t)-2584293, (int32_t)-3724270, (int32_t)594136, + (int32_t)-3776993); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)20U, (int32_t)-2013608, (int32_t)2432395, (int32_t)2454455, + (int32_t)-164721, (int32_t)1957272, (int32_t)3369112, (int32_t)185531, + (int32_t)-1207385); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)22U, (int32_t)-3183426, (int32_t)162844, (int32_t)1616392, + (int32_t)3014001, (int32_t)810149, (int32_t)1652634, (int32_t)-3694233, + (int32_t)-1799107); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)24U, (int32_t)-3038916, (int32_t)3523897, (int32_t)3866901, + (int32_t)269760, (int32_t)2213111, (int32_t)-975884, (int32_t)1717735, + (int32_t)472078); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)26U, (int32_t)-426683, (int32_t)1723600, (int32_t)-1803090, + (int32_t)1910376, (int32_t)-1667432, (int32_t)-1104333, (int32_t)-260646, + (int32_t)-3833893); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)28U, (int32_t)-2939036, (int32_t)-2235985, (int32_t)-420899, + (int32_t)-2286327, (int32_t)183443, (int32_t)-976891, (int32_t)1612842, + (int32_t)-3545687); + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re, (size_t)30U, (int32_t)-554416, (int32_t)3919660, (int32_t)-48306, + (int32_t)-1362209, (int32_t)3937738, (int32_t)1400424, (int32_t)-846154, + (int32_t)1976782); } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t1_serialize_a2( - __m256i *simd_unit, Eurydice_slice out) { - libcrux_ml_dsa_simd_avx2_encoding_t1_serialize(simd_unit, out); +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_avx2_ntt(__m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6(re); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3(re); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2(re); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1(re); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0(re); } -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_to_coefficient_array_a2( - __m256i *value, Eurydice_slice out) { - libcrux_ml_dsa_simd_avx2_vector_type_to_coefficient_array(value, out); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt(__m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_avx2_ntt(re); } /** This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_a2( - __m256i simd_units[32U], __m256i ret[32U]) { - __m256i re[32U]; - for (size_t i = (size_t)0U; i < (size_t)32U; i++) { - re[i] = libcrux_intrinsics_avx2_mm256_setzero_si256(); - } - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - re[i0] = simd_units[i0]; - } - /* Passing arrays by value in Rust generates a copy in C */ - __m256i copy_of_re[32U]; - memcpy(copy_of_re, re, (size_t)32U * sizeof(__m256i)); - __m256i result[32U]; - libcrux_ml_dsa_simd_avx2_ntt_ntt(copy_of_re, result); - __m256i out[32U]; - for (size_t i = (size_t)0U; i < (size_t)32U; i++) { - out[i] = libcrux_ml_dsa_simd_avx2_vector_type_ZERO(); - } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)32U, result, __m256i), __m256i); - i++) { - size_t i0 = i; - out[i0] = result[i0]; - } - memcpy(ret, out, (size_t)32U * sizeof(__m256i)); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_22( + __m256i *simd_units) { + libcrux_ml_dsa_simd_avx2_ntt_ntt(simd_units); } +typedef struct libcrux_ml_dsa_simd_avx2_vector_type_Vec256_x2_s { + __m256i fst; + __m256i snd; +} libcrux_ml_dsa_simd_avx2_vector_type_Vec256_x2; + KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +static KRML_MUSTINLINE libcrux_ml_dsa_simd_avx2_vector_type_Vec256_x2 libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_0( __m256i simd_unit0, __m256i simd_unit1, int32_t zeta00, int32_t zeta01, int32_t zeta02, int32_t zeta03, int32_t zeta10, int32_t zeta11, int32_t zeta12, int32_t zeta13) { - __m256i a_shuffled0 = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + __m256i a_shuffled = libcrux_intrinsics_avx2_mm256_shuffle_epi32( (int32_t)216, simd_unit0, __m256i); __m256i b_shuffled0 = libcrux_intrinsics_avx2_mm256_shuffle_epi32( (int32_t)216, simd_unit1, __m256i); __m256i lo_values = - libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a_shuffled0, b_shuffled0); + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a_shuffled, b_shuffled0); __m256i hi_values = - libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a_shuffled0, b_shuffled0); - __m256i sums = libcrux_ml_dsa_simd_avx2_arithmetic_add(lo_values, hi_values); - __m256i differences = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(hi_values, lo_values); + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a_shuffled, b_shuffled0); + __m256i differences = hi_values; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&differences, &lo_values); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&lo_values, &hi_values); + __m256i sums = lo_values; __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( zeta13, zeta12, zeta03, zeta02, zeta11, zeta10, zeta01, zeta00); - __m256i products = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( - differences, zetas); - __m256i a_shuffled = - libcrux_intrinsics_avx2_mm256_unpacklo_epi64(sums, products); + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&differences, &zetas); + __m256i a_shuffled0 = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(sums, differences); __m256i b_shuffled = - libcrux_intrinsics_avx2_mm256_unpackhi_epi64(sums, products); + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(sums, differences); __m256i a = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, - a_shuffled, __m256i); + a_shuffled0, __m256i); __m256i b = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, b_shuffled, __m256i); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b}); + return (CLITERAL(libcrux_ml_dsa_simd_avx2_vector_type_Vec256_x2){.fst = a, + .snd = b}); } KRML_ATTRIBUTE_TARGET("avx2") @@ -3735,7 +2353,7 @@ libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( __m256i *re, size_t index, int32_t zeta00, int32_t zeta01, int32_t zeta02, int32_t zeta03, int32_t zeta10, int32_t zeta11, int32_t zeta12, int32_t zeta13) { - core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_vector_type_Vec256_x2 uu____0 = libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_0( re[index], re[index + (size_t)1U], zeta00, zeta01, zeta02, zeta03, zeta10, zeta11, zeta12, zeta13); @@ -3815,7 +2433,7 @@ static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +static KRML_MUSTINLINE libcrux_ml_dsa_simd_avx2_vector_type_Vec256_x2 libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_1( __m256i simd_unit0, __m256i simd_unit1, int32_t zeta00, int32_t zeta01, int32_t zeta10, int32_t zeta11) { @@ -3823,16 +2441,17 @@ libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_1( libcrux_intrinsics_avx2_mm256_unpacklo_epi64(simd_unit0, simd_unit1); __m256i hi_values = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(simd_unit0, simd_unit1); - __m256i sums = libcrux_ml_dsa_simd_avx2_arithmetic_add(lo_values, hi_values); - __m256i differences = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(hi_values, lo_values); + __m256i differences = hi_values; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&differences, &lo_values); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&lo_values, &hi_values); + __m256i sums = lo_values; __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( zeta11, zeta11, zeta01, zeta01, zeta10, zeta10, zeta00, zeta00); - __m256i products = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( - differences, zetas); - __m256i a = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(sums, products); - __m256i b = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(sums, products); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b}); + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&differences, &zetas); + __m256i a = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(sums, differences); + __m256i b = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(sums, differences); + return (CLITERAL(libcrux_ml_dsa_simd_avx2_vector_type_Vec256_x2){.fst = a, + .snd = b}); } KRML_ATTRIBUTE_TARGET("avx2") @@ -3840,7 +2459,7 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( __m256i *re, size_t index, int32_t zeta_00, int32_t zeta_01, int32_t zeta_10, int32_t zeta_11) { - core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_vector_type_Vec256_x2 uu____0 = libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_1( re[index], re[index + (size_t)1U], zeta_00, zeta_01, zeta_10, zeta_11); @@ -3904,25 +2523,26 @@ static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +static KRML_MUSTINLINE libcrux_ml_dsa_simd_avx2_vector_type_Vec256_x2 libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_2( __m256i simd_unit0, __m256i simd_unit1, int32_t zeta0, int32_t zeta1) { __m256i lo_values = libcrux_intrinsics_avx2_mm256_permute2x128_si256( (int32_t)32, simd_unit0, simd_unit1, __m256i); __m256i hi_values = libcrux_intrinsics_avx2_mm256_permute2x128_si256( (int32_t)49, simd_unit0, simd_unit1, __m256i); - __m256i sums = libcrux_ml_dsa_simd_avx2_arithmetic_add(lo_values, hi_values); - __m256i differences = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(hi_values, lo_values); + __m256i differences = hi_values; + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(&differences, &lo_values); + libcrux_ml_dsa_simd_avx2_arithmetic_add(&lo_values, &hi_values); + __m256i sums = lo_values; __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); - __m256i products = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( - differences, zetas); + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(&differences, &zetas); __m256i a = libcrux_intrinsics_avx2_mm256_permute2x128_si256( - (int32_t)32, sums, products, __m256i); + (int32_t)32, sums, differences, __m256i); __m256i b = libcrux_intrinsics_avx2_mm256_permute2x128_si256( - (int32_t)49, sums, products, __m256i); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b}); + (int32_t)49, sums, differences, __m256i); + return (CLITERAL(libcrux_ml_dsa_simd_avx2_vector_type_Vec256_x2){.fst = a, + .snd = b}); } KRML_ATTRIBUTE_TARGET("avx2") @@ -3931,7 +2551,7 @@ libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(__m256i *re, size_t index, int32_t zeta1, int32_t zeta2) { - core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_vector_type_Vec256_x2 uu____0 = libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_2( re[index], re[index + (size_t)1U], zeta1, zeta2); __m256i lhs0 = uu____0.fst; @@ -4019,8 +2639,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_99( for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)280005); @@ -4040,8 +2660,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1c( for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)4010497); @@ -4061,8 +2681,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b( for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-19422); @@ -4082,8 +2702,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_44( for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)1757237); @@ -4103,8 +2723,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a8( for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-3277672); @@ -4124,8 +2744,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1f( for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-1399561); @@ -4145,8 +2765,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_95( for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-3859737); @@ -4166,8 +2786,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b( for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-2118186); @@ -4187,8 +2807,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a( for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-2108549); @@ -4208,8 +2828,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_e4( for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)2619752); @@ -4229,8 +2849,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de( for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-1119584); @@ -4250,8 +2870,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_05( for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-549488); @@ -4271,8 +2891,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d9( for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)3585928); @@ -4292,8 +2912,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3a( for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-1079900); @@ -4313,8 +2933,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b0( for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)1024112); @@ -4334,8 +2954,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a0( for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)1U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)1U]); re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)2725464); @@ -4376,8 +2996,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_990( for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)2U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)2U]); re[j + (size_t)2U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)2680103); @@ -4397,8 +3017,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b0( for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)2U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)2U]); re[j + (size_t)2U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)3111497); @@ -4418,8 +3038,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a80( for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)2U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)2U]); re[j + (size_t)2U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-2884855); @@ -4439,8 +3059,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_950( for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)2U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)2U]); re[j + (size_t)2U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)3119733); @@ -4460,8 +3080,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a0( for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)2U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)2U]); re[j + (size_t)2U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-2091905); @@ -4481,8 +3101,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de0( for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)2U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)2U]); re[j + (size_t)2U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-359251); @@ -4502,8 +3122,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d90( for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)2U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)2U]); re[j + (size_t)2U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)2353451); @@ -4523,8 +3143,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b1( for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)2U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)2U]); re[j + (size_t)2U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)1826347); @@ -4557,8 +3177,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_991( for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)4U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)4U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)4U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)4U]); re[j + (size_t)4U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)466468); @@ -4578,8 +3198,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a81( for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)4U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)4U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)4U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)4U]); re[j + (size_t)4U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-876248); @@ -4599,8 +3219,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a1( for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)4U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)4U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)4U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)4U]); re[j + (size_t)4U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-777960); @@ -4620,8 +3240,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d91( for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)4U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)4U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)4U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)4U]); re[j + (size_t)4U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)237124); @@ -4650,8 +3270,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_992( for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)8U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)8U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)8U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)8U]); re[j + (size_t)8U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-518909); @@ -4671,8 +3291,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a2( for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { size_t j = i; __m256i a_minus_b = - libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)8U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)8U]); + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)8U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)8U]); re[j + (size_t)8U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)-2608894); @@ -4698,9 +3318,9 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_993( __m256i *re) { for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { size_t j = i; - __m256i a_minus_b = libcrux_ml_dsa_simd_avx2_arithmetic_subtract( - re[j + (size_t)16U], re[j]); - re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)16U]); + __m256i a_minus_b = + libcrux_intrinsics_avx2_mm256_sub_epi32(re[j + (size_t)16U], re[j]); + re[j] = libcrux_intrinsics_avx2_mm256_add_epi32(re[j], re[j + (size_t)16U]); re[j + (size_t)16U] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( a_minus_b, (int32_t)25847); @@ -4713,10 +3333,12 @@ static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_7( libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_993(re); } +#define LIBCRUX_ML_DSA_SIMD_AVX2_INVNTT_INVERT_NTT_MONTGOMERY_INV_INNER_FACTOR \ + ((int32_t)41978) + KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(__m256i re[32U], - __m256i ret[32U]) { +static inline void +libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery_inv_inner(__m256i *re) { libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0(re); libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1(re); libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2(re); @@ -4730,56 +3352,36 @@ libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(__m256i re[32U], __m256i); i++) { size_t i0 = i; - re[i0] = - libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( - re[i0], (int32_t)41978); - } - memcpy(ret, re, (size_t)32U * sizeof(__m256i)); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_a2( - __m256i simd_units[32U], __m256i ret[32U]) { - __m256i re[32U]; - for (size_t i = (size_t)0U; i < (size_t)32U; i++) { - re[i] = libcrux_intrinsics_avx2_mm256_setzero_si256(); - } - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - re[i0] = simd_units[i0]; - } - /* Passing arrays by value in Rust generates a copy in C */ - __m256i copy_of_re[32U]; - memcpy(copy_of_re, re, (size_t)32U * sizeof(__m256i)); - __m256i result[32U]; - libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(copy_of_re, result); - __m256i out[32U]; - for (size_t i = (size_t)0U; i < (size_t)32U; i++) { - out[i] = libcrux_ml_dsa_simd_avx2_vector_type_ZERO(); - } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)32U, result, __m256i), __m256i); - i++) { - size_t i0 = i; - out[i0] = result[i0]; + re[i0] = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + re[i0], + LIBCRUX_ML_DSA_SIMD_AVX2_INVNTT_INVERT_NTT_MONTGOMERY_INV_INNER_FACTOR); } - memcpy(ret, out, (size_t)32U * sizeof(__m256i)); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(__m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery_inv_inner(re); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_22( + __m256i *simd_units) { + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(simd_units); } /** A monomorphic instance of libcrux_ml_dsa.polynomial.PolynomialRingElement -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 */ -typedef struct libcrux_ml_dsa_polynomial_PolynomialRingElement_24_s { +typedef struct libcrux_ml_dsa_polynomial_PolynomialRingElement_4b_s { __m256i simd_units[32U]; -} libcrux_ml_dsa_polynomial_PolynomialRingElement_24; +} libcrux_ml_dsa_polynomial_PolynomialRingElement_4b; /** This function found in impl @@ -4787,59 +3389,59 @@ This function found in impl TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_dsa.polynomial.ZERO_ff -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics - -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24 -libcrux_ml_dsa_polynomial_ZERO_ff_ea(void) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 lit; - lit.simd_units[0U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[1U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[2U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[3U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[4U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[5U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[6U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[7U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[8U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[9U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[10U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[11U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[12U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[13U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[14U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[15U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[16U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[17U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[18U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[19U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[20U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[21U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[22U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[23U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[24U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[25U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[26U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[27U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[28U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[29U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[30U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); - lit.simd_units[31U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); +A monomorphic instance of libcrux_ml_dsa.polynomial.zero_ff +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_4b +libcrux_ml_dsa_polynomial_zero_ff_21(void) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b lit; + lit.simd_units[0U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[1U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[2U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[3U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[4U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[5U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[6U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[7U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[8U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[9U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[10U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[11U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[12U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[13U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[14U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[15U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[16U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[17U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[18U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[19U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[20U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[21U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[22U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[23U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[24U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[25U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[26U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[27U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[28U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[29U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[30U] = libcrux_ml_dsa_simd_avx2_zero_22(); + lit.simd_units[31U] = libcrux_ml_dsa_simd_avx2_zero_22(); return lit; } /** A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_field_modulus with types -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics +libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool -libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( +libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { bool done = false; for (size_t i = (size_t)0U; @@ -4851,7 +3453,7 @@ libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( if (!done) { Eurydice_slice uu____0 = random_bytes; size_t sampled = - libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_a2( + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_22( uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, sampled_coefficients[0U], int32_t, size_t)); @@ -4865,20 +3467,6 @@ libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( return done; } -/** -A monomorphic instance of libcrux_ml_dsa.sample.update_matrix -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_sample_update_matrix_fe( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*m)[5U], size_t i, - size_t j, libcrux_ml_dsa_polynomial_PolynomialRingElement_24 v) { - m[i][j] = v; -} - /** This function found in impl {libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, @@ -4886,26 +3474,25 @@ TraitClause@1]} */ /** A monomorphic instance of libcrux_ml_dsa.polynomial.from_i32_array_ff -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24 -libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(Eurydice_slice array) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result = - libcrux_ml_dsa_polynomial_ZERO_ff_ea(); +static inline void libcrux_ml_dsa_polynomial_from_i32_array_ff_21( + Eurydice_slice array, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *result) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) { size_t i0 = i; - result.simd_units[i0] = libcrux_ml_dsa_simd_avx2_from_coefficient_array_a2( + libcrux_ml_dsa_simd_avx2_from_coefficient_array_22( Eurydice_slice_subslice2( array, i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, (i0 + (size_t)1U) * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, - int32_t)); + int32_t), + &result->simd_units[i0]); } - return result; } /** @@ -4919,28 +3506,43 @@ libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(Eurydice_slice array) { `rand_stack` is a working buffer that holds initial Shake output. */ /** -A monomorphic instance of libcrux_ml_dsa.sample.sample_up_to_four_ring_elements -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +A monomorphic instance of +libcrux_ml_dsa.sample.sample_up_to_four_ring_elements_flat with types +libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_hash_functions_simd256_Shake128x4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 + */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - Eurydice_slice seed, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*matrix)[5U], +libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_0a( + size_t columns, Eurydice_slice seed, Eurydice_slice matrix, uint8_t *rand_stack0, uint8_t *rand_stack1, uint8_t *rand_stack2, - uint8_t *rand_stack3, Eurydice_slice tmp_stack, uint8_t_x2 *indices, + uint8_t *rand_stack3, Eurydice_slice tmp_stack, size_t start_index, size_t elements_requested) { uint8_t seed0[34U]; - libcrux_ml_dsa_sample_add_domain_separator(seed, indices[0U], seed0); + libcrux_ml_dsa_sample_add_domain_separator( + seed, + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_xy(start_index, + columns), + seed0); uint8_t seed1[34U]; - libcrux_ml_dsa_sample_add_domain_separator(seed, indices[1U], seed1); + libcrux_ml_dsa_sample_add_domain_separator( + seed, + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_xy( + start_index + (size_t)1U, columns), + seed1); uint8_t seed2[34U]; - libcrux_ml_dsa_sample_add_domain_separator(seed, indices[2U], seed2); + libcrux_ml_dsa_sample_add_domain_separator( + seed, + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_xy( + start_index + (size_t)2U, columns), + seed2); uint8_t seed3[34U]; - libcrux_ml_dsa_sample_add_domain_separator(seed, indices[3U], seed3); + libcrux_ml_dsa_sample_add_domain_separator( + seed, + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_xy( + start_index + (size_t)3U, columns), + seed3); libcrux_sha3_avx2_x4_incremental_KeccakState state = libcrux_ml_dsa_hash_functions_simd256_init_absorb_7b( Eurydice_array_to_slice((size_t)34U, seed0, uint8_t), @@ -4954,25 +3556,25 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( size_t sampled2 = (size_t)0U; size_t sampled3 = (size_t)0U; bool done0 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)840U, rand_stack0, uint8_t), &sampled0, Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], int32_t(*)[263U])); bool done1 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)840U, rand_stack1, uint8_t), &sampled1, Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], int32_t(*)[263U])); bool done2 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)840U, rand_stack2, uint8_t), &sampled2, Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], int32_t(*)[263U])); bool done3 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)840U, rand_stack3, uint8_t), &sampled3, Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], @@ -4989,7 +3591,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( &state); if (!done0) { done0 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.fst, uint8_t), &sampled0, @@ -4998,7 +3600,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } if (!done1) { done1 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.snd, uint8_t), &sampled1, @@ -5007,7 +3609,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } if (!done2) { done2 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.thd, uint8_t), &sampled2, @@ -5016,7 +3618,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } if (!done3) { done3 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), &sampled3, @@ -5030,7 +3632,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( &state); if (!done0) { done0 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.fst, uint8_t), &sampled0, @@ -5039,7 +3641,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } if (!done1) { done1 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.snd, uint8_t), &sampled1, @@ -5048,7 +3650,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } if (!done2) { done2 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.thd, uint8_t), &sampled2, @@ -5057,7 +3659,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } if (!done3) { done3 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), &sampled3, @@ -5070,7 +3672,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_7b(&state); if (!done0) { done0 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.fst, uint8_t), &sampled0, @@ -5079,7 +3681,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } if (!done1) { done1 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.snd, uint8_t), &sampled1, @@ -5088,7 +3690,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } if (!done2) { done2 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.thd, uint8_t), &sampled2, @@ -5097,7 +3699,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } if (!done3) { done3 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), &sampled3, @@ -5110,7 +3712,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_7b(&state); if (!done0) { done0 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.fst, uint8_t), &sampled0, @@ -5119,7 +3721,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } if (!done1) { done1 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.snd, uint8_t), &sampled1, @@ -5128,7 +3730,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } if (!done2) { done2 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.thd, uint8_t), &sampled2, @@ -5137,7 +3739,7 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } if (!done3) { done3 = - libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_21( Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), &sampled3, Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], @@ -5145,252 +3747,431 @@ libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( } } } - for (size_t i0 = (size_t)0U; i0 < elements_requested; i0++) { - size_t k = i0; - size_t uu____0 = k; - uint8_t i = indices[uu____0].fst; - uint8_t j = indices[uu____0].snd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24(*uu____1)[5U] = matrix; - size_t uu____2 = (size_t)i; - size_t uu____3 = (size_t)j; - libcrux_ml_dsa_sample_update_matrix_fe( - uu____1, uu____2, uu____3, - libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(Eurydice_array_to_slice( + for (size_t i = (size_t)0U; i < elements_requested; i++) { + size_t k = i; + libcrux_ml_dsa_polynomial_from_i32_array_ff_21( + Eurydice_array_to_slice( (size_t)263U, Eurydice_slice_index(tmp_stack, k, int32_t[263U], int32_t(*)[263U]), - int32_t))); + int32_t), + &Eurydice_slice_index( + matrix, start_index + k, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); } } /** -A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_6_by_5 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_flat +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_hash_functions_simd256_Shake128x4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_6_by_5_f4( - Eurydice_slice seed, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*matrix)[5U]) { +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_flat_0a( + size_t columns, Eurydice_slice seed, Eurydice_slice matrix) { uint8_t rand_stack0[840U] = {0U}; uint8_t rand_stack1[840U] = {0U}; uint8_t rand_stack2[840U] = {0U}; uint8_t rand_stack3[840U] = {0U}; int32_t tmp_stack[4U][263U] = {{0U}}; - uint8_t_x2 buf[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 0U}), - (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 1U}), - (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 2U}), - (CLITERAL(uint8_t_x2){.fst = 0U, .snd = 3U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf, - (size_t)4U); - uint8_t_x2 buf0[4U] = {(CLITERAL(uint8_t_x2){.fst = 0U, .snd = 4U}), - (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 0U}), - (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 1U}), - (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 2U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf0, - (size_t)4U); - uint8_t_x2 buf1[4U] = {(CLITERAL(uint8_t_x2){.fst = 1U, .snd = 3U}), - (CLITERAL(uint8_t_x2){.fst = 1U, .snd = 4U}), - (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 0U}), - (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 1U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf1, - (size_t)4U); - uint8_t_x2 buf2[4U] = {(CLITERAL(uint8_t_x2){.fst = 2U, .snd = 2U}), - (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 3U}), - (CLITERAL(uint8_t_x2){.fst = 2U, .snd = 4U}), - (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 0U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf2, - (size_t)4U); - uint8_t_x2 buf3[4U] = {(CLITERAL(uint8_t_x2){.fst = 3U, .snd = 1U}), - (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 2U}), - (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 3U}), - (CLITERAL(uint8_t_x2){.fst = 3U, .snd = 4U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf3, - (size_t)4U); - uint8_t_x2 buf4[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 0U}), - (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 1U}), - (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 2U}), - (CLITERAL(uint8_t_x2){.fst = 4U, .snd = 3U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf4, - (size_t)4U); - uint8_t_x2 buf5[4U] = {(CLITERAL(uint8_t_x2){.fst = 4U, .snd = 4U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 0U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 1U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 2U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf5, - (size_t)4U); - uint8_t_x2 buf6[4U] = {(CLITERAL(uint8_t_x2){.fst = 5U, .snd = 3U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 4U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 5U}), - (CLITERAL(uint8_t_x2){.fst = 5U, .snd = 6U})}; - libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_f4( - seed, matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, - Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), buf6, - (size_t)2U); -} - -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.avx2.matrix_avx2 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + matrix, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b) / + (size_t)4U; + i++) { + size_t start_index = i; + size_t start_index0 = start_index * (size_t)4U; + size_t uu____0 = start_index0 + (size_t)4U; + size_t elements_requested; + if (uu____0 <= + Eurydice_slice_len( + matrix, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)) { + elements_requested = (size_t)4U; + } else { + elements_requested = + Eurydice_slice_len( + matrix, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b) - + start_index0; + } + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_0a( + columns, seed, matrix, rand_stack0, rand_stack1, rand_stack2, + rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), + start_index0, elements_requested); + } +} + +/** +This function found in impl {(libcrux_ml_dsa::samplex4::X4Sampler for +libcrux_ml_dsa::samplex4::avx2::AVX2Sampler)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.avx2.matrix_flat.inner_b8 +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 + */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_samplex4_avx2_matrix_avx2_fe( - Eurydice_slice seed, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*matrix)[5U]) { - uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)6U, .snd = (uint8_t)(size_t)5U}; - switch (uu____0.fst) { - case 6U: { - switch (uu____0.snd) { - case 5U: { - libcrux_ml_dsa_samplex4_matrix_6_by_5_f4(seed, matrix); - return; - } - default: { - } +static inline void libcrux_ml_dsa_samplex4_avx2_matrix_flat_inner_b8_21( + size_t columns, Eurydice_slice seed, Eurydice_slice matrix) { + libcrux_ml_dsa_samplex4_matrix_flat_0a(columns, seed, matrix); +} + +/** +This function found in impl {(libcrux_ml_dsa::samplex4::X4Sampler for +libcrux_ml_dsa::samplex4::avx2::AVX2Sampler)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.avx2.matrix_flat_b8 +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_samplex4_avx2_matrix_flat_b8_21( + size_t columns, Eurydice_slice seed, Eurydice_slice matrix) { + libcrux_ml_dsa_samplex4_avx2_matrix_flat_inner_b8_21(columns, seed, matrix); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_4 with types +libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_21( + Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { + bool done = false; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) { + size_t _cloop_i = i; + Eurydice_slice random_bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U, + _cloop_i * (size_t)4U + (size_t)4U, uint8_t); + if (!done) { + Eurydice_slice uu____0 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_22( + uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, + sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; } - break; - } - default: { } } - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "panic!"); - KRML_HOST_EXIT(255U); + return done; } /** -This function found in impl {(libcrux_ml_dsa::samplex4::X4Sampler for -libcrux_ml_dsa::samplex4::avx2::AVX2Sampler)} +A monomorphic instance of +libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_2 with types +libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics + */ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_2_21( + Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { + bool done = false; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) { + size_t _cloop_i = i; + Eurydice_slice random_bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U, + _cloop_i * (size_t)4U + (size_t)4U, uint8_t); + if (!done) { + Eurydice_slice uu____0 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_2_22( + uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, + sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; + } + } + } + return done; +} + /** -A monomorphic instance of libcrux_ml_dsa.samplex4.avx2.matrix_b8 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_eta +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_avx2_matrix_b8_fe( - Eurydice_slice seed, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*matrix)[5U]) { - libcrux_ml_dsa_samplex4_avx2_matrix_avx2_fe(seed, matrix); +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice randomness, + size_t *sampled, int32_t *out) { + if (!(eta == libcrux_ml_dsa_constants_Eta_Two)) { + return libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_21( + randomness, sampled, out); + } + return libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_2_21( + randomness, sampled, out); } /** A monomorphic instance of libcrux_ml_dsa.sample.sample_four_error_ring_elements -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics -- ETA= 4 + */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb(Eurydice_slice seed, - uint16_t start_index, - Eurydice_slice re) { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::cmp::impls::{core::cmp::Ord for usize}#59 min\")\n"); - KRML_HOST_EXIT(255U); +libcrux_ml_dsa_sample_sample_four_error_ring_elements_fc( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice seed, uint16_t start_index, + Eurydice_slice re) { + uint8_t seed0[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator(seed, start_index, seed0); + uint8_t seed1[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + seed, (uint32_t)start_index + 1U, seed1); + uint8_t seed2[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + seed, (uint32_t)start_index + 2U, seed2); + uint8_t seed3[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + seed, (uint32_t)start_index + 3U, seed3); + libcrux_sha3_avx2_x4_incremental_KeccakState state = + libcrux_ml_dsa_hash_functions_simd256_init_absorb_x4_fb( + Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed3, uint8_t)); + uint8_t_136size_t__x4 randomnesses0 = + libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_x4_fb(&state); + int32_t out[4U][263U] = {{0U}}; + size_t sampled0 = (size_t)0U; + size_t sampled1 = (size_t)0U; + size_t sampled2 = (size_t)0U; + size_t sampled3 = (size_t)0U; + bool done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, Eurydice_array_to_slice((size_t)136U, randomnesses0.fst, uint8_t), + &sampled0, out[0U]); + bool done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, Eurydice_array_to_slice((size_t)136U, randomnesses0.snd, uint8_t), + &sampled1, out[1U]); + bool done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, Eurydice_array_to_slice((size_t)136U, randomnesses0.thd, uint8_t), + &sampled2, out[2U]); + bool done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, Eurydice_array_to_slice((size_t)136U, randomnesses0.f3, uint8_t), + &sampled3, out[3U]); + while (true) { + if (done0) { + if (done1) { + if (done2) { + if (done3) { + break; + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, + uint8_t), + &sampled0, out[0U]); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, + uint8_t), + &sampled1, out[1U]); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, + uint8_t), + &sampled2, out[2U]); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, + uint8_t), + &sampled3, out[3U]); + } + } + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, + uint8_t), + &sampled0, out[0U]); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, + uint8_t), + &sampled1, out[1U]); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, + uint8_t), + &sampled2, out[2U]); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), + &sampled3, out[3U]); + } + } + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t), + &sampled0, out[0U]); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t), + &sampled1, out[1U]); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t), + &sampled2, out[2U]); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), + &sampled3, out[3U]); + } + } + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t), + &sampled0, out[0U]); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t), + &sampled1, out[1U]); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t), + &sampled2, out[2U]); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_21( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), + &sampled3, out[3U]); + } + } + } + size_t max0 = (size_t)start_index + (size_t)4U; + size_t max; + if (Eurydice_slice_len( + re, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b) < max0) { + max = Eurydice_slice_len( + re, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); + } else { + max = max0; + } + for (size_t i = (size_t)start_index; i < max; i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_from_i32_array_ff_21( + Eurydice_array_to_slice((size_t)263U, out[i0 % (size_t)4U], int32_t), + &Eurydice_slice_index( + re, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + } } /** A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics -- ETA= 4 -- ROW_COLUMN= 11 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_sample_s1_and_s2_31( - Eurydice_slice seed, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *s1_s2) { - for (size_t i = (size_t)0U; - i < core_num__usize_11__div_ceil((size_t)11U, (size_t)4U); i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_sample_s1_and_s2_fc( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice seed, + Eurydice_slice s1_s2) { + size_t len = Eurydice_slice_len( + s1_s2, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); + for (size_t i = (size_t)0U; i < len / (size_t)4U; i++) { size_t i0 = i; - libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( - seed, 4U * (uint32_t)(uint16_t)i0, - Eurydice_array_to_slice( - (size_t)11U, s1_s2, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_sample_sample_four_error_ring_elements_fc( + eta, seed, 4U * (uint32_t)(uint16_t)i0, s1_s2); + } + size_t remainder = len % (size_t)4U; + if (remainder != (size_t)0U) { + libcrux_ml_dsa_sample_sample_four_error_ring_elements_fc( + eta, seed, (uint16_t)(len - remainder), s1_s2); } } /** A monomorphic instance of libcrux_ml_dsa.ntt.ntt -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 -libcrux_ml_dsa_ntt_ntt_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re) { - __m256i uu____0[32U]; - memcpy(uu____0, re.simd_units, (size_t)32U * sizeof(__m256i)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 lit; - __m256i ret[32U]; - libcrux_ml_dsa_simd_avx2_ntt_a2(uu____0, ret); - memcpy(lit.simd_units, ret, (size_t)32U * sizeof(__m256i)); - return lit; -} - -/** -A monomorphic instance of libcrux_ml_dsa.matrix.compute_As1_plus_s2.closure -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24 -libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_fe(Eurydice_slice *state, - size_t i) { - return libcrux_ml_dsa_ntt_ntt_ea(Eurydice_slice_index( - state[0U], i, libcrux_ml_dsa_polynomial_PolynomialRingElement_24, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *)); +static KRML_MUSTINLINE void libcrux_ml_dsa_ntt_ntt_21( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *re) { + libcrux_ml_dsa_simd_avx2_ntt_22(re->simd_units); } /** A monomorphic instance of libcrux_ml_dsa.ntt.ntt_multiply_montgomery -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 -libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *lhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 out = - libcrux_ml_dsa_polynomial_ZERO_ff_ea(); +static KRML_MUSTINLINE void libcrux_ml_dsa_ntt_ntt_multiply_montgomery_21( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *lhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *rhs) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)32U, out.simd_units, __m256i), + Eurydice_array_to_slice((size_t)32U, lhs->simd_units, __m256i), __m256i); i++) { size_t i0 = i; - out.simd_units[i0] = libcrux_ml_dsa_simd_avx2_montgomery_multiply_a2( - lhs->simd_units[i0], rhs->simd_units[i0]); + libcrux_ml_dsa_simd_avx2_montgomery_multiply_22(&lhs->simd_units[i0], + &rhs->simd_units[i0]); } - return out; } /** @@ -5400,199 +4181,157 @@ TraitClause@1]} */ /** A monomorphic instance of libcrux_ml_dsa.polynomial.add_ff -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 -libcrux_ml_dsa_polynomial_add_ff_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *self, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 sum = - libcrux_ml_dsa_polynomial_ZERO_ff_ea(); +static KRML_MUSTINLINE void libcrux_ml_dsa_polynomial_add_ff_21( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *self, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *rhs) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)32U, sum.simd_units, __m256i), + Eurydice_array_to_slice((size_t)32U, self->simd_units, __m256i), __m256i); i++) { size_t i0 = i; - sum.simd_units[i0] = libcrux_ml_dsa_simd_avx2_add_a2(&self->simd_units[i0], - &rhs->simd_units[i0]); + libcrux_ml_dsa_simd_avx2_add_22(&self->simd_units[i0], + &rhs->simd_units[i0]); } - return sum; } /** A monomorphic instance of libcrux_ml_dsa.ntt.invert_ntt_montgomery -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 -libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re) { - __m256i uu____0[32U]; - memcpy(uu____0, re.simd_units, (size_t)32U * sizeof(__m256i)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 lit; - __m256i ret[32U]; - libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_a2(uu____0, ret); - memcpy(lit.simd_units, ret, (size_t)32U * sizeof(__m256i)); - return lit; +static KRML_MUSTINLINE void libcrux_ml_dsa_ntt_invert_ntt_montgomery_21( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *re) { + libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_22(re->simd_units); } /** Compute InvertNTT(Â ◦ ŝ₁) + s₂ */ /** -A monomorphic instance of libcrux_ml_dsa.matrix.compute_As1_plus_s2 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +A monomorphic instance of libcrux_ml_dsa.matrix.compute_as1_plus_s2 +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_As1_plus_s2_fe( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*a_as_ntt)[5U], - Eurydice_slice s1_s2, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1_ntt[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - s1_ntt[i] = libcrux_ml_dsa_ntt_ntt_ea(Eurydice_slice_index( - s1_s2, i, libcrux_ml_dsa_polynomial_PolynomialRingElement_24, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *)); - } - for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { +static inline void libcrux_ml_dsa_matrix_compute_as1_plus_s2_21( + size_t rows_in_a, size_t columns_in_a, Eurydice_slice a_as_ntt, + Eurydice_slice s1_ntt, Eurydice_slice s1_s2, Eurydice_slice result) { + for (size_t i0 = (size_t)0U; i0 < rows_in_a; i0++) { size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + for (size_t i = (size_t)0U; i < columns_in_a; i++) { size_t j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 product = - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(&a_as_ntt[i1][j], - &s1_ntt[j]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &product); - result[i1] = uu____0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b product = + Eurydice_slice_index( + a_as_ntt, i1 * columns_in_a + j, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *); + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_21( + &product, + &Eurydice_slice_index( + s1_ntt, j, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_polynomial_add_ff_21( + &Eurydice_slice_index( + result, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *), + &product); } } for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, result, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + result, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); i++) { size_t i0 = i; - result[i0] = libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea(result[i0]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = - libcrux_ml_dsa_polynomial_add_ff_ea( - &result[i0], - &Eurydice_slice_index( - s1_s2, (size_t)5U + i0, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *)); - result[i0] = uu____2; + libcrux_ml_dsa_ntt_invert_ntt_montgomery_21(&Eurydice_slice_index( + result, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_polynomial_add_ff_21( + &Eurydice_slice_index( + result, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *), + &Eurydice_slice_index( + s1_s2, columns_in_a + i0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); } } -typedef struct - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2_s { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 fst[6U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd[6U]; -} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2; - /** A monomorphic instance of libcrux_ml_dsa.arithmetic.power2round_vector -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- DIMENSION= 6 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 - libcrux_ml_dsa_arithmetic_power2round_vector_a3( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - t0[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - t1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } +static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_power2round_vector_21( + Eurydice_slice t, Eurydice_slice t1) { for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, t, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + t, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); i0++) { size_t i1 = i0; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = &t[i1]; for (size_t i = (size_t)0U; i < - Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)32U, ring_element->simd_units, __m256i), - __m256i); + Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, + Eurydice_slice_index( + t, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) + .simd_units, + __m256i), + __m256i); i++) { size_t j = i; - __m256i *simd_unit = &ring_element->simd_units[j]; - libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_power2round_a2(simd_unit[0U]); - __m256i t0_unit = uu____0.fst; - __m256i t1_unit = uu____0.snd; - t0[i1].simd_units[j] = t0_unit; - t1[i1].simd_units[j] = t1_unit; + libcrux_ml_dsa_simd_avx2_power2round_22( + &Eurydice_slice_index( + t, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) + .simd_units[j], + &Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) + .simd_units[j]); } } - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t0[6U]; - memcpy( - copy_of_t0, t0, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U]; - memcpy( - copy_of_t1, t1, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 - lit; - memcpy( - lit.fst, copy_of_t0, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - memcpy( - lit.snd, copy_of_t1, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - return lit; } /** A monomorphic instance of libcrux_ml_dsa.encoding.t1.serialize -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, uint8_t ret[320U]) { +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_21( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *re, uint8_t ret[320U]) { uint8_t serialized[320U] = {0U}; for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i), + Eurydice_array_to_slice((size_t)32U, re->simd_units, __m256i), __m256i); i++) { size_t i0 = i; - __m256i *simd_unit = &re.simd_units[i0]; - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, - i0 * LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, - (i0 + (size_t)1U) * - LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, - uint8_t); - uint8_t ret0[10U]; - libcrux_ml_dsa_simd_avx2_t1_serialize_a2(simd_unit[0U], ret0); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)10U, ret0, uint8_t), uint8_t); + __m256i *simd_unit = &re->simd_units[i0]; + __m256i *uu____0 = simd_unit; + libcrux_ml_dsa_simd_avx2_t1_serialize_22( + uu____0, + Eurydice_array_to_subslice2( + serialized, + i0 * + LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, + uint8_t)); } memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } @@ -5600,41 +4339,37 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_ea( /** A monomorphic instance of libcrux_ml_dsa.encoding.verification_key.generate_serialized with types -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics -- ROWS_IN_A= 6 -- VERIFICATION_KEY_SIZE= 1952 +libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics + */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_dsa_encoding_verification_key_generate_serialized_fe( - Eurydice_slice seed_for_A, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U], - uint8_t ret[1952U]) { - uint8_t verification_key_serialized[1952U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_subslice2( +libcrux_ml_dsa_encoding_verification_key_generate_serialized_21( + Eurydice_slice seed, Eurydice_slice t1, + Eurydice_slice verification_key_serialized) { + Eurydice_slice_copy(Eurydice_slice_subslice2( verification_key_serialized, (size_t)0U, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t), - seed_for_A, uint8_t); + seed, uint8_t); for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, t1, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + t1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); i++) { size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = &t1[i0]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *ring_element = + &Eurydice_slice_index( + t1, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *); size_t offset = LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE; - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + Eurydice_slice uu____0 = Eurydice_slice_subslice2( verification_key_serialized, offset, offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, uint8_t); - uint8_t ret0[320U]; - libcrux_ml_dsa_encoding_t1_serialize_ea(ring_element[0U], ret0); + uint8_t ret[320U]; + libcrux_ml_dsa_encoding_t1_serialize_21(ring_element, ret); Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)320U, ret0, uint8_t), uint8_t); + uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); } - memcpy(ret, verification_key_serialized, (size_t)1952U * sizeof(uint8_t)); } /** @@ -5656,56 +4391,28 @@ for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1} /** A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_d9 with const generics -- OUTPUT_LENGTH= 64 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24(Eurydice_slice input, - uint8_t *out) { - libcrux_ml_dsa_hash_functions_simd256_shake256_24(input, out); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.encoding.error.serialize -with const generics -- ETA= 4 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_encoding_error_serialize_ac( - __m256i simd_unit, Eurydice_slice serialized) { - libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_4(simd_unit, - serialized); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.error_serialize_a2 -with const generics -- ETA= 4 +- OUTPUT_LENGTH= 64 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_error_serialize_a2_ac( - __m256i simd_unit, Eurydice_slice serialized) { - libcrux_ml_dsa_simd_avx2_encoding_error_serialize_ac(simd_unit, serialized); +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24(Eurydice_slice input, + uint8_t *out) { + libcrux_ml_dsa_hash_functions_simd256_shake256_24(input, out); } /** A monomorphic instance of libcrux_ml_dsa.encoding.error.serialize -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- ETA= 4 -- OUTPUT_SIZE= 128 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_a8( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *re, +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_21( + libcrux_ml_dsa_constants_Eta eta, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *re, Eurydice_slice serialized) { - size_t output_bytes_per_simd_unit; - output_bytes_per_simd_unit = (size_t)4U; + size_t output_bytes_per_simd_unit = + libcrux_ml_dsa_encoding_error_chunk_size(eta); for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)32U, re->simd_units, __m256i), @@ -5713,8 +4420,8 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_a8( i++) { size_t i0 = i; __m256i *simd_unit = &re->simd_units[i0]; - libcrux_ml_dsa_simd_avx2_error_serialize_a2_ac( - simd_unit[0U], + libcrux_ml_dsa_simd_avx2_error_serialize_22( + eta, simd_unit, Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit, (i0 + (size_t)1U) * output_bytes_per_simd_unit, uint8_t)); @@ -5723,141 +4430,126 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_a8( /** A monomorphic instance of libcrux_ml_dsa.encoding.t0.serialize -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_serialize_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_serialize_21( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *re, Eurydice_slice serialized) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i), + Eurydice_array_to_slice((size_t)32U, re->simd_units, __m256i), __m256i); i++) { size_t i0 = i; - __m256i *simd_unit = &re.simd_units[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice2( - serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, - (i0 + (size_t)1U) * - LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, - uint8_t); - uint8_t ret[13U]; - libcrux_ml_dsa_simd_avx2_t0_serialize_a2(simd_unit[0U], ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)13U, ret, uint8_t), uint8_t); + __m256i *simd_unit = &re->simd_units[i0]; + libcrux_ml_dsa_simd_avx2_t0_serialize_22( + simd_unit, + Eurydice_slice_subslice2( + serialized, + i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + uint8_t)); } } /** A monomorphic instance of libcrux_ml_dsa.encoding.signing_key.generate_serialized with types -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_hash_functions_simd256_Shake256 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- SIGNING_KEY_SIZE= 4032 + */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9( - Eurydice_slice seed_for_A, Eurydice_slice seed_for_signing, - Eurydice_slice verification_key, Eurydice_slice s1_2, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0[6U], - uint8_t ret[4032U]) { - uint8_t signing_key_serialized[4032U] = {0U}; +libcrux_ml_dsa_encoding_signing_key_generate_serialized_18( + libcrux_ml_dsa_constants_Eta eta, size_t error_ring_element_size, + Eurydice_slice seed_matrix, Eurydice_slice seed_signing, + Eurydice_slice verification_key, Eurydice_slice s1_2, Eurydice_slice t0, + Eurydice_slice signing_key_serialized) { size_t offset = (size_t)0U; Eurydice_slice_copy( - Eurydice_array_to_subslice2( + Eurydice_slice_subslice2( signing_key_serialized, offset, offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t), - seed_for_A, uint8_t); + seed_matrix, uint8_t); offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE; Eurydice_slice_copy( - Eurydice_array_to_subslice2( + Eurydice_slice_subslice2( signing_key_serialized, offset, offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, uint8_t), - seed_for_signing, uint8_t); + seed_signing, uint8_t); offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE; uint8_t verification_key_hash[64U] = {0U}; libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24(verification_key, verification_key_hash); - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - signing_key_serialized, offset, - offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, - uint8_t); Eurydice_slice_copy( - uu____0, + Eurydice_slice_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, + uint8_t), Eurydice_array_to_slice((size_t)64U, verification_key_hash, uint8_t), uint8_t); offset = offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH; for (size_t i = (size_t)0U; i < Eurydice_slice_len( - s1_2, libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + s1_2, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); i++) { size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *uu____1 = + libcrux_ml_dsa_encoding_error_serialize_21( + eta, &Eurydice_slice_index( - s1_2, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_24, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *); - libcrux_ml_dsa_encoding_error_serialize_a8( - uu____1, Eurydice_array_to_subslice2(signing_key_serialized, offset, - offset + (size_t)128U, uint8_t)); - offset = offset + (size_t)128U; + s1_2, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *), + Eurydice_slice_subslice2(signing_key_serialized, offset, + offset + error_ring_element_size, uint8_t)); + offset = offset + error_ring_element_size; } for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, t0, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + t0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); i++) { size_t _cloop_j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = - &t0[_cloop_j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = - ring_element[0U]; - libcrux_ml_dsa_encoding_t0_serialize_ea( - uu____2, Eurydice_array_to_subslice2( - signing_key_serialized, offset, - offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, - uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *ring_element = + &Eurydice_slice_index( + t0, _cloop_j, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *); + libcrux_ml_dsa_encoding_t0_serialize_21( + ring_element, + Eurydice_slice_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, + uint8_t)); offset = offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; } - memcpy(ret, signing_key_serialized, (size_t)4032U * sizeof(uint8_t)); } /** - Generate a key pair. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.generate_key_pair -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.generate_key_pair with types +libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ROW_COLUMN= 11 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- SIGNING_KEY_SIZE= 4032 -- VERIFICATION_KEY_SIZE= 1952 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_99(uint8_t randomness[32U]) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_generate_key_pair_07( + uint8_t randomness[32U], Eurydice_slice signing_key, + Eurydice_slice verification_key) { uint8_t seed_expanded0[128U] = {0U}; libcrux_sha3_portable_incremental_Shake256Xof shake = libcrux_ml_dsa_hash_functions_portable_init_83(); libcrux_ml_dsa_hash_functions_portable_absorb_83( &shake, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t)); - uint8_t buf[2U] = {(uint8_t)(size_t)6U, (uint8_t)(size_t)5U}; + uint8_t buf[2U] = {(uint8_t)LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + (uint8_t)LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A}; libcrux_ml_dsa_hash_functions_portable_absorb_final_83( &shake, Eurydice_array_to_slice((size_t)2U, buf, uint8_t)); libcrux_ml_dsa_hash_functions_portable_squeeze_83( @@ -5873,362 +4565,237 @@ libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_99(uint8_t randomness[32U]) { uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_error_vectors = uu____1.fst; Eurydice_slice seed_for_signing = uu____1.snd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 a_as_ntt[6U][5U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - a_as_ntt[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - a_as_ntt[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - a_as_ntt[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - a_as_ntt[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - a_as_ntt[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b a_as_ntt[30U]; + for (size_t i = (size_t)0U; i < (size_t)30U; i++) { + a_as_ntt[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); } - libcrux_ml_dsa_samplex4_avx2_matrix_b8_fe(seed_for_a, a_as_ntt); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1_s2[11U]; + libcrux_ml_dsa_samplex4_avx2_matrix_flat_b8_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, seed_for_a, + Eurydice_array_to_slice( + (size_t)30U, a_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b s1_s2[11U]; for (size_t i = (size_t)0U; i < (size_t)11U; i++) { - s1_s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + s1_s2[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); } - libcrux_ml_dsa_samplex4_sample_s1_and_s2_31(seed_for_error_vectors, s1_s2); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t[6U]; + libcrux_ml_dsa_samplex4_sample_s1_and_s2_fc( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ETA, seed_for_error_vectors, + Eurydice_array_to_slice( + (size_t)11U, s1_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b t0[6U]; for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - t[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + t0[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b s1_ntt[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + s1_ntt[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); + } + Eurydice_slice uu____2 = Eurydice_array_to_slice( + (size_t)5U, s1_ntt, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); + Eurydice_slice_copy( + uu____2, + Eurydice_array_to_subslice2( + s1_s2, (size_t)0U, LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, s1_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); + i++) { + size_t i0 = i; + libcrux_ml_dsa_ntt_ntt_21(&s1_ntt[i0]); } - libcrux_ml_dsa_matrix_compute_As1_plus_s2_fe( - a_as_ntt, + libcrux_ml_dsa_matrix_compute_as1_plus_s2_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + Eurydice_array_to_slice( + (size_t)30U, a_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)5U, s1_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), Eurydice_array_to_slice( (size_t)11U, s1_s2, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - t); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t[6U]; - memcpy( - copy_of_t, t, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 - uu____3 = libcrux_ml_dsa_arithmetic_power2round_vector_a3(copy_of_t); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0[6U]; - memcpy( - t0, uu____3.fst, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U]; - memcpy( - t1, uu____3.snd, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - Eurydice_slice uu____4 = seed_for_a; - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U]; - memcpy( - copy_of_t1, t1, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - uint8_t verification_key_serialized[1952U]; - libcrux_ml_dsa_encoding_verification_key_generate_serialized_fe( - uu____4, copy_of_t1, verification_key_serialized); - Eurydice_slice uu____6 = seed_for_a; - Eurydice_slice uu____7 = seed_for_signing; - Eurydice_slice uu____8 = Eurydice_array_to_slice( - (size_t)1952U, verification_key_serialized, uint8_t); - Eurydice_slice uu____9 = Eurydice_array_to_slice( - (size_t)11U, s1_s2, libcrux_ml_dsa_polynomial_PolynomialRingElement_24); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t0[6U]; - memcpy( - copy_of_t0, t0, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - uint8_t signing_key_serialized[4032U]; - libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9( - uu____6, uu____7, uu____8, uu____9, copy_of_t0, signing_key_serialized); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_signing_key_serialized[4032U]; - memcpy(copy_of_signing_key_serialized, signing_key_serialized, - (size_t)4032U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_verification_key_serialized[1952U]; - memcpy(copy_of_verification_key_serialized, verification_key_serialized, - (size_t)1952U * sizeof(uint8_t)); - tuple_a0 lit; - memcpy(lit.fst, copy_of_signing_key_serialized, - (size_t)4032U * sizeof(uint8_t)); - memcpy(lit.snd, copy_of_verification_key_serialized, - (size_t)1952U * sizeof(uint8_t)); - return lit; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)6U, t0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b t1[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t1[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); + } + libcrux_ml_dsa_arithmetic_power2round_vector_21( + Eurydice_array_to_slice( + (size_t)6U, t0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)6U, t1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + libcrux_ml_dsa_encoding_verification_key_generate_serialized_21( + seed_for_a, + Eurydice_array_to_slice( + (size_t)6U, t1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + verification_key); + libcrux_ml_dsa_encoding_signing_key_generate_serialized_18( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ETA, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ERROR_RING_ELEMENT_SIZE, + seed_for_a, seed_for_signing, verification_key, + Eurydice_array_to_slice( + (size_t)11U, s1_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)6U, t0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + signing_key); } /** - Generate key pair. -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.generate_key_pair -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ROW_COLUMN= 11 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- SIGNING_KEY_SIZE= 4032 -- VERIFICATION_KEY_SIZE= 1952 + Key Generation. */ KRML_ATTRIBUTE_TARGET("avx2") -static inline tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_c9( - uint8_t randomness[32U]) { +static inline void +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_generate_key_pair__inner( + uint8_t randomness[32U], Eurydice_slice signing_key, + Eurydice_slice verification_key) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_99(copy_of_randomness); + libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_generate_key_pair_07( + copy_of_randomness, signing_key, verification_key); } -/** - Generate key pair. -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.generate_key_pair with const -generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ROW_COLUMN= 11 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- SIGNING_KEY_SIZE= 4032 -- VERIFICATION_KEY_SIZE= 1952 -*/ KRML_ATTRIBUTE_TARGET("avx2") -static inline tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_c9( - uint8_t randomness[32U]) { +static inline void +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_generate_key_pair( + uint8_t randomness[32U], Eurydice_slice signing_key, + Eurydice_slice verification_key) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_c9( - copy_of_randomness); + libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_generate_key_pair__inner( + copy_of_randomness, signing_key, verification_key); } /** Generate an ML-DSA-65 Key Pair */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair +static inline libcrux_ml_dsa_types_MLDSAKeyPair_06 libcrux_ml_dsa_ml_dsa_65_avx2_generate_key_pair(uint8_t randomness[32U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - tuple_a0 uu____1 = - libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_c9( - copy_of_randomness); - uint8_t signing_key[4032U]; - memcpy(signing_key, uu____1.fst, (size_t)4032U * sizeof(uint8_t)); - uint8_t verification_key[1952U]; - memcpy(verification_key, uu____1.snd, (size_t)1952U * sizeof(uint8_t)); + uint8_t signing_key[4032U] = {0U}; + uint8_t verification_key[1952U] = {0U}; + uint8_t uu____0[32U]; + memcpy(uu____0, randomness, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_generate_key_pair( + uu____0, Eurydice_array_to_slice((size_t)4032U, signing_key, uint8_t), + Eurydice_array_to_slice((size_t)1952U, verification_key, uint8_t)); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_signing_key[4032U]; memcpy(copy_of_signing_key, signing_key, (size_t)4032U * sizeof(uint8_t)); - libcrux_ml_dsa_types_MLDSASigningKey_22 uu____3 = + libcrux_ml_dsa_types_MLDSASigningKey_22 uu____2 = libcrux_ml_dsa_types_new_9b_09(copy_of_signing_key); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_verification_key[1952U]; memcpy(copy_of_verification_key, verification_key, (size_t)1952U * sizeof(uint8_t)); - libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair lit; - lit.signing_key = uu____3; + libcrux_ml_dsa_types_MLDSAKeyPair_06 lit; + lit.signing_key = uu____2; lit.verification_key = libcrux_ml_dsa_types_new_66_97(copy_of_verification_key); return lit; } -/** -A monomorphic instance of K. -with types size_t, core_core_arch_x86___m256i - -*/ -typedef struct tuple_bb_s { - size_t fst; - __m256i snd; -} tuple_bb; - -/** -A monomorphic instance of K. -with types uint8_t[32size_t], uint8_t[32size_t], uint8_t[64size_t], -libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[5size_t], -libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[6size_t], -libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[6size_t] - -*/ -typedef struct tuple_f00_s { - uint8_t fst[32U]; - uint8_t snd[32U]; - uint8_t thd[64U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f3[5U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f4[6U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f5[6U]; -} tuple_f00; - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.encoding.error.deserialize -with const generics -- ETA= 4 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_ac( - Eurydice_slice serialized) { - __m256i deserialized = - libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac( - serialized); - return libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)4U), - deserialized); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.error_deserialize_a2 -with const generics -- ETA= 4 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_error_deserialize_a2_ac(Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_ac(serialized); -} - /** A monomorphic instance of libcrux_ml_dsa.encoding.error.deserialize -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- ETA= 4 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_deserialize_4d( - Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) { - size_t chunk_size; - chunk_size = (size_t)4U; +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_deserialize_21( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *result) { + size_t chunk_size = libcrux_ml_dsa_encoding_error_chunk_size(eta); for (size_t i = (size_t)0U; i < Eurydice_slice_len(Eurydice_array_to_slice( (size_t)32U, result->simd_units, __m256i), __m256i); i++) { size_t i0 = i; - __m256i uu____0 = libcrux_ml_dsa_simd_avx2_error_deserialize_a2_ac( + libcrux_ml_dsa_simd_avx2_error_deserialize_22( + eta, Eurydice_slice_subslice2(serialized, i0 * chunk_size, - (i0 + (size_t)1U) * chunk_size, uint8_t)); - result->simd_units[i0] = uu____0; + (i0 + (size_t)1U) * chunk_size, uint8_t), + &result->simd_units[i0]); } } /** A monomorphic instance of libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics -- DIMENSION= 5 -- ETA= 4 -- RING_ELEMENT_SIZE= 128 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5b( - Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ring_elements[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(serialized, uint8_t) / (size_t)128U; i++) { - size_t i0 = i; - Eurydice_slice bytes = - Eurydice_slice_subslice2(serialized, i0 * (size_t)128U, - i0 * (size_t)128U + (size_t)128U, uint8_t); - libcrux_ml_dsa_encoding_error_deserialize_4d(bytes, &ring_elements[i0]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - libcrux_ml_dsa_ntt_ntt_ea(ring_elements[i0]); - ring_elements[i0] = uu____0; - } - memcpy( - ret, ring_elements, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); -} +libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -/** -A monomorphic instance of -libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics -- DIMENSION= 6 -- ETA= 4 -- RING_ELEMENT_SIZE= 128 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_ef( - Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ring_elements[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } +libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_21( + libcrux_ml_dsa_constants_Eta eta, size_t ring_element_size, + Eurydice_slice serialized, Eurydice_slice ring_elements) { for (size_t i = (size_t)0U; - i < Eurydice_slice_len(serialized, uint8_t) / (size_t)128U; i++) { + i < Eurydice_slice_len(serialized, uint8_t) / ring_element_size; i++) { size_t i0 = i; - Eurydice_slice bytes = - Eurydice_slice_subslice2(serialized, i0 * (size_t)128U, - i0 * (size_t)128U + (size_t)128U, uint8_t); - libcrux_ml_dsa_encoding_error_deserialize_4d(bytes, &ring_elements[i0]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - libcrux_ml_dsa_ntt_ntt_ea(ring_elements[i0]); - ring_elements[i0] = uu____0; + Eurydice_slice bytes = Eurydice_slice_subslice2( + serialized, i0 * ring_element_size, + i0 * ring_element_size + ring_element_size, uint8_t); + libcrux_ml_dsa_encoding_error_deserialize_21( + eta, bytes, + &Eurydice_slice_index( + ring_elements, i0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_ntt_ntt_21(&Eurydice_slice_index( + ring_elements, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); } - memcpy( - ret, ring_elements, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); } /** A monomorphic instance of libcrux_ml_dsa.encoding.t0.deserialize -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_deserialize_ea( +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_deserialize_21( Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *result) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(Eurydice_array_to_slice( (size_t)32U, result->simd_units, __m256i), __m256i); i++) { size_t i0 = i; - __m256i uu____0 = - libcrux_ml_dsa_simd_avx2_t0_deserialize_a2(Eurydice_slice_subslice2( + libcrux_ml_dsa_simd_avx2_t0_deserialize_22( + Eurydice_slice_subslice2( serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, (i0 + (size_t)1U) * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, - uint8_t)); - result->simd_units[i0] = uu____0; + uint8_t), + &result->simd_units[i0]); } } /** A monomorphic instance of libcrux_ml_dsa.encoding.t0.deserialize_to_vector_then_ntt with types -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics -- DIMENSION= 6 +libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics + */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_a3( - Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ring_elements[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } +libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_21( + Eurydice_slice serialized, Eurydice_slice ring_elements) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; @@ -6239,121 +4806,27 @@ libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_a3( i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, uint8_t); - libcrux_ml_dsa_encoding_t0_deserialize_ea(bytes, &ring_elements[i0]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - libcrux_ml_dsa_ntt_ntt_ea(ring_elements[i0]); - ring_elements[i0] = uu____0; + libcrux_ml_dsa_encoding_t0_deserialize_21( + bytes, &Eurydice_slice_index( + ring_elements, i0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_ntt_ntt_21(&Eurydice_slice_index( + ring_elements, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); } - memcpy( - ret, ring_elements, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); -} - -/** -A monomorphic instance of -libcrux_ml_dsa.encoding.signing_key.deserialize_then_ntt with types -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- SIGNING_KEY_SIZE= 4032 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_f00 -libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_b6( - uint8_t *serialized) { - Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( - Eurydice_array_to_slice((size_t)4032U, serialized, uint8_t), - LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, - Eurydice_slice_uint8_t_x2); - Eurydice_slice seed_for_A = uu____0.fst; - Eurydice_slice remaining_serialized0 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( - remaining_serialized0, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, - uint8_t, Eurydice_slice_uint8_t_x2); - Eurydice_slice seed_for_signing = uu____1.fst; - Eurydice_slice remaining_serialized1 = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( - remaining_serialized1, - LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, uint8_t, - Eurydice_slice_uint8_t_x2); - Eurydice_slice verification_key_hash = uu____2.fst; - Eurydice_slice remaining_serialized2 = uu____2.snd; - Eurydice_slice_uint8_t_x2 uu____3 = - Eurydice_slice_split_at(remaining_serialized2, (size_t)128U * (size_t)5U, - uint8_t, Eurydice_slice_uint8_t_x2); - Eurydice_slice s1_serialized = uu____3.fst; - Eurydice_slice remaining_serialized = uu____3.snd; - Eurydice_slice_uint8_t_x2 uu____4 = - Eurydice_slice_split_at(remaining_serialized, (size_t)128U * (size_t)6U, - uint8_t, Eurydice_slice_uint8_t_x2); - Eurydice_slice s2_serialized = uu____4.fst; - Eurydice_slice t0_serialized = uu____4.snd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1_as_ntt[5U]; - libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5b(s1_serialized, - s1_as_ntt); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2_as_ntt[6U]; - libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_ef(s2_serialized, - s2_as_ntt); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0_as_ntt[6U]; - libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_a3(t0_serialized, - t0_as_ntt); - uint8_t uu____5[32U]; - Result_fb dst0; - Eurydice_slice_to_array2(&dst0, seed_for_A, Eurydice_slice, uint8_t[32U]); - unwrap_26_b3(dst0, uu____5); - uint8_t uu____6[32U]; - Result_fb dst1; - Eurydice_slice_to_array2(&dst1, seed_for_signing, Eurydice_slice, - uint8_t[32U]); - unwrap_26_b3(dst1, uu____6); - uint8_t uu____7[64U]; - Result_f2 dst; - Eurydice_slice_to_array2(&dst, verification_key_hash, Eurydice_slice, - uint8_t[64U]); - unwrap_26_4b(dst, uu____7); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1_as_ntt[5U]; - memcpy( - copy_of_s1_as_ntt, s1_as_ntt, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2_as_ntt[6U]; - memcpy( - copy_of_s2_as_ntt, s2_as_ntt, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t0_as_ntt[6U]; - memcpy( - copy_of_t0_as_ntt, t0_as_ntt, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - tuple_f00 lit; - memcpy(lit.fst, uu____5, (size_t)32U * sizeof(uint8_t)); - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - memcpy(lit.thd, uu____7, (size_t)64U * sizeof(uint8_t)); - memcpy( - lit.f3, copy_of_s1_as_ntt, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - memcpy( - lit.f4, copy_of_s2_as_ntt, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - memcpy( - lit.f5, copy_of_t0_as_ntt, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - return lit; } /** A monomorphic instance of core.option.Option with types libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[5size_t] +libcrux_ml_dsa_simd_avx2_vector_type_Vec256[5size_t] */ -typedef struct Option_a4_s { +typedef struct Option_7e_s { Option_d8_tags tag; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f0[5U]; -} Option_a4; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b f0[5U]; +} Option_7e; /** A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_x4 @@ -6393,55 +4866,27 @@ libcrux_ml_dsa_hash_functions_simd256_shake256_x4_fb_1b( input0, input1, input2, input3, out0, out1, out2, out3); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.encoding.gamma1.deserialize -with const generics -- GAMMA1_EXPONENT= 19 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_36( - Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( - serialized); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.gamma1_deserialize_a2 -with const generics -- GAMMA1_EXPONENT= 19 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_gamma1_deserialize_a2_36(Eurydice_slice serialized) { - return libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_36(serialized); -} - /** A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.deserialize -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- GAMMA1_EXPONENT= 19 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_deserialize_05( - Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) { +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_deserialize_21( + size_t gamma1_exponent, Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *result) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(Eurydice_array_to_slice( (size_t)32U, result->simd_units, __m256i), __m256i); i++) { size_t i0 = i; - __m256i uu____0 = libcrux_ml_dsa_simd_avx2_gamma1_deserialize_a2_36( - Eurydice_slice_subslice2(serialized, i0 * ((size_t)19U + (size_t)1U), - (i0 + (size_t)1U) * ((size_t)19U + (size_t)1U), - uint8_t)); - result->simd_units[i0] = uu____0; + libcrux_ml_dsa_simd_avx2_gamma1_deserialize_22( + Eurydice_slice_subslice2( + serialized, i0 * (gamma1_exponent + (size_t)1U), + (i0 + (size_t)1U) * (gamma1_exponent + (size_t)1U), uint8_t), + &result->simd_units[i0], gamma1_exponent); } } @@ -6541,214 +4986,142 @@ libcrux_ml_dsa_hash_functions_simd256_shake256_d9_c8(Eurydice_slice input, /** A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_ring_element -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_hash_functions_simd256_Shake256 with const generics -- GAMMA1_EXPONENT= 19 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_ring_element_d9( - uint8_t seed[66U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) { - uint8_t out[640U] = {0U}; - libcrux_ml_dsa_hash_functions_simd256_shake256_d9_c8( - Eurydice_array_to_slice((size_t)66U, seed, uint8_t), out); - libcrux_ml_dsa_encoding_gamma1_deserialize_05( - Eurydice_array_to_slice((size_t)640U, out, uint8_t), result); -} - -/** -A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_vector -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, -libcrux_ml_dsa_hash_functions_simd256_Shake256, -libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics -- DIMENSION= 5 -- GAMMA1_EXPONENT= 19 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_vector_51( - uint8_t seed[66U], uint16_t *domain_separator, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 mask[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - mask[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed0[66U]; - memcpy(copy_of_seed0, seed, (size_t)66U * sizeof(uint8_t)); - uint8_t seed0[66U]; - libcrux_ml_dsa_sample_update_seed(copy_of_seed0, domain_separator, seed0); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed1[66U]; - memcpy(copy_of_seed1, seed, (size_t)66U * sizeof(uint8_t)); - uint8_t seed1[66U]; - libcrux_ml_dsa_sample_update_seed(copy_of_seed1, domain_separator, seed1); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed2[66U]; - memcpy(copy_of_seed2, seed, (size_t)66U * sizeof(uint8_t)); - uint8_t seed2[66U]; - libcrux_ml_dsa_sample_update_seed(copy_of_seed2, domain_separator, seed2); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed3[66U]; - memcpy(copy_of_seed3, seed, (size_t)66U * sizeof(uint8_t)); - uint8_t seed3[66U]; - libcrux_ml_dsa_sample_update_seed(copy_of_seed3, domain_separator, seed3); - uint8_t out0[640U] = {0U}; - uint8_t out1[640U] = {0U}; - uint8_t out2[640U] = {0U}; - uint8_t out3[640U] = {0U}; - libcrux_ml_dsa_hash_functions_simd256_shake256_x4_fb_c8( - Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), - Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), - Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), - Eurydice_array_to_slice((size_t)66U, seed3, uint8_t), out0, out1, out2, - out3); - libcrux_ml_dsa_encoding_gamma1_deserialize_05( - Eurydice_array_to_slice((size_t)640U, out0, uint8_t), mask); - libcrux_ml_dsa_encoding_gamma1_deserialize_05( - Eurydice_array_to_slice((size_t)640U, out1, uint8_t), &mask[1U]); - libcrux_ml_dsa_encoding_gamma1_deserialize_05( - Eurydice_array_to_slice((size_t)640U, out2, uint8_t), &mask[2U]); - libcrux_ml_dsa_encoding_gamma1_deserialize_05( - Eurydice_array_to_slice((size_t)640U, out3, uint8_t), &mask[3U]); - for (size_t i = (size_t)4U; i < (size_t)5U; i++) { - size_t i0 = i; - seed[64U] = (uint8_t)domain_separator[0U]; - seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U); - domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[66U]; - memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_sample_sample_mask_ring_element_d9(copy_of_seed, &mask[i0]); - } - memcpy( - ret, mask, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); -} - -/** -A monomorphic instance of libcrux_ml_dsa.matrix.compute_A_times_mask.closure -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24 -libcrux_ml_dsa_matrix_compute_A_times_mask_closure_fe( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s) { - return libcrux_ml_dsa_ntt_ntt_ea(s); -} -/** - Compute InvertNTT(Â ◦ ŷ) -*/ -/** -A monomorphic instance of libcrux_ml_dsa.matrix.compute_A_times_mask -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 */ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_A_times_mask_fe( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*A_as_ntt)[5U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *mask, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_mask[5U]; - memcpy( - copy_of_mask, mask, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 mask_ntt[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - mask_ntt[i] = - libcrux_ml_dsa_matrix_compute_A_times_mask_closure_fe(copy_of_mask[i]); - } - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, A_as_ntt, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]); - i0++) { - size_t i1 = i0; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *row = A_as_ntt[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, row, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); - i++) { - size_t j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = - &row[j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 product = - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(ring_element, - &mask_ntt[j]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = - libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &product); - result[i1] = uu____1; +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_ring_element_18( + uint8_t *seed, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *result, + size_t gamma1_exponent) { + switch ((uint8_t)gamma1_exponent) { + case 17U: { + uint8_t out[576U] = {0U}; + libcrux_ml_dsa_hash_functions_simd256_shake256_d9_1b( + Eurydice_array_to_slice((size_t)66U, seed, uint8_t), out); + libcrux_ml_dsa_encoding_gamma1_deserialize_21( + gamma1_exponent, Eurydice_array_to_slice((size_t)576U, out, uint8_t), + result); + break; + } + case 19U: { + uint8_t out[640U] = {0U}; + libcrux_ml_dsa_hash_functions_simd256_shake256_d9_c8( + Eurydice_array_to_slice((size_t)66U, seed, uint8_t), out); + libcrux_ml_dsa_encoding_gamma1_deserialize_21( + gamma1_exponent, Eurydice_array_to_slice((size_t)640U, out, uint8_t), + result); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); } - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = - libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea(result[i1]); - result[i1] = uu____2; } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); } /** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.arithmetic.decompose -with const generics -- GAMMA2= 261888 +A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_vector +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 -libcrux_ml_dsa_simd_avx2_arithmetic_decompose_80(__m256i r) { - __m256i r2 = - libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(r); - __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( - (LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2); - int32_t ALPHA = (int32_t)261888 * (int32_t)2; - __m256i ceil_of_r_by_128 = libcrux_intrinsics_avx2_mm256_add_epi32( - r2, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)127)); - __m256i ceil_of_r_by_1280 = libcrux_intrinsics_avx2_mm256_srai_epi32( - (int32_t)7, ceil_of_r_by_128, __m256i); - __m256i r1; - switch (ALPHA) { - case 190464: { - __m256i result = libcrux_intrinsics_avx2_mm256_mullo_epi32( - ceil_of_r_by_1280, - libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)11275)); - __m256i result0 = libcrux_intrinsics_avx2_mm256_add_epi32( - result, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1 << 23U)); - __m256i result1 = libcrux_intrinsics_avx2_mm256_srai_epi32( - (int32_t)24, result0, __m256i); - __m256i mask = libcrux_intrinsics_avx2_mm256_sub_epi32( - libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)43), result1); - __m256i mask0 = - libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, mask, __m256i); - __m256i not_result = - libcrux_intrinsics_avx2_mm256_xor_si256(result1, mask0); - r1 = libcrux_intrinsics_avx2_mm256_and_si256(result1, not_result); +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_vector_f4( + size_t dimension, size_t gamma1_exponent, uint8_t *seed, + uint16_t *domain_separator, Eurydice_slice mask) { + uint8_t seed0[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + Eurydice_array_to_slice((size_t)64U, seed, uint8_t), domain_separator[0U], + seed0); + uint8_t seed1[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + Eurydice_array_to_slice((size_t)64U, seed, uint8_t), + (uint32_t)domain_separator[0U] + 1U, seed1); + uint8_t seed2[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + Eurydice_array_to_slice((size_t)64U, seed, uint8_t), + (uint32_t)domain_separator[0U] + 2U, seed2); + uint8_t seed3[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + Eurydice_array_to_slice((size_t)64U, seed, uint8_t), + (uint32_t)domain_separator[0U] + 3U, seed3); + domain_separator[0U] = (uint32_t)domain_separator[0U] + 4U; + switch ((uint8_t)gamma1_exponent) { + case 17U: { + uint8_t out0[576U] = {0U}; + uint8_t out1[576U] = {0U}; + uint8_t out2[576U] = {0U}; + uint8_t out3[576U] = {0U}; + libcrux_ml_dsa_hash_functions_simd256_shake256_x4_fb_1b( + Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed3, uint8_t), out0, out1, + out2, out3); + libcrux_ml_dsa_encoding_gamma1_deserialize_21( + gamma1_exponent, Eurydice_array_to_slice((size_t)576U, out0, uint8_t), + &Eurydice_slice_index( + mask, (size_t)0U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_encoding_gamma1_deserialize_21( + gamma1_exponent, Eurydice_array_to_slice((size_t)576U, out1, uint8_t), + &Eurydice_slice_index( + mask, (size_t)1U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_encoding_gamma1_deserialize_21( + gamma1_exponent, Eurydice_array_to_slice((size_t)576U, out2, uint8_t), + &Eurydice_slice_index( + mask, (size_t)2U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_encoding_gamma1_deserialize_21( + gamma1_exponent, Eurydice_array_to_slice((size_t)576U, out3, uint8_t), + &Eurydice_slice_index( + mask, (size_t)3U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); break; } - case 523776: { - __m256i result = libcrux_intrinsics_avx2_mm256_mullo_epi32( - ceil_of_r_by_1280, - libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1025)); - __m256i result0 = libcrux_intrinsics_avx2_mm256_add_epi32( - result, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1 << 21U)); - __m256i result1 = libcrux_intrinsics_avx2_mm256_srai_epi32( - (int32_t)22, result0, __m256i); - r1 = libcrux_intrinsics_avx2_mm256_and_si256( - result1, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)15)); + case 19U: { + uint8_t out0[640U] = {0U}; + uint8_t out1[640U] = {0U}; + uint8_t out2[640U] = {0U}; + uint8_t out3[640U] = {0U}; + libcrux_ml_dsa_hash_functions_simd256_shake256_x4_fb_c8( + Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed3, uint8_t), out0, out1, + out2, out3); + libcrux_ml_dsa_encoding_gamma1_deserialize_21( + gamma1_exponent, Eurydice_array_to_slice((size_t)640U, out0, uint8_t), + &Eurydice_slice_index( + mask, (size_t)0U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_encoding_gamma1_deserialize_21( + gamma1_exponent, Eurydice_array_to_slice((size_t)640U, out1, uint8_t), + &Eurydice_slice_index( + mask, (size_t)1U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_encoding_gamma1_deserialize_21( + gamma1_exponent, Eurydice_array_to_slice((size_t)640U, out2, uint8_t), + &Eurydice_slice_index( + mask, (size_t)2U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_encoding_gamma1_deserialize_21( + gamma1_exponent, Eurydice_array_to_slice((size_t)640U, out3, uint8_t), + &Eurydice_slice_index( + mask, (size_t)3U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); break; } default: { @@ -6757,120 +5130,124 @@ libcrux_ml_dsa_simd_avx2_arithmetic_decompose_80(__m256i r) { KRML_HOST_EXIT(255U); } } - __m256i r0 = libcrux_intrinsics_avx2_mm256_mullo_epi32( - r1, libcrux_intrinsics_avx2_mm256_set1_epi32(ALPHA)); - __m256i r00 = libcrux_intrinsics_avx2_mm256_sub_epi32(r2, r0); - __m256i mask = - libcrux_intrinsics_avx2_mm256_sub_epi32(field_modulus_halved, r00); - __m256i mask0 = - libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, mask, __m256i); - __m256i field_modulus_and_mask = libcrux_intrinsics_avx2_mm256_and_si256( - mask0, libcrux_intrinsics_avx2_mm256_set1_epi32( - LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS)); - __m256i r01 = - libcrux_intrinsics_avx2_mm256_sub_epi32(r00, field_modulus_and_mask); - return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = r01, .snd = r1}); + for (size_t i = (size_t)4U; i < dimension; i++) { + size_t i0 = i; + uint8_t seed4[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + Eurydice_array_to_slice((size_t)64U, seed, uint8_t), + domain_separator[0U], seed4); + domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; + libcrux_ml_dsa_sample_sample_mask_ring_element_18( + seed4, + &Eurydice_slice_index( + mask, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *), + gamma1_exponent); + } } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} + Compute InvertNTT(Â ◦ ŷ) */ /** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.decompose_a2 +A monomorphic instance of libcrux_ml_dsa.matrix.compute_matrix_x_mask +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- GAMMA2= 261888 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2 -libcrux_ml_dsa_simd_avx2_decompose_a2_80(__m256i simd_unit) { - core_core_arch_x86___m256i_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_arithmetic_decompose_80(simd_unit); - __m256i lower = uu____0.fst; - __m256i upper = uu____0.snd; - return (CLITERAL(libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2){ - .fst = lower, .snd = upper}); +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_matrix_x_mask_21( + size_t rows_in_a, size_t columns_in_a, Eurydice_slice matrix, + Eurydice_slice mask, Eurydice_slice result) { + for (size_t i0 = (size_t)0U; i0 < rows_in_a; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < columns_in_a; i++) { + size_t j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b product = + Eurydice_slice_index( + mask, j, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *); + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_21( + &product, &Eurydice_slice_index( + matrix, i1 * columns_in_a + j, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_polynomial_add_ff_21( + &Eurydice_slice_index( + result, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *), + &product); + } + libcrux_ml_dsa_ntt_invert_ntt_montgomery_21(&Eurydice_slice_index( + result, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + } } /** A monomorphic instance of libcrux_ml_dsa.arithmetic.decompose_vector -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- DIMENSION= 6 -- GAMMA2= 261888 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 - libcrux_ml_dsa_arithmetic_decompose_vector_fe( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector_low[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - vector_low[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector_high[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - vector_high[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_decompose_vector_21( + size_t dimension, int32_t gamma2, Eurydice_slice t, Eurydice_slice low, + Eurydice_slice high) { + for (size_t i0 = (size_t)0U; i0 < dimension; i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; - i < - Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)32U, vector_low->simd_units, __m256i), - __m256i); + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, + Eurydice_slice_index( + low, (size_t)0U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) + .simd_units, + __m256i), + __m256i); i++) { size_t j = i; - libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_decompose_a2_80(t[i1].simd_units[j]); - __m256i low = uu____0.fst; - __m256i high = uu____0.snd; - vector_low[i1].simd_units[j] = low; - vector_high[i1].simd_units[j] = high; + libcrux_ml_dsa_simd_avx2_decompose_22( + gamma2, + &Eurydice_slice_index( + t, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) + .simd_units[j], + &Eurydice_slice_index( + low, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) + .simd_units[j], + &Eurydice_slice_index( + high, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) + .simd_units[j]); } } - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_vector_low[6U]; - memcpy( - copy_of_vector_low, vector_low, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_vector_high[6U]; - memcpy( - copy_of_vector_high, vector_high, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 - lit; - memcpy( - lit.fst, copy_of_vector_low, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - memcpy( - lit.snd, copy_of_vector_high, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - return lit; } /** A monomorphic instance of libcrux_ml_dsa.encoding.commitment.serialize -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_commitment_serialize_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_commitment_serialize_21( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *re, Eurydice_slice serialized) { size_t output_bytes_per_simd_unit = Eurydice_slice_len(serialized, uint8_t) / ((size_t)8U * (size_t)4U); for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i), + Eurydice_array_to_slice((size_t)32U, re->simd_units, __m256i), __m256i); i++) { size_t i0 = i; - __m256i *simd_unit = &re.simd_units[i0]; - libcrux_ml_dsa_simd_avx2_commitment_serialize_a2( - simd_unit[0U], + __m256i *simd_unit = &re->simd_units[i0]; + libcrux_ml_dsa_simd_avx2_commitment_serialize_22( + simd_unit, Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit, (i0 + (size_t)1U) * output_bytes_per_simd_unit, uint8_t)); @@ -6879,52 +5256,47 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_commitment_serialize_ea( /** A monomorphic instance of libcrux_ml_dsa.encoding.commitment.serialize_vector -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- DIMENSION= 6 -- RING_ELEMENT_SIZE= 128 -- OUTPUT_SIZE= 768 + */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_dsa_encoding_commitment_serialize_vector_ef( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector[6U], - uint8_t ret[768U]) { - uint8_t serialized[768U] = {0U}; +libcrux_ml_dsa_encoding_commitment_serialize_vector_21( + size_t ring_element_size, Eurydice_slice vector, + Eurydice_slice serialized) { size_t offset = (size_t)0U; for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + vector, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); i++) { size_t _cloop_j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = - &vector[_cloop_j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - ring_element[0U]; - libcrux_ml_dsa_encoding_commitment_serialize_ea( - uu____0, Eurydice_array_to_subslice2(serialized, offset, - offset + (size_t)128U, uint8_t)); - offset = offset + (size_t)128U; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *ring_element = + &Eurydice_slice_index( + vector, _cloop_j, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *); + libcrux_ml_dsa_encoding_commitment_serialize_21( + ring_element, + Eurydice_slice_subslice2(serialized, offset, offset + ring_element_size, + uint8_t)); + offset = offset + ring_element_size; } - memcpy(ret, serialized, (size_t)768U * sizeof(uint8_t)); } /** A monomorphic instance of libcrux_ml_dsa.sample.sample_challenge_ring_element -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_hash_functions_simd256_Shake256 with const generics -- NUMBER_OF_ONES= 49 -- SEED_SIZE= 48 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 -libcrux_ml_dsa_sample_sample_challenge_ring_element_8a(uint8_t seed[48U]) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_sample_sample_challenge_ring_element_18( + Eurydice_slice seed, size_t number_of_ones, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *re) { libcrux_sha3_portable_KeccakState state = - libcrux_ml_dsa_hash_functions_simd256_init_absorb_final_d9( - Eurydice_array_to_slice((size_t)48U, seed, uint8_t)); + libcrux_ml_dsa_hash_functions_simd256_init_absorb_final_d9(seed); uint8_t randomness0[136U]; libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_d9(&state, randomness0); @@ -6940,7 +5312,7 @@ libcrux_ml_dsa_sample_sample_challenge_ring_element_8a(uint8_t seed[48U]) { size_t out_index = Eurydice_slice_len(Eurydice_array_to_slice((size_t)256U, result, int32_t), int32_t) - - (size_t)49U; + number_of_ones; Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)136U, randomness0, (size_t)8U, uint8_t, size_t); bool done = libcrux_ml_dsa_sample_inside_out_shuffle(uu____0, &out_index, @@ -6957,106 +5329,55 @@ libcrux_ml_dsa_sample_sample_challenge_ring_element_8a(uint8_t seed[48U]) { &out_index, &signs, result); } } - return libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( - Eurydice_array_to_slice((size_t)256U, result, int32_t)); + libcrux_ml_dsa_polynomial_from_i32_array_ff_21( + Eurydice_array_to_slice((size_t)256U, result, int32_t), re); } /** A monomorphic instance of libcrux_ml_dsa.matrix.vector_times_ring_element -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- DIMENSION= 5 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_1f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); - i++) { - size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *vector_ring_element = - &vector[i0]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea( - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(vector_ring_element, - ring_element)); - result[i0] = uu____0; - } - memcpy( - ret, result, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); -} -/** -A monomorphic instance of libcrux_ml_dsa.matrix.vector_times_ring_element -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics -- DIMENSION= 6 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_a3( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_21( + Eurydice_slice vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *ring_element) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + vector, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); i++) { size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *vector_ring_element = - &vector[i0]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea( - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(vector_ring_element, - ring_element)); - result[i0] = uu____0; + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_21( + &Eurydice_slice_index( + vector, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *), + ring_element); + libcrux_ml_dsa_ntt_invert_ntt_montgomery_21(&Eurydice_slice_index( + vector, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); } /** A monomorphic instance of libcrux_ml_dsa.matrix.add_vectors -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- DIMENSION= 5 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_1f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *lhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_21( + size_t dimension, Eurydice_slice lhs, Eurydice_slice rhs) { + for (size_t i = (size_t)0U; i < dimension; i++) { size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - libcrux_ml_dsa_polynomial_add_ff_ea(&lhs[i0], &rhs[i0]); - result[i0] = uu____0; + libcrux_ml_dsa_polynomial_add_ff_21( + &Eurydice_slice_index( + lhs, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *), + &Eurydice_slice_index( + rhs, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); } - memcpy( - ret, result, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); } /** @@ -7066,53 +5387,44 @@ TraitClause@1]} */ /** A monomorphic instance of libcrux_ml_dsa.polynomial.subtract_ff -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 -libcrux_ml_dsa_polynomial_subtract_ff_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *self, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 difference = - libcrux_ml_dsa_polynomial_ZERO_ff_ea(); +static KRML_MUSTINLINE void libcrux_ml_dsa_polynomial_subtract_ff_21( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *self, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *rhs) { for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)32U, difference.simd_units, __m256i), - __m256i); + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)32U, self->simd_units, __m256i), + __m256i); i++) { size_t i0 = i; - difference.simd_units[i0] = libcrux_ml_dsa_simd_avx2_subtract_a2( - &self->simd_units[i0], &rhs->simd_units[i0]); + libcrux_ml_dsa_simd_avx2_subtract_22(&self->simd_units[i0], + &rhs->simd_units[i0]); } - return difference; } /** A monomorphic instance of libcrux_ml_dsa.matrix.subtract_vectors -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- DIMENSION= 6 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_subtract_vectors_a3( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *lhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_subtract_vectors_21( + size_t dimension, Eurydice_slice lhs, Eurydice_slice rhs) { + for (size_t i = (size_t)0U; i < dimension; i++) { size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - libcrux_ml_dsa_polynomial_subtract_ff_ea(&lhs[i0], &rhs[i0]); - result[i0] = uu____0; + libcrux_ml_dsa_polynomial_subtract_ff_21( + &Eurydice_slice_index( + lhs, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *), + &Eurydice_slice_index( + rhs, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); } /** @@ -7122,14 +5434,15 @@ TraitClause@1]} */ /** A monomorphic instance of libcrux_ml_dsa.polynomial.infinity_norm_exceeds_ff -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static inline bool libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *self, int32_t bound) { - bool exceeds = false; +static KRML_MUSTINLINE bool +libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_21( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *self, int32_t bound) { + bool result = false; for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)32U, self->simd_units, __m256i), @@ -7137,166 +5450,90 @@ static inline bool libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ea( i++) { size_t i0 = i; bool uu____0; - if (exceeds) { + if (result) { uu____0 = true; } else { - uu____0 = libcrux_ml_dsa_simd_avx2_infinity_norm_exceeds_a2( - self->simd_units[i0], bound); + uu____0 = libcrux_ml_dsa_simd_avx2_infinity_norm_exceeds_22( + &self->simd_units[i0], bound); } - exceeds = uu____0; + result = uu____0; } - return exceeds; + return result; } /** A monomorphic instance of libcrux_ml_dsa.arithmetic.vector_infinity_norm_exceeds -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- DIMENSION= 5 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE bool -libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_1f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector[5U], - int32_t bound) { - bool exceeds = false; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); - i++) { - size_t _cloop_j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = - &vector[_cloop_j]; - bool uu____0; - if (exceeds) { - uu____0 = true; - } else { - uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ea( - ring_element, bound); - } - exceeds = uu____0; - } - return exceeds; -} -/** -A monomorphic instance of libcrux_ml_dsa.arithmetic.vector_infinity_norm_exceeds -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics -- DIMENSION= 6 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool -libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_a3( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector[6U], - int32_t bound) { - bool exceeds = false; +libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_21(Eurydice_slice vector, + int32_t bound) { + bool result = false; for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + vector, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); i++) { size_t _cloop_j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = - &vector[_cloop_j]; - bool uu____0; - if (exceeds) { - uu____0 = true; - } else { - uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ea( - ring_element, bound); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *ring_element = + &Eurydice_slice_index( + vector, _cloop_j, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *); + if (!result) { + if (libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_21(ring_element, + bound)) { + result = true; + continue; + } } - exceeds = uu____0; - } - return exceeds; -} - -/** -A monomorphic instance of libcrux_ml_dsa.matrix.add_vectors -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics -- DIMENSION= 6 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_a3( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *lhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); } - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - libcrux_ml_dsa_polynomial_add_ff_ea(&lhs[i0], &rhs[i0]); - result[i0] = uu____0; - } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + return result; } -/** -A monomorphic instance of K. -with types size_t, libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit - -*/ -typedef struct tuple_25_s { - size_t fst; - __m256i snd; -} tuple_25; - /** A monomorphic instance of libcrux_ml_dsa.simd.avx2.arithmetic.compute_hint with const generics - GAMMA2= 261888 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_bb -libcrux_ml_dsa_simd_avx2_arithmetic_compute_hint_80(__m256i low, __m256i high) { +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_arithmetic_compute_hint_80(__m256i *low, __m256i *high, + __m256i *hint) { __m256i gamma2 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)261888); __m256i minus_gamma2 = libcrux_intrinsics_avx2_mm256_set1_epi32(-(int32_t)261888); __m256i low_within_bound = libcrux_intrinsics_avx2_mm256_cmpgt_epi32( - libcrux_intrinsics_avx2_mm256_abs_epi32(low), gamma2); + libcrux_intrinsics_avx2_mm256_abs_epi32(low[0U]), gamma2); __m256i low_equals_minus_gamma2 = - libcrux_intrinsics_avx2_mm256_cmpeq_epi32(low, minus_gamma2); + libcrux_intrinsics_avx2_mm256_cmpeq_epi32(low[0U], minus_gamma2); __m256i low_equals_minus_gamma2_and_high_is_nonzero = - libcrux_intrinsics_avx2_mm256_sign_epi32(low_equals_minus_gamma2, high); - __m256i hints = libcrux_intrinsics_avx2_mm256_or_si256( + libcrux_intrinsics_avx2_mm256_sign_epi32(low_equals_minus_gamma2, + high[0U]); + hint[0U] = libcrux_intrinsics_avx2_mm256_or_si256( low_within_bound, low_equals_minus_gamma2_and_high_is_nonzero); int32_t hints_mask = libcrux_intrinsics_avx2_mm256_movemask_ps( - libcrux_intrinsics_avx2_mm256_castsi256_ps(hints)); - uint32_t uu____0 = core_num__i32_2__count_ones(hints_mask); - return (CLITERAL(tuple_bb){ - .fst = (size_t)uu____0, - .snd = libcrux_intrinsics_avx2_mm256_and_si256( - hints, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1))}); + libcrux_intrinsics_avx2_mm256_castsi256_ps(hint[0U])); + hint[0U] = libcrux_intrinsics_avx2_mm256_and_si256( + hint[0U], libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1)); + return (size_t)core_num__i32_2__count_ones(hints_mask); } /** This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} */ /** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.compute_hint_a2 +A monomorphic instance of libcrux_ml_dsa.simd.avx2.compute_hint_22 with const generics - GAMMA2= 261888 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_25 -libcrux_ml_dsa_simd_avx2_compute_hint_a2_80(__m256i low, __m256i high) { - tuple_bb uu____0 = - libcrux_ml_dsa_simd_avx2_arithmetic_compute_hint_80(low, high); - size_t count = uu____0.fst; - __m256i hint = uu____0.snd; - return (CLITERAL(tuple_25){.fst = count, .snd = hint}); +static KRML_MUSTINLINE size_t libcrux_ml_dsa_simd_avx2_compute_hint_22_80( + __m256i *low, __m256i *high, __m256i *hint) { + return libcrux_ml_dsa_simd_avx2_arithmetic_compute_hint_80(low, high, hint); } /** @@ -7306,13 +5543,13 @@ TraitClause@1]} */ /** A monomorphic instance of libcrux_ml_dsa.polynomial.to_i32_array_ff -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_polynomial_to_i32_array_ff_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *self, +static inline void libcrux_ml_dsa_polynomial_to_i32_array_ff_21( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *self, int32_t ret[256U]) { int32_t result[256U] = {0U}; for (size_t i = (size_t)0U; @@ -7322,259 +5559,226 @@ static inline void libcrux_ml_dsa_polynomial_to_i32_array_ff_ea( i++) { size_t i0 = i; __m256i *simd_unit = &self->simd_units[i0]; - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - result, i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, - (i0 + (size_t)1U) * - LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, - int32_t); - int32_t ret0[8U]; - libcrux_ml_dsa_simd_avx2_to_coefficient_array_a2(simd_unit, ret0); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)8U, ret0, int32_t), int32_t); + __m256i *uu____0 = simd_unit; + libcrux_ml_dsa_simd_avx2_to_coefficient_array_22( + uu____0, + Eurydice_array_to_subslice2( + result, i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + int32_t)); } memcpy(ret, result, (size_t)256U * sizeof(int32_t)); } /** A monomorphic instance of libcrux_ml_dsa.arithmetic.make_hint -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics - DIMENSION= 6 - GAMMA2= 261888 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_e6 libcrux_ml_dsa_arithmetic_make_hint_fe( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 low[6U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 high[6U]) { - int32_t hint[6U][256U] = {{0U}}; +static KRML_MUSTINLINE size_t libcrux_ml_dsa_arithmetic_make_hint_d7( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *low, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *high, + int32_t (*hint)[256U]) { size_t true_hints = (size_t)0U; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b hint_simd = + libcrux_ml_dsa_polynomial_zero_ff_21(); for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { size_t i1 = i0; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 hint_simd = - libcrux_ml_dsa_polynomial_ZERO_ff_ea(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(Eurydice_array_to_slice( (size_t)32U, hint_simd.simd_units, __m256i), __m256i); i++) { size_t j = i; - tuple_25 uu____0 = libcrux_ml_dsa_simd_avx2_compute_hint_a2_80( - low[i1].simd_units[j], high[i1].simd_units[j]); - size_t one_hints_count = uu____0.fst; - __m256i current_hint = uu____0.snd; - hint_simd.simd_units[j] = current_hint; + size_t one_hints_count = libcrux_ml_dsa_simd_avx2_compute_hint_22_80( + &low[i1].simd_units[j], &high[i1].simd_units[j], + &hint_simd.simd_units[j]); true_hints = true_hints + one_hints_count; } - int32_t uu____1[256U]; - libcrux_ml_dsa_polynomial_to_i32_array_ff_ea(&hint_simd, uu____1); - memcpy(hint[i1], uu____1, (size_t)256U * sizeof(int32_t)); + int32_t uu____0[256U]; + libcrux_ml_dsa_polynomial_to_i32_array_ff_21(&hint_simd, uu____0); + memcpy(hint[i1], uu____0, (size_t)256U * sizeof(int32_t)); } - /* Passing arrays by value in Rust generates a copy in C */ - int32_t copy_of_hint[6U][256U]; - memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U])); - tuple_e6 lit; - memcpy(lit.fst, copy_of_hint, (size_t)6U * sizeof(int32_t[256U])); - lit.snd = true_hints; - return lit; -} - -/** -A monomorphic instance of libcrux_ml_dsa.encoding.signature.Signature -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit -with const generics -- $48size_t -- $5size_t -- $6size_t -*/ -typedef struct libcrux_ml_dsa_encoding_signature_Signature_ca_s { - uint8_t commitment_hash[48U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response[5U]; - int32_t hint[6U][256U]; -} libcrux_ml_dsa_encoding_signature_Signature_ca; - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.encoding.gamma1.serialize -with const generics -- GAMMA1_EXPONENT= 19 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_36( - __m256i simd_unit, Eurydice_slice serialized) { - libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( - simd_unit, serialized); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.gamma1_serialize_a2 -with const generics -- GAMMA1_EXPONENT= 19 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_gamma1_serialize_a2_36( - __m256i simd_unit, Eurydice_slice serialized) { - libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_36(simd_unit, serialized); + return true_hints; } /** A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.serialize -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- GAMMA1_EXPONENT= 19 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_serialize_05( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, - Eurydice_slice serialized) { +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_serialize_21( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *re, + Eurydice_slice serialized, size_t gamma1_exponent) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i), + Eurydice_array_to_slice((size_t)32U, re->simd_units, __m256i), __m256i); i++) { size_t i0 = i; - __m256i *simd_unit = &re.simd_units[i0]; - libcrux_ml_dsa_simd_avx2_gamma1_serialize_a2_36( - simd_unit[0U], - Eurydice_slice_subslice2(serialized, i0 * ((size_t)19U + (size_t)1U), - (i0 + (size_t)1U) * ((size_t)19U + (size_t)1U), - uint8_t)); + __m256i *simd_unit = &re->simd_units[i0]; + libcrux_ml_dsa_simd_avx2_gamma1_serialize_22( + simd_unit, + Eurydice_slice_subslice2( + serialized, i0 * (gamma1_exponent + (size_t)1U), + (i0 + (size_t)1U) * (gamma1_exponent + (size_t)1U), uint8_t), + gamma1_exponent); } } /** -This function found in impl -{libcrux_ml_dsa::encoding::signature::Signature[TraitClause@0, TraitClause@1]} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.encoding.signature.serialize_92 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +A monomorphic instance of libcrux_ml_dsa.encoding.signature.serialize +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- COMMITMENT_HASH_SIZE= 48 -- COLUMNS_IN_A= 5 -- ROWS_IN_A= 6 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- MAX_ONES_IN_HINT= 55 -- SIGNATURE_SIZE= 3309 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signature_serialize_92_cc( - libcrux_ml_dsa_encoding_signature_Signature_ca *self, uint8_t ret[3309U]) { - uint8_t signature[3309U] = {0U}; + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signature_serialize_21( + Eurydice_slice commitment_hash, Eurydice_slice signer_response, + Eurydice_slice hint, size_t commitment_hash_size, size_t columns_in_a, + size_t rows_in_a, size_t gamma1_exponent, size_t gamma1_ring_element_size, + size_t max_ones_in_hint, Eurydice_slice signature) { size_t offset = (size_t)0U; - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - signature, offset, offset + (size_t)48U, uint8_t); Eurydice_slice_copy( - uu____0, - Eurydice_array_to_slice((size_t)48U, self->commitment_hash, uint8_t), - uint8_t); - offset = offset + (size_t)48U; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + Eurydice_slice_subslice2(signature, offset, offset + commitment_hash_size, + uint8_t), + commitment_hash, uint8_t); + offset = offset + commitment_hash_size; + for (size_t i = (size_t)0U; i < columns_in_a; i++) { size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = - self->signer_response[i0]; - libcrux_ml_dsa_encoding_gamma1_serialize_05( - uu____1, Eurydice_array_to_subslice2(signature, offset, - offset + (size_t)640U, uint8_t)); - offset = offset + (size_t)640U; + libcrux_ml_dsa_encoding_gamma1_serialize_21( + &Eurydice_slice_index( + signer_response, i0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *), + Eurydice_slice_subslice2(signature, offset, + offset + gamma1_ring_element_size, uint8_t), + gamma1_exponent); + offset = offset + gamma1_ring_element_size; } size_t true_hints_seen = (size_t)0U; - for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + for (size_t i0 = (size_t)0U; i0 < rows_in_a; i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)256U, self->hint[i1], int32_t), - int32_t); + i < + Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)256U, + Eurydice_slice_index(hint, i1, int32_t[256U], + int32_t(*)[256U]), + int32_t), + int32_t); i++) { size_t j = i; - if (self->hint[i1][j] == (int32_t)1) { - signature[offset + true_hints_seen] = (uint8_t)j; + if (Eurydice_slice_index(hint, i1, int32_t[256U], int32_t(*)[256U])[j] == + (int32_t)1) { + Eurydice_slice_index(signature, offset + true_hints_seen, uint8_t, + uint8_t *) = (uint8_t)j; true_hints_seen++; } } - signature[offset + (size_t)55U + i1] = (uint8_t)true_hints_seen; + Eurydice_slice_index(signature, offset + max_ones_in_hint + i1, uint8_t, + uint8_t *) = (uint8_t)true_hints_seen; } - memcpy(ret, signature, (size_t)3309U * sizeof(uint8_t)); } /** - The internal signing API. - - If no `domain_separation_context` is supplied, it is assumed that - `message` already contains the domain separation. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_internal -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign_internal +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( - uint8_t *signing_key, Eurydice_slice message, + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_07( + Eurydice_slice signing_key, Eurydice_slice message, Option_84 domain_separation_context, uint8_t randomness[32U]) { - tuple_f00 uu____0 = - libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_b6(signing_key); - uint8_t seed_for_a[32U]; - memcpy(seed_for_a, uu____0.fst, (size_t)32U * sizeof(uint8_t)); - uint8_t seed_for_signing[32U]; - memcpy(seed_for_signing, uu____0.snd, (size_t)32U * sizeof(uint8_t)); - uint8_t verification_key_hash[64U]; - memcpy(verification_key_hash, uu____0.thd, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1_as_ntt[5U]; - memcpy( - s1_as_ntt, uu____0.f3, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2_as_ntt[6U]; - memcpy( - s2_as_ntt, uu____0.f4, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0_as_ntt[6U]; - memcpy( - t0_as_ntt, uu____0.f5, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 matrix[6U][5U]; + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + signing_key, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_a = uu____0.fst; + Eurydice_slice remaining_serialized0 = uu____0.snd; + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + remaining_serialized0, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_signing = uu____1.fst; + Eurydice_slice remaining_serialized1 = uu____1.snd; + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( + remaining_serialized1, + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice verification_key_hash = uu____2.fst; + Eurydice_slice remaining_serialized2 = uu____2.snd; + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at( + remaining_serialized2, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ERROR_RING_ELEMENT_SIZE * + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice s1_serialized = uu____3.fst; + Eurydice_slice remaining_serialized = uu____3.snd; + Eurydice_slice_uint8_t_x2 uu____4 = Eurydice_slice_split_at( + remaining_serialized, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ERROR_RING_ELEMENT_SIZE * + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice s2_serialized = uu____4.fst; + Eurydice_slice t0_serialized = uu____4.snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b s1_as_ntt[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + s1_as_ntt[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b s2_as_ntt[6U]; for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - matrix[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - matrix[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - matrix[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - matrix[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - matrix[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + s2_as_ntt[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); } - libcrux_ml_dsa_samplex4_avx2_matrix_b8_fe( - Eurydice_array_to_slice((size_t)32U, seed_for_a, uint8_t), matrix); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b t0_as_ntt[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t0_as_ntt[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); + } + libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ETA, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ERROR_RING_ELEMENT_SIZE, + s1_serialized, + Eurydice_array_to_slice( + (size_t)5U, s1_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ETA, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ERROR_RING_ELEMENT_SIZE, + s2_serialized, + Eurydice_array_to_slice( + (size_t)6U, s2_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_21( + t0_serialized, Eurydice_array_to_slice( + (size_t)6U, t0_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b matrix[30U]; + for (size_t i = (size_t)0U; i < (size_t)30U; i++) { + matrix[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); + } + libcrux_ml_dsa_samplex4_avx2_matrix_flat_b8_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, seed_for_a, + Eurydice_array_to_slice( + (size_t)30U, matrix, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); uint8_t message_representative[64U] = {0U}; - uint8_t uu____1[64U]; - memcpy(uu____1, verification_key_hash, (size_t)64U * sizeof(uint8_t)); libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b( - uu____1, domain_separation_context, message, message_representative); + verification_key_hash, &domain_separation_context, message, + message_representative); uint8_t mask_seed[64U] = {0U}; libcrux_sha3_portable_incremental_Shake256Xof shake0 = libcrux_ml_dsa_hash_functions_portable_init_83(); - libcrux_ml_dsa_hash_functions_portable_absorb_83( - &shake0, Eurydice_array_to_slice((size_t)32U, seed_for_signing, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_absorb_83(&shake0, seed_for_signing); libcrux_ml_dsa_hash_functions_portable_absorb_83( &shake0, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t)); libcrux_ml_dsa_hash_functions_portable_absorb_final_83( @@ -7583,46 +5787,80 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( libcrux_ml_dsa_hash_functions_portable_squeeze_83( &shake0, Eurydice_array_to_slice((size_t)64U, mask_seed, uint8_t)); uint16_t domain_separator_for_mask = 0U; - int32_t BETA = (int32_t)((size_t)49U * (size_t)4U); size_t attempt = (size_t)0U; Option_67 commitment_hash0 = {.tag = None}; - Option_a4 signer_response0 = {.tag = None}; + Option_7e signer_response0 = {.tag = None}; Option_f0 hint0 = {.tag = None}; while (attempt < LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN) { attempt++; - uint8_t uu____2[66U]; - libcrux_ml_dsa_utils_into_padded_array_20( - Eurydice_array_to_slice((size_t)64U, mask_seed, uint8_t), uu____2); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 mask[5U]; - libcrux_ml_dsa_sample_sample_mask_vector_51( - uu____2, &domain_separator_for_mask, mask); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A_times_mask[6U]; - libcrux_ml_dsa_matrix_compute_A_times_mask_fe(A_as_ntt, mask, A_times_mask); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_A_times_mask[6U]; - memcpy(copy_of_A_times_mask, A_times_mask, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 - uu____4 = - libcrux_ml_dsa_arithmetic_decompose_vector_fe(copy_of_A_times_mask); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 w0[6U]; - memcpy(w0, uu____4.fst, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 commitment[6U]; - memcpy(commitment, uu____4.snd, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b mask[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + mask[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b w0[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + w0[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b commitment[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + commitment[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); + } + libcrux_ml_dsa_sample_sample_mask_vector_f4( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA1_EXPONENT, mask_seed, + &domain_separator_for_mask, + Eurydice_array_to_slice( + (size_t)5U, mask, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b a_x_mask[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + a_x_mask[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b mask_ntt[5U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)5U, mask, mask_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, void *); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, mask_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); + i++) { + size_t i0 = i; + libcrux_ml_dsa_ntt_ntt_21(&mask_ntt[i0]); + } + libcrux_ml_dsa_matrix_compute_matrix_x_mask_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + Eurydice_array_to_slice( + (size_t)30U, matrix, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)5U, mask_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)6U, a_x_mask, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + libcrux_ml_dsa_arithmetic_decompose_vector_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA2, + Eurydice_array_to_slice( + (size_t)6U, a_x_mask, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)6U, w0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)6U, commitment, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); uint8_t commitment_hash_candidate[48U] = {0U}; - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_commitment0[6U]; - memcpy(copy_of_commitment0, commitment, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - uint8_t commitment_serialized[768U]; - libcrux_ml_dsa_encoding_commitment_serialize_vector_ef( - copy_of_commitment0, commitment_serialized); + uint8_t commitment_serialized[768U] = {0U}; + libcrux_ml_dsa_encoding_commitment_serialize_vector_21( + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_COMMITMENT_RING_ELEMENT_SIZE, + Eurydice_array_to_slice( + (size_t)6U, commitment, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice((size_t)768U, commitment_serialized, uint8_t)); libcrux_sha3_portable_incremental_Shake256Xof shake = libcrux_ml_dsa_hash_functions_portable_init_83(); libcrux_ml_dsa_hash_functions_portable_absorb_83( @@ -7634,107 +5872,110 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( libcrux_ml_dsa_hash_functions_portable_squeeze_83( &shake, Eurydice_array_to_slice((size_t)48U, commitment_hash_candidate, uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_commitment_hash_candidate[48U]; - memcpy(copy_of_commitment_hash_candidate, commitment_hash_candidate, - (size_t)48U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ea( - libcrux_ml_dsa_sample_sample_challenge_ring_element_8a( - copy_of_commitment_hash_candidate)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 challenge_times_s1[5U]; - libcrux_ml_dsa_matrix_vector_times_ring_element_1f( - s1_as_ntt, &verifier_challenge_as_ntt, challenge_times_s1); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 challenge_times_s2[6U]; - libcrux_ml_dsa_matrix_vector_times_ring_element_a3( - s2_as_ntt, &verifier_challenge_as_ntt, challenge_times_s2); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - signer_response_candidate[5U]; - libcrux_ml_dsa_matrix_add_vectors_1f(mask, challenge_times_s1, - signer_response_candidate); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - w0_minus_challenge_times_s2[6U]; - libcrux_ml_dsa_matrix_subtract_vectors_a3(w0, challenge_times_s2, - w0_minus_challenge_times_s2); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - copy_of_signer_response_candidate[5U]; - memcpy(copy_of_signer_response_candidate, signer_response_candidate, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_1f( - copy_of_signer_response_candidate, - ((int32_t)1 << (uint32_t)(size_t)19U) - BETA)) { - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - copy_of_w0_minus_challenge_times_s2[6U]; - memcpy(copy_of_w0_minus_challenge_times_s2, w0_minus_challenge_times_s2, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_a3( - copy_of_w0_minus_challenge_times_s2, (int32_t)261888 - BETA)) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b verifier_challenge = + libcrux_ml_dsa_polynomial_zero_ff_21(); + libcrux_ml_dsa_sample_sample_challenge_ring_element_18( + Eurydice_array_to_slice((size_t)48U, commitment_hash_candidate, + uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ONES_IN_VERIFIER_CHALLENGE, + &verifier_challenge); + libcrux_ml_dsa_ntt_ntt_21(&verifier_challenge); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b challenge_times_s1[5U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)5U, s1_as_ntt, challenge_times_s1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, void *); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b challenge_times_s2[6U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)6U, s2_as_ntt, challenge_times_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, void *); + libcrux_ml_dsa_matrix_vector_times_ring_element_21( + Eurydice_array_to_slice( + (size_t)5U, challenge_times_s1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + &verifier_challenge); + libcrux_ml_dsa_matrix_vector_times_ring_element_21( + Eurydice_array_to_slice( + (size_t)6U, challenge_times_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + &verifier_challenge); + libcrux_ml_dsa_matrix_add_vectors_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + Eurydice_array_to_slice( + (size_t)5U, mask, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)5U, challenge_times_s1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + libcrux_ml_dsa_matrix_subtract_vectors_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + Eurydice_array_to_slice( + (size_t)6U, w0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)6U, challenge_times_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_21( + Eurydice_array_to_slice( + (size_t)5U, mask, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + ((int32_t)1 << (uint32_t) + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA1_EXPONENT) - + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_BETA)) { + if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_21( + Eurydice_array_to_slice( + (size_t)6U, w0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA2 - + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_BETA)) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b challenge_times_t0[6U]; - libcrux_ml_dsa_matrix_vector_times_ring_element_a3( - t0_as_ntt, &verifier_challenge_as_ntt, challenge_times_t0); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - copy_of_challenge_times_t0[6U]; - memcpy(copy_of_challenge_times_t0, challenge_times_t0, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_a3( - copy_of_challenge_times_t0, (int32_t)261888)) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - w0_minus_c_times_s2_plus_c_times_t0[6U]; - libcrux_ml_dsa_matrix_add_vectors_a3( - w0_minus_challenge_times_s2, challenge_times_t0, - w0_minus_c_times_s2_plus_c_times_t0); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - copy_of_w0_minus_c_times_s2_plus_c_times_t0[6U]; - memcpy( - copy_of_w0_minus_c_times_s2_plus_c_times_t0, - w0_minus_c_times_s2_plus_c_times_t0, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - copy_of_commitment[6U]; - memcpy( - copy_of_commitment, commitment, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - tuple_e6 uu____12 = libcrux_ml_dsa_arithmetic_make_hint_fe( - copy_of_w0_minus_c_times_s2_plus_c_times_t0, copy_of_commitment); - int32_t hint_candidate[6U][256U]; - memcpy(hint_candidate, uu____12.fst, - (size_t)6U * sizeof(int32_t[256U])); - size_t ones_in_hint = uu____12.snd; - if (!(ones_in_hint > (size_t)55U)) { + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)6U, t0_as_ntt, challenge_times_t0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, void *); + libcrux_ml_dsa_matrix_vector_times_ring_element_21( + Eurydice_array_to_slice( + (size_t)6U, challenge_times_t0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + &verifier_challenge); + if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_21( + Eurydice_array_to_slice( + (size_t)6U, challenge_times_t0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA2)) { + libcrux_ml_dsa_matrix_add_vectors_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + Eurydice_array_to_slice( + (size_t)6U, w0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)6U, challenge_times_t0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + int32_t hint_candidate[6U][256U] = {{0U}}; + size_t ones_in_hint = libcrux_ml_dsa_arithmetic_make_hint_d7( + w0, commitment, hint_candidate); + if (!(ones_in_hint > + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_MAX_ONES_IN_HINT)) { attempt = LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN; /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_commitment_hash_candidate0[48U]; - memcpy(copy_of_commitment_hash_candidate0, - commitment_hash_candidate, (size_t)48U * sizeof(uint8_t)); + uint8_t copy_of_commitment_hash_candidate[48U]; + memcpy(copy_of_commitment_hash_candidate, commitment_hash_candidate, + (size_t)48U * sizeof(uint8_t)); Option_67 lit0; lit0.tag = Some; - memcpy(lit0.f0, copy_of_commitment_hash_candidate0, + memcpy(lit0.f0, copy_of_commitment_hash_candidate, (size_t)48U * sizeof(uint8_t)); commitment_hash0 = lit0; /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - copy_of_signer_response_candidate0[5U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b copy_of_mask[5U]; memcpy( - copy_of_signer_response_candidate0, signer_response_candidate, + copy_of_mask, mask, (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - Option_a4 lit1; + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + Option_7e lit1; lit1.tag = Some; memcpy( - lit1.f0, copy_of_signer_response_candidate0, + lit1.f0, copy_of_mask, (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); signer_response0 = lit1; /* Passing arrays by value in Rust generates a copy in C */ int32_t copy_of_hint_candidate[6U][256U]; @@ -7750,9 +5991,9 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( } } } - Result_2e uu____16; + Result_2e uu____8; if (commitment_hash0.tag == None) { - uu____16 = (CLITERAL(Result_2e){ + uu____8 = (CLITERAL(Result_2e){ .tag = Err, .val = {.case_Err = libcrux_ml_dsa_types_SigningError_RejectionSamplingError}}); @@ -7763,22 +6004,22 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( uint8_t commitment_hash[48U]; memcpy(commitment_hash, commitment_hash1, (size_t)48U * sizeof(uint8_t)); if (signer_response0.tag == None) { - uu____16 = (CLITERAL(Result_2e){ + uu____8 = (CLITERAL(Result_2e){ .tag = Err, .val = { .case_Err = libcrux_ml_dsa_types_SigningError_RejectionSamplingError}}); } else { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response1[5U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b signer_response1[5U]; memcpy(signer_response1, signer_response0.f0, (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response[5U]; + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b signer_response[5U]; memcpy(signer_response, signer_response1, (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); if (hint0.tag == None) { - uu____16 = (CLITERAL(Result_2e){ + uu____8 = (CLITERAL(Result_2e){ .tag = Err, .val = { .case_Err = @@ -7788,30 +6029,20 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( memcpy(hint1, hint0.f0, (size_t)6U * sizeof(int32_t[256U])); int32_t hint[6U][256U]; memcpy(hint, hint1, (size_t)6U * sizeof(int32_t[256U])); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_commitment_hash[48U]; - memcpy(copy_of_commitment_hash, commitment_hash, - (size_t)48U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - copy_of_signer_response[5U]; - memcpy(copy_of_signer_response, signer_response, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - /* Passing arrays by value in Rust generates a copy in C */ - int32_t copy_of_hint[6U][256U]; - memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U])); - uint8_t signature[3309U]; - libcrux_ml_dsa_encoding_signature_Signature_ca lit0; - memcpy(lit0.commitment_hash, copy_of_commitment_hash, - (size_t)48U * sizeof(uint8_t)); - memcpy(lit0.signer_response, copy_of_signer_response, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - memcpy(lit0.hint, copy_of_hint, (size_t)6U * sizeof(int32_t[256U])); - /* original Rust expression is not an lvalue in C */ - libcrux_ml_dsa_encoding_signature_Signature_ca lvalue = lit0; - libcrux_ml_dsa_encoding_signature_serialize_92_cc(&lvalue, signature); + uint8_t signature[3309U] = {0U}; + libcrux_ml_dsa_encoding_signature_serialize_21( + Eurydice_array_to_slice((size_t)48U, commitment_hash, uint8_t), + Eurydice_array_to_slice( + (size_t)5U, signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice((size_t)6U, hint, int32_t[256U]), + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COMMITMENT_HASH_SIZE, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA1_EXPONENT, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_MAX_ONES_IN_HINT, + Eurydice_array_to_slice((size_t)3309U, signature, uint8_t)); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_signature[3309U]; memcpy(copy_of_signature, signature, (size_t)3309U * sizeof(uint8_t)); @@ -7822,36 +6053,25 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( } } } - return uu____16; + return uu____8; } /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_6b( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_07(Eurydice_slice signing_key, + Eurydice_slice message, + Eurydice_slice context, + uint8_t randomness[32U]) { Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( context, (CLITERAL(Option_30){.tag = None})); if (!(uu____0.tag == Ok)) { @@ -7863,77 +6083,38 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_6b( libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = dsc; - uint8_t *uu____1 = signing_key; + Eurydice_slice uu____1 = signing_key; Eurydice_slice uu____2 = message; Option_84 uu____3 = {.tag = Some, .f0 = domain_separation_context}; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_07( uu____1, uu____2, uu____3, copy_of_randomness); } -/** - Sign. -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.sign with const -generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 -*/ KRML_ATTRIBUTE_TARGET("avx2") static inline Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_f3( +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_sign__inner( uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - uint8_t *uu____0 = signing_key; + Eurydice_slice uu____0 = + Eurydice_array_to_slice((size_t)4032U, signing_key, uint8_t); Eurydice_slice uu____1 = message; Eurydice_slice uu____2 = context; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_6b(uu____0, uu____1, uu____2, - copy_of_randomness); + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_07( + uu____0, uu____1, uu____2, copy_of_randomness); } /** Sign. */ -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.sign -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 -*/ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_f3( +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_sign( uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { uint8_t *uu____0 = signing_key; @@ -7942,7 +6123,7 @@ libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_f3( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_f3( + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_sign__inner( uu____0, uu____1, uu____2, copy_of_randomness); } @@ -7963,13 +6144,14 @@ static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_f3( + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_sign( uu____0, uu____1, uu____2, copy_of_randomness); } /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_pre_hashed -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign_pre_hashed with types +libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_portable_Shake128, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, @@ -7977,37 +6159,21 @@ libcrux_ml_dsa_hash_functions_simd256_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_hash_functions_simd256_Shake256x4, libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics -- PH_DIGEST_LEN= 256 -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 + */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE Result_2e -libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_b7(uint8_t *signing_key, - Eurydice_slice message, - Eurydice_slice context, - uint8_t randomness[32U]) { +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_37( + Eurydice_slice signing_key, Eurydice_slice message, Eurydice_slice context, + Eurydice_slice pre_hash_buffer, uint8_t randomness[32U]) { if (!(Eurydice_slice_len(context, uint8_t) > LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN)) { - uint8_t pre_hashed_message[256U]; - libcrux_ml_dsa_pre_hash_hash_bd_54(message, pre_hashed_message); + libcrux_ml_dsa_pre_hash_hash_3e_cc(message, pre_hash_buffer); Eurydice_slice uu____0 = context; Option_30 lit; lit.tag = Some; uint8_t ret[11U]; - libcrux_ml_dsa_pre_hash_oid_bd(ret); + libcrux_ml_dsa_pre_hash_oid_3e(ret); memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t)); Result_a8 uu____1 = libcrux_ml_dsa_pre_hash_new_45(uu____0, lit); if (!(uu____1.tag == Ok)) { @@ -8019,14 +6185,13 @@ libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_b7(uint8_t *signing_key, libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____1.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = dsc; - uint8_t *uu____2 = signing_key; - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t); + Eurydice_slice uu____2 = signing_key; + Eurydice_slice uu____3 = pre_hash_buffer; Option_84 uu____4 = {.tag = Some, .f0 = domain_separation_context}; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_internal_6b( + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_07( uu____2, uu____3, uu____4, copy_of_randomness); } return (CLITERAL(Result_2e){ @@ -8035,78 +6200,40 @@ libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_b7(uint8_t *signing_key, libcrux_ml_dsa_types_SigningError_ContextTooLongError}}); } -/** - Sign (pre-hashed). -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.sign_pre_hashed_shake128 -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 -*/ KRML_ATTRIBUTE_TARGET("avx2") static inline Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_pre_hashed_shake128_f3( +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_sign_pre_hashed_shake128__inner( uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - uint8_t *uu____0 = signing_key; + Eurydice_slice pre_hash_buffer, uint8_t randomness[32U]) { + Eurydice_slice uu____0 = + Eurydice_array_to_slice((size_t)4032U, signing_key, uint8_t); Eurydice_slice uu____1 = message; Eurydice_slice uu____2 = context; + Eurydice_slice uu____3 = pre_hash_buffer; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_b7( - uu____0, uu____1, uu____2, copy_of_randomness); + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_37( + uu____0, uu____1, uu____2, uu____3, copy_of_randomness); } /** Sign (pre-hashed). */ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.sign_pre_hashed_shake128 with -const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 -*/ KRML_ATTRIBUTE_TARGET("avx2") static inline Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_pre_hashed_shake128_f3( +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_sign_pre_hashed_shake128( uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { + Eurydice_slice pre_hash_buffer, uint8_t randomness[32U]) { uint8_t *uu____0 = signing_key; Eurydice_slice uu____1 = message; Eurydice_slice uu____2 = context; + Eurydice_slice uu____3 = pre_hash_buffer; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_pre_hashed_shake128_f3( - uu____0, uu____1, uu____2, copy_of_randomness); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_sign_pre_hashed_shake128__inner( + uu____0, uu____1, uu____2, uu____3, copy_of_randomness); } /** @@ -8120,166 +6247,116 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign_pre_hashed_shake128( libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { + uint8_t pre_hash_buffer[256U] = {0U}; uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); Eurydice_slice uu____1 = message; Eurydice_slice uu____2 = context; + Eurydice_slice uu____3 = + Eurydice_array_to_slice((size_t)256U, pre_hash_buffer, uint8_t); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_pre_hashed_shake128_f3( - uu____0, uu____1, uu____2, copy_of_randomness); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_sign_pre_hashed_shake128( + uu____0, uu____1, uu____2, uu____3, copy_of_randomness); } -/** -A monomorphic instance of K. -with types uint8_t[32size_t], libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[6size_t] - -*/ -typedef struct tuple_930_s { - uint8_t fst[32U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd[6U]; -} tuple_930; - /** A monomorphic instance of libcrux_ml_dsa.encoding.t1.deserialize -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_dsa_encoding_t1_deserialize_ea( +static inline void libcrux_ml_dsa_encoding_t1_deserialize_21( Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *result) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(Eurydice_array_to_slice( (size_t)32U, result->simd_units, __m256i), __m256i); i++) { size_t i0 = i; - __m256i uu____0 = - libcrux_ml_dsa_simd_avx2_t1_deserialize_a2(Eurydice_slice_subslice2( + libcrux_ml_dsa_simd_avx2_t1_deserialize_22( + Eurydice_slice_subslice2( serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW, (i0 + (size_t)1U) * LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW, - uint8_t)); - result->simd_units[i0] = uu____0; + uint8_t), + &result->simd_units[i0]); } } /** A monomorphic instance of libcrux_ml_dsa.encoding.verification_key.deserialize -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- ROWS_IN_A= 6 -- VERIFICATION_KEY_SIZE= 1952 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_930 -libcrux_ml_dsa_encoding_verification_key_deserialize_fe(uint8_t *serialized) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - t1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( - Eurydice_array_to_slice((size_t)1952U, serialized, uint8_t), - LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, - Eurydice_slice_uint8_t_x2); - Eurydice_slice seed_for_A = uu____0.fst; - Eurydice_slice serialized_remaining = uu____0.snd; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_verification_key_deserialize_21( + size_t rows_in_a, size_t verification_key_size, Eurydice_slice serialized, + Eurydice_slice t1) { + for (size_t i = (size_t)0U; i < rows_in_a; i++) { size_t i0 = i; - libcrux_ml_dsa_encoding_t1_deserialize_ea( + libcrux_ml_dsa_encoding_t1_deserialize_21( Eurydice_slice_subslice2( - serialized_remaining, - i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, + serialized, i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, (i0 + (size_t)1U) * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, uint8_t), - &t1[i0]); + &Eurydice_slice_index( + t1, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); } - uint8_t uu____1[32U]; - Result_fb dst; - Eurydice_slice_to_array2(&dst, seed_for_A, Eurydice_slice, uint8_t[32U]); - unwrap_26_b3(dst, uu____1); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U]; - memcpy( - copy_of_t1, t1, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - tuple_930 lit; - memcpy(lit.fst, uu____1, (size_t)32U * sizeof(uint8_t)); - memcpy( - lit.snd, copy_of_t1, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - return lit; } /** -A monomorphic instance of core.result.Result -with types libcrux_ml_dsa_encoding_signature_Signature -libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[[$6size_t]][[$5size_t]][[$48size_t]], -libcrux_ml_dsa_types_VerificationError - -*/ -typedef struct Result_ef0_s { - Result_a9_tags tag; - union { - libcrux_ml_dsa_encoding_signature_Signature_ca case_Ok; - libcrux_ml_dsa_types_VerificationError case_Err; - } val; -} Result_ef0; - -/** -This function found in impl -{libcrux_ml_dsa::encoding::signature::Signature[TraitClause@0, TraitClause@1]} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.encoding.signature.deserialize_92 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +A monomorphic instance of libcrux_ml_dsa.encoding.signature.deserialize +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- COMMITMENT_HASH_SIZE= 48 -- COLUMNS_IN_A= 5 -- ROWS_IN_A= 6 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- MAX_ONES_IN_HINT= 55 -- SIGNATURE_SIZE= 3309 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_ef0 -libcrux_ml_dsa_encoding_signature_deserialize_92_cc(uint8_t *serialized) { +static KRML_MUSTINLINE Result_41 +libcrux_ml_dsa_encoding_signature_deserialize_21( + size_t columns_in_a, size_t rows_in_a, size_t commitment_hash_size, + size_t gamma1_exponent, size_t gamma1_ring_element_size, + size_t max_ones_in_hint, size_t signature_size, Eurydice_slice serialized, + Eurydice_slice out_commitment_hash, Eurydice_slice out_signer_response, + Eurydice_slice out_hint) { Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( - Eurydice_array_to_slice((size_t)3309U, serialized, uint8_t), (size_t)48U, - uint8_t, Eurydice_slice_uint8_t_x2); + serialized, commitment_hash_size, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice commitment_hash = uu____0.fst; Eurydice_slice rest_of_serialized = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = - Eurydice_slice_split_at(rest_of_serialized, (size_t)640U * (size_t)5U, - uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice_copy(Eurydice_slice_subslice2(out_commitment_hash, (size_t)0U, + commitment_hash_size, uint8_t), + commitment_hash, uint8_t); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + rest_of_serialized, gamma1_ring_element_size * columns_in_a, uint8_t, + Eurydice_slice_uint8_t_x2); Eurydice_slice signer_response_serialized = uu____1.fst; Eurydice_slice hint_serialized = uu____1.snd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - signer_response[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + for (size_t i = (size_t)0U; i < columns_in_a; i++) { size_t i0 = i; - libcrux_ml_dsa_encoding_gamma1_deserialize_05( - Eurydice_slice_subslice2(signer_response_serialized, i0 * (size_t)640U, - (i0 + (size_t)1U) * (size_t)640U, uint8_t), - &signer_response[i0]); + libcrux_ml_dsa_encoding_gamma1_deserialize_21( + gamma1_exponent, + Eurydice_slice_subslice2( + signer_response_serialized, i0 * gamma1_ring_element_size, + (i0 + (size_t)1U) * gamma1_ring_element_size, uint8_t), + &Eurydice_slice_index( + out_signer_response, i0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); } - int32_t hint[6U][256U] = {{0U}}; size_t previous_true_hints_seen = (size_t)0U; size_t i = (size_t)0U; bool malformed_hint = false; - while (i < (size_t)6U) { + while (i < rows_in_a) { if (malformed_hint) { break; } else { size_t current_true_hints_seen = (size_t)Eurydice_slice_index( - hint_serialized, (size_t)55U + i, uint8_t, uint8_t *); + hint_serialized, max_ones_in_hint + i, uint8_t, uint8_t *); size_t j; bool uu____2; bool uu____3; @@ -8296,13 +6373,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_cc(uint8_t *serialized) { size_t uu____14; bool uu____15; size_t uu____16; - size_t uu____17; - uint8_t uu____18; - size_t uu____19; - bool uu____20; - size_t uu____21; + Eurydice_slice *uu____17; + size_t uu____18; + uint8_t uu____19; + size_t uu____20; + bool uu____21; + size_t uu____22; if (!(current_true_hints_seen < previous_true_hints_seen)) { - if (!(previous_true_hints_seen > (size_t)55U)) { + if (!(previous_true_hints_seen > max_ones_in_hint)) { j = previous_true_hints_seen; while (true) { uu____2 = malformed_hint; @@ -8330,11 +6408,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_cc(uint8_t *serialized) { uu____15 = malformed_hint; if (!uu____15) { uu____16 = i; - uu____19 = j; - uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uu____17 = &out_hint; + uu____20 = j; + uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); - uu____17 = (size_t)uu____18; - hint[uu____16][uu____17] = (int32_t)1; + uu____18 = (size_t)uu____19; + Eurydice_slice_index(out_hint, uu____16, int32_t[256U], + int32_t(*)[256U])[uu____18] = + (int32_t)1; j++; } continue; @@ -8343,11 +6424,13 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_cc(uint8_t *serialized) { uu____15 = malformed_hint; if (!uu____15) { uu____16 = i; - uu____19 = j; - uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uu____17 = &out_hint; + uu____20 = j; + uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); - uu____17 = (size_t)uu____18; - hint[uu____16][uu____17] = (int32_t)1; + uu____18 = (size_t)uu____19; + Eurydice_slice_index(out_hint, uu____16, int32_t[256U], + int32_t(*)[256U])[uu____18] = (int32_t)1; j++; } } else { @@ -8355,10 +6438,10 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_cc(uint8_t *serialized) { } } } - uu____20 = malformed_hint; - if (!uu____20) { - uu____21 = current_true_hints_seen; - previous_true_hints_seen = uu____21; + uu____21 = malformed_hint; + if (!uu____21) { + uu____22 = current_true_hints_seen; + previous_true_hints_seen = uu____22; i++; } continue; @@ -8392,11 +6475,13 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_cc(uint8_t *serialized) { uu____15 = malformed_hint; if (!uu____15) { uu____16 = i; - uu____19 = j; - uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uu____17 = &out_hint; + uu____20 = j; + uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); - uu____17 = (size_t)uu____18; - hint[uu____16][uu____17] = (int32_t)1; + uu____18 = (size_t)uu____19; + Eurydice_slice_index(out_hint, uu____16, int32_t[256U], + int32_t(*)[256U])[uu____18] = (int32_t)1; j++; } continue; @@ -8405,11 +6490,13 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_cc(uint8_t *serialized) { uu____15 = malformed_hint; if (!uu____15) { uu____16 = i; - uu____19 = j; - uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uu____17 = &out_hint; + uu____20 = j; + uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); - uu____17 = (size_t)uu____18; - hint[uu____16][uu____17] = (int32_t)1; + uu____18 = (size_t)uu____19; + Eurydice_slice_index(out_hint, uu____16, int32_t[256U], + int32_t(*)[256U])[uu____18] = (int32_t)1; j++; } } else { @@ -8417,16 +6504,16 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_cc(uint8_t *serialized) { } } } - uu____20 = malformed_hint; - if (!uu____20) { - uu____21 = current_true_hints_seen; - previous_true_hints_seen = uu____21; + uu____21 = malformed_hint; + if (!uu____21) { + uu____22 = current_true_hints_seen; + previous_true_hints_seen = uu____22; i++; } } } i = previous_true_hints_seen; - while (i < (size_t)55U) { + while (i < max_ones_in_hint) { if (malformed_hint) { break; } else { @@ -8437,35 +6524,11 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_cc(uint8_t *serialized) { } } if (!malformed_hint) { - uint8_t uu____22[48U]; - Result_ae dst; - Eurydice_slice_to_array2(&dst, commitment_hash, Eurydice_slice, - uint8_t[48U]); - unwrap_26_28(dst, uu____22); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - copy_of_signer_response[5U]; - memcpy(copy_of_signer_response, signer_response, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - /* Passing arrays by value in Rust generates a copy in C */ - int32_t copy_of_hint[6U][256U]; - memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U])); - Result_ef0 lit; - lit.tag = Ok; - memcpy(lit.val.case_Ok.commitment_hash, uu____22, - (size_t)48U * sizeof(uint8_t)); - memcpy(lit.val.case_Ok.signer_response, copy_of_signer_response, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - memcpy(lit.val.case_Ok.hint, copy_of_hint, - (size_t)6U * sizeof(int32_t[256U])); - return lit; + return (CLITERAL(Result_41){.tag = Ok}); } - return (CLITERAL(Result_ef0){ + return (CLITERAL(Result_41){ .tag = Err, - .val = {.case_Err = - libcrux_ml_dsa_types_VerificationError_MalformedHintError}}); + .f0 = libcrux_ml_dsa_types_VerificationError_MalformedHintError}); } /** @@ -8474,11 +6537,11 @@ libcrux_ml_dsa.simd.avx2.arithmetic.shift_left_then_reduce with const generics - SHIFT_BY= 13 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_arithmetic_shift_left_then_reduce_84( - __m256i simd_unit) { - __m256i shifted = - libcrux_intrinsics_avx2_mm256_slli_epi32((int32_t)13, simd_unit, __m256i); + __m256i *simd_unit) { + __m256i shifted = libcrux_intrinsics_avx2_mm256_slli_epi32( + (int32_t)13, simd_unit[0U], __m256i); __m256i quotient = libcrux_intrinsics_avx2_mm256_add_epi32( shifted, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1 << 22U)); __m256i quotient0 = @@ -8487,49 +6550,42 @@ libcrux_ml_dsa_simd_avx2_arithmetic_shift_left_then_reduce_84( libcrux_intrinsics_avx2_mm256_mullo_epi32( quotient0, libcrux_intrinsics_avx2_mm256_set1_epi32( LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS)); - return libcrux_intrinsics_avx2_mm256_sub_epi32(shifted, - quotient_times_field_modulus); + simd_unit[0U] = libcrux_intrinsics_avx2_mm256_sub_epi32( + shifted, quotient_times_field_modulus); } /** This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} */ /** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.shift_left_then_reduce_a2 +A monomorphic instance of libcrux_ml_dsa.simd.avx2.shift_left_then_reduce_22 with const generics - SHIFT_BY= 13 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_shift_left_then_reduce_a2_84(__m256i simd_unit) { - return libcrux_ml_dsa_simd_avx2_arithmetic_shift_left_then_reduce_84( - simd_unit); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_shift_left_then_reduce_22_84(__m256i *simd_unit) { + libcrux_ml_dsa_simd_avx2_arithmetic_shift_left_then_reduce_84(simd_unit); } /** A monomorphic instance of libcrux_ml_dsa.arithmetic.shift_left_then_reduce -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics - SHIFT_BY= 13 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 -libcrux_ml_dsa_arithmetic_shift_left_then_reduce_68( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 out = - libcrux_ml_dsa_polynomial_ZERO_ff_ea(); +static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_shift_left_then_reduce_3a( + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i), + Eurydice_array_to_slice((size_t)32U, re->simd_units, __m256i), __m256i); i++) { size_t i0 = i; - __m256i *simd_unit = &re.simd_units[i0]; - out.simd_units[i0] = - libcrux_ml_dsa_simd_avx2_shift_left_then_reduce_a2_84(simd_unit[0U]); + libcrux_ml_dsa_simd_avx2_shift_left_then_reduce_22_84(&re->simd_units[i0]); } - return out; } /** @@ -8537,271 +6593,240 @@ libcrux_ml_dsa_arithmetic_shift_left_then_reduce_68( */ /** A monomorphic instance of libcrux_ml_dsa.matrix.compute_w_approx -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_w_approx_fe( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*A_as_ntt)[5U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response[5U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - verifier_challenge_as_ntt, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, signer_response, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); - i++) { - size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = - libcrux_ml_dsa_ntt_ntt_ea(signer_response[i0]); - signer_response[i0] = uu____0; - } - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, A_as_ntt, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]); - i0++) { + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_w_approx_21( + size_t rows_in_a, size_t columns_in_a, Eurydice_slice matrix, + Eurydice_slice signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b + *verifier_challenge_as_ntt, + Eurydice_slice t1) { + for (size_t i0 = (size_t)0U; i0 < rows_in_a; i0++) { size_t i1 = i0; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *row = A_as_ntt[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, row, - libcrux_ml_dsa_polynomial_PolynomialRingElement_24), - libcrux_ml_dsa_polynomial_PolynomialRingElement_24); - i++) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b inner_result = + libcrux_ml_dsa_polynomial_zero_ff_21(); + for (size_t i = (size_t)0U; i < columns_in_a; i++) { size_t j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = - &row[j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 product = - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(ring_element, - &signer_response[j]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = - libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &product); - result[i1] = uu____1; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b product = + Eurydice_slice_index( + matrix, i1 * columns_in_a + j, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *); + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_21( + &product, &Eurydice_slice_index( + signer_response, j, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_polynomial_add_ff_21(&inner_result, &product); } - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1_shifted = - libcrux_ml_dsa_arithmetic_shift_left_then_reduce_68(t1[i1]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1_shifted0 = - libcrux_ml_dsa_ntt_ntt_ea(t1_shifted); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - challenge_times_t1_shifted = - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea( - &verifier_challenge_as_ntt, &t1_shifted0); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = - libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea( - libcrux_ml_dsa_polynomial_subtract_ff_ea( - &result[i1], &challenge_times_t1_shifted)); - result[i1] = uu____2; + libcrux_ml_dsa_arithmetic_shift_left_then_reduce_3a(&Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_ntt_ntt_21(&Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_21( + &Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *), + verifier_challenge_as_ntt); + libcrux_ml_dsa_polynomial_subtract_ff_21( + &inner_result, + &Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); + Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) = inner_result; + libcrux_ml_dsa_ntt_invert_ntt_montgomery_21(&Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.arithmetic.use_hint -with const generics -- GAMMA2= 261888 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_arithmetic_use_hint_80(__m256i r, __m256i hint) { - core_core_arch_x86___m256i_x2 uu____0 = - libcrux_ml_dsa_simd_avx2_arithmetic_decompose_80(r); - __m256i r0 = uu____0.fst; - __m256i r1 = uu____0.snd; - __m256i all_zeros = libcrux_intrinsics_avx2_mm256_setzero_si256(); - __m256i negate_hints = - libcrux_intrinsics_avx2_vec256_blendv_epi32(all_zeros, hint, r0); - __m256i negate_hints0 = libcrux_intrinsics_avx2_mm256_slli_epi32( - (int32_t)1, negate_hints, __m256i); - __m256i hints = libcrux_intrinsics_avx2_mm256_sub_epi32(hint, negate_hints0); - __m256i r1_plus_hints = libcrux_intrinsics_avx2_mm256_add_epi32(r1, hints); - return libcrux_intrinsics_avx2_mm256_and_si256( - r1_plus_hints, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)15)); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.use_hint_a2 -with const generics -- GAMMA2= 261888 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_dsa_simd_avx2_use_hint_a2_80(__m256i simd_unit, __m256i hint) { - return libcrux_ml_dsa_simd_avx2_arithmetic_use_hint_80(simd_unit, hint); } /** A monomorphic instance of libcrux_ml_dsa.arithmetic.use_hint -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- DIMENSION= 6 -- GAMMA2= 261888 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_use_hint_fe( - int32_t hint[6U][256U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re_vector[6U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_use_hint_21( + int32_t gamma2, Eurydice_slice hint, Eurydice_slice re_vector) { + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + re_vector, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); + i0++) { size_t i1 = i0; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 hint_simd = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( - Eurydice_array_to_slice((size_t)256U, hint[i1], int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b tmp = + libcrux_ml_dsa_polynomial_zero_ff_21(); + libcrux_ml_dsa_polynomial_from_i32_array_ff_21( + Eurydice_array_to_slice( + (size_t)256U, + Eurydice_slice_index(hint, i1, int32_t[256U], int32_t(*)[256U]), + int32_t), + &tmp); for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)32U, result->simd_units, __m256i), - __m256i); + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, + Eurydice_slice_index( + re_vector, (size_t)0U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) + .simd_units, + __m256i), + __m256i); i++) { size_t j = i; - __m256i uu____0 = libcrux_ml_dsa_simd_avx2_use_hint_a2_80( - re_vector[i1].simd_units[j], hint_simd.simd_units[j]); - result[i1].simd_units[j] = uu____0; + libcrux_ml_dsa_simd_avx2_use_hint_22( + gamma2, + &Eurydice_slice_index( + re_vector, i1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) + .simd_units[j], + &tmp.simd_units[j]); } + Eurydice_slice_index( + re_vector, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) = tmp; } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); } /** - The internal verification API. - - If no `domain_separation_context` is supplied, it is assumed that - `message` already contains the domain separation. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_internal -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.verify_internal with types +libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 + */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE Result_41 -libcrux_ml_dsa_ml_dsa_generic_verify_internal_44( - uint8_t *verification_key_serialized, Eurydice_slice message, +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_internal_07( + uint8_t *verification_key, Eurydice_slice message, Option_84 domain_separation_context, uint8_t *signature_serialized) { - tuple_930 uu____0 = libcrux_ml_dsa_encoding_verification_key_deserialize_fe( - verification_key_serialized); - uint8_t seed_for_a[32U]; - memcpy(seed_for_a, uu____0.fst, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U]; - memcpy( - t1, uu____0.snd, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - Result_ef0 uu____1 = - libcrux_ml_dsa_encoding_signature_deserialize_92_cc(signature_serialized); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)1952U, verification_key, uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_a = uu____0.fst; + Eurydice_slice t1_serialized = uu____0.snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b t1[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t1[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); + } + libcrux_ml_dsa_encoding_verification_key_deserialize_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_VERIFICATION_KEY_SIZE, + t1_serialized, + Eurydice_array_to_slice( + (size_t)6U, t1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + uint8_t deserialized_commitment_hash[48U] = {0U}; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b + deserialized_signer_response[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + deserialized_signer_response[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); + } + int32_t deserialized_hint[6U][256U] = {{0U}}; + Result_41 uu____1 = libcrux_ml_dsa_encoding_signature_deserialize_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COMMITMENT_HASH_SIZE, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA1_EXPONENT, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_MAX_ONES_IN_HINT, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_SIGNATURE_SIZE, + Eurydice_array_to_slice((size_t)3309U, signature_serialized, uint8_t), + Eurydice_array_to_slice((size_t)48U, deserialized_commitment_hash, + uint8_t), + Eurydice_array_to_slice( + (size_t)5U, deserialized_signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice((size_t)6U, deserialized_hint, int32_t[256U])); Result_41 uu____2; if (uu____1.tag == Ok) { - libcrux_ml_dsa_encoding_signature_Signature_ca s = uu____1.val.case_Ok; - libcrux_ml_dsa_encoding_signature_Signature_ca signature = s; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____3[5U]; - memcpy(uu____3, signature.signer_response, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - if (libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_1f( - uu____3, ((int32_t)2 << (uint32_t)(size_t)19U) - (int32_t)196)) { + if (libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_21( + Eurydice_array_to_slice( + (size_t)5U, deserialized_signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + ((int32_t)2 << (uint32_t) + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA1_EXPONENT) - + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_BETA)) { uu____2 = (CLITERAL(Result_41){ .tag = Err, .f0 = libcrux_ml_dsa_types_VerificationError_SignerResponseExceedsBoundError}); } else { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 matrix[6U][5U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - matrix[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - matrix[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - matrix[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - matrix[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - matrix[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b matrix[30U]; + for (size_t i = (size_t)0U; i < (size_t)30U; i++) { + matrix[i] = libcrux_ml_dsa_polynomial_zero_ff_21(); } - libcrux_ml_dsa_samplex4_avx2_matrix_b8_fe( - Eurydice_array_to_slice((size_t)32U, seed_for_a, uint8_t), matrix); + libcrux_ml_dsa_samplex4_avx2_matrix_flat_b8_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, seed_for_a, + Eurydice_array_to_slice( + (size_t)30U, matrix, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); uint8_t verification_key_hash[64U] = {0U}; libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24( - Eurydice_array_to_slice((size_t)1952U, verification_key_serialized, - uint8_t), + Eurydice_array_to_slice((size_t)1952U, verification_key, uint8_t), verification_key_hash); uint8_t message_representative[64U] = {0U}; - uint8_t uu____4[64U]; - memcpy(uu____4, verification_key_hash, (size_t)64U * sizeof(uint8_t)); libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b( - uu____4, domain_separation_context, message, message_representative); - uint8_t uu____5[48U]; - memcpy(uu____5, signature.commitment_hash, (size_t)48U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 - verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ea( - libcrux_ml_dsa_sample_sample_challenge_ring_element_8a(uu____5)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24(*uu____6)[5U] = matrix; - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____7[5U]; - memcpy(uu____7, signature.signer_response, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____8 = - verifier_challenge_as_ntt; - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U]; - memcpy(copy_of_t1, t1, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 w_approx[6U]; - libcrux_ml_dsa_matrix_compute_w_approx_fe(uu____6, uu____7, uu____8, - copy_of_t1, w_approx); - uint8_t commitment_hash[48U] = {0U}; - int32_t uu____10[6U][256U]; - memcpy(uu____10, signature.hint, (size_t)6U * sizeof(int32_t[256U])); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_w_approx[6U]; - memcpy(copy_of_w_approx, w_approx, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 commitment[6U]; - libcrux_ml_dsa_arithmetic_use_hint_fe(uu____10, copy_of_w_approx, - commitment); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_commitment[6U]; - memcpy(copy_of_commitment, commitment, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - uint8_t commitment_serialized[768U]; - libcrux_ml_dsa_encoding_commitment_serialize_vector_ef( - copy_of_commitment, commitment_serialized); + Eurydice_array_to_slice((size_t)64U, verification_key_hash, uint8_t), + &domain_separation_context, message, message_representative); + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b verifier_challenge = + libcrux_ml_dsa_polynomial_zero_ff_21(); + libcrux_ml_dsa_sample_sample_challenge_ring_element_18( + Eurydice_array_to_slice((size_t)48U, deserialized_commitment_hash, + uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ONES_IN_VERIFIER_CHALLENGE, + &verifier_challenge); + libcrux_ml_dsa_ntt_ntt_21(&verifier_challenge); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, deserialized_signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); + i++) { + size_t i0 = i; + libcrux_ml_dsa_ntt_ntt_21(&deserialized_signer_response[i0]); + } + libcrux_ml_dsa_matrix_compute_w_approx_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + Eurydice_array_to_slice( + (size_t)30U, matrix, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)5U, deserialized_signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + &verifier_challenge, + Eurydice_array_to_slice( + (size_t)6U, t1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + uint8_t recomputed_commitment_hash[48U] = {0U}; + libcrux_ml_dsa_arithmetic_use_hint_21( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA2, + Eurydice_array_to_slice((size_t)6U, deserialized_hint, int32_t[256U]), + Eurydice_array_to_slice( + (size_t)6U, t1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); + uint8_t commitment_serialized[768U] = {0U}; + libcrux_ml_dsa_encoding_commitment_serialize_vector_21( + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_COMMITMENT_RING_ELEMENT_SIZE, + Eurydice_array_to_slice( + (size_t)6U, t1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice((size_t)768U, commitment_serialized, + uint8_t)); libcrux_sha3_portable_incremental_Shake256Xof shake = libcrux_ml_dsa_hash_functions_portable_init_83(); libcrux_ml_dsa_hash_functions_portable_absorb_83( @@ -8811,11 +6836,11 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_44( &shake, Eurydice_array_to_slice((size_t)768U, commitment_serialized, uint8_t)); libcrux_ml_dsa_hash_functions_portable_squeeze_83( - &shake, - Eurydice_array_to_slice((size_t)48U, commitment_hash, uint8_t)); + &shake, Eurydice_array_to_slice((size_t)48U, + recomputed_commitment_hash, uint8_t)); if (core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( - (size_t)48U, signature.commitment_hash, commitment_hash, uint8_t, - uint8_t, bool)) { + (size_t)48U, deserialized_commitment_hash, + recomputed_commitment_hash, uint8_t, uint8_t, bool)) { uu____2 = (CLITERAL(Result_41){.tag = Ok}); } else { uu____2 = (CLITERAL(Result_41){ @@ -8825,35 +6850,24 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_44( } } } else { - libcrux_ml_dsa_types_VerificationError e = uu____1.val.case_Err; + libcrux_ml_dsa_types_VerificationError e = uu____1.f0; uu____2 = (CLITERAL(Result_41){.tag = Err, .f0 = e}); } return uu____2; } /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.verify +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_44( +static KRML_MUSTINLINE Result_41 +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_07( uint8_t *verification_key_serialized, Eurydice_slice message, Eurydice_slice context, uint8_t *signature_serialized) { Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( @@ -8867,68 +6881,30 @@ static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_44( libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = dsc; - return libcrux_ml_dsa_ml_dsa_generic_verify_internal_44( + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_internal_07( verification_key_serialized, message, (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}), signature_serialized); } -/** - Verify. -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.verify with const -generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ KRML_ATTRIBUTE_TARGET("avx2") static inline Result_41 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_01( +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_verify__inner( uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, uint8_t *signature) { - return libcrux_ml_dsa_ml_dsa_generic_verify_44(verification_key, message, - context, signature); + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_07( + verification_key, message, context, signature); } /** Verify. */ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.verify with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ KRML_ATTRIBUTE_TARGET("avx2") static inline Result_41 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_01( +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_verify( uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, uint8_t *signature) { - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_01( + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_verify__inner( verification_key, message, context, signature); } @@ -8943,48 +6919,36 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline Result_41 libcrux_ml_dsa_ml_dsa_65_avx2_verify( libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, Eurydice_slice message, Eurydice_slice context, - libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_01( + libcrux_ml_dsa_types_MLDSASignature_8f *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_verify( libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, libcrux_ml_dsa_types_as_ref_8f_fa(signature)); } /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_pre_hashed -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.verify_pre_hashed with types +libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_portable_Shake128, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics -- PH_DIGEST_LEN= 256 -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 + */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE Result_41 -libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_f8( +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_pre_hashed_37( uint8_t *verification_key_serialized, Eurydice_slice message, - Eurydice_slice context, uint8_t *signature_serialized) { - uint8_t pre_hashed_message[256U]; - libcrux_ml_dsa_pre_hash_hash_bd_54(message, pre_hashed_message); + Eurydice_slice context, Eurydice_slice pre_hash_buffer, + uint8_t *signature_serialized) { + libcrux_ml_dsa_pre_hash_hash_3e_cc(message, pre_hash_buffer); Eurydice_slice uu____0 = context; Option_30 lit; lit.tag = Some; uint8_t ret[11U]; - libcrux_ml_dsa_pre_hash_oid_bd(ret); + libcrux_ml_dsa_pre_hash_oid_3e(ret); memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t)); Result_a8 uu____1 = libcrux_ml_dsa_pre_hash_new_45(uu____0, lit); if (!(uu____1.tag == Ok)) { @@ -8996,71 +6960,31 @@ libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_f8( libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____1.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = dsc; - return libcrux_ml_dsa_ml_dsa_generic_verify_internal_44( - verification_key_serialized, - Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t), + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_internal_07( + verification_key_serialized, pre_hash_buffer, (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}), signature_serialized); } -/** - Verify (pre-hashed with SHAKE-128). -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.verify_pre_hashed_shake128 -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ KRML_ATTRIBUTE_TARGET("avx2") static inline Result_41 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_pre_hashed_shake128_01( +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_verify_pre_hashed_shake128__inner( uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, - uint8_t *signature) { - return libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_f8( - verification_key, message, context, signature); + Eurydice_slice pre_hash_buffer, uint8_t *signature) { + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_pre_hashed_37( + verification_key, message, context, pre_hash_buffer, signature); } /** Verify (pre-hashed with SHAKE-128). */ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.verify_pre_hashed_shake128 -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ KRML_ATTRIBUTE_TARGET("avx2") static inline Result_41 -libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_pre_hashed_shake128_01( +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_verify_pre_hashed_shake128( uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, - uint8_t *signature) { - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_pre_hashed_shake128_01( - verification_key, message, context, signature); + Eurydice_slice pre_hash_buffer, uint8_t *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_verify_pre_hashed_shake128__inner( + verification_key, message, context, pre_hash_buffer, signature); } /** @@ -9075,9 +6999,11 @@ static inline Result_41 libcrux_ml_dsa_ml_dsa_65_avx2_verify_pre_hashed_shake128( libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, Eurydice_slice message, Eurydice_slice context, - libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { - return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_pre_hashed_shake128_01( + libcrux_ml_dsa_types_MLDSASignature_8f *signature) { + uint8_t pre_hash_buffer[256U] = {0U}; + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_verify_pre_hashed_shake128( libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, + Eurydice_array_to_slice((size_t)256U, pre_hash_buffer, uint8_t), libcrux_ml_dsa_types_as_ref_8f_fa(signature)); } @@ -9154,23 +7080,15 @@ libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_generate_shuffle_table( /** This function found in impl {(core::clone::Clone for -libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)#1} +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_clone_0f( +static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_clone_b1( __m256i *self) { return self[0U]; } -/** -This function found in impl {(core::convert::From -for libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_from_af( - __m256i coefficients) { - return coefficients; -} +typedef __m256i libcrux_ml_dsa_simd_avx2_vector_type_AVX2RingElement[32U]; #if defined(__cplusplus) } diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h index 26b22d2ce..c0c85d238 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: db4e045d4597d06d854ce7a2c10e8dcfda6ecd25 - * Eurydice: 75eae2e2534a16f5ba5430e6ee5c69d8a46f3bea - * Karamel: 3823e3d82fa0b271d799b61c59ffb4742ddc1e65 + * Charon: 0de54092afb546bf53cd8261c79499f3cae2c24b + * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a + * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 834b7f51701fa4e8695a784c138ed230f49f0c4e + * Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 */ #ifndef __libcrux_mldsa65_portable_H @@ -22,6 +22,19 @@ extern "C" { #include "libcrux_core.h" #include "libcrux_sha3_portable.h" +#define libcrux_ml_dsa_constants_Eta_Two 2 +#define libcrux_ml_dsa_constants_Eta_Four 4 + +typedef uint8_t libcrux_ml_dsa_constants_Eta; + +#define LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT ((size_t)8U) + +#define LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U) + +#define LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT \ + (LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \ + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) + #define LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T ((size_t)13U) #define LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH \ @@ -33,12 +46,16 @@ extern "C" { #define LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH ((size_t)64U) -#define LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U) - #define LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN ((size_t)255U) #define LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS ((int32_t)8380417) +#define LIBCRUX_ML_DSA_CONSTANTS_GAMMA2_V261_888 ((int32_t)261888) + +#define LIBCRUX_ML_DSA_CONSTANTS_GAMMA2_V95_232 ((int32_t)95232) + +typedef int32_t libcrux_ml_dsa_constants_Gamma2; + #define LIBCRUX_ML_DSA_CONSTANTS_KEY_GENERATION_RANDOMNESS_SIZE ((size_t)32U) #define LIBCRUX_ML_DSA_CONSTANTS_MASK_SEED_SIZE ((size_t)64U) @@ -63,6 +80,114 @@ extern "C" { #define LIBCRUX_ML_DSA_CONSTANTS_SIGNING_RANDOMNESS_SIZE ((size_t)32U) +static inline int32_t libcrux_ml_dsa_constants_beta( + size_t ones_in_verifier_challenge, libcrux_ml_dsa_constants_Eta eta) { + size_t eta_val; + if (eta == libcrux_ml_dsa_constants_Eta_Two) { + eta_val = (size_t)2U; + } else { + eta_val = (size_t)4U; + } + return (int32_t)(ones_in_verifier_challenge * eta_val); +} + +static inline size_t libcrux_ml_dsa_constants_commitment_ring_element_size( + size_t bits_per_commitment_coefficient) { + return bits_per_commitment_coefficient * + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U; +} + +static inline size_t libcrux_ml_dsa_constants_commitment_vector_size( + size_t bits_per_commitment_coefficient, size_t rows_in_a) { + return libcrux_ml_dsa_constants_commitment_ring_element_size( + bits_per_commitment_coefficient) * + rows_in_a; +} + +static inline size_t libcrux_ml_dsa_constants_error_ring_element_size( + size_t bits_per_error_coefficient) { + return bits_per_error_coefficient * + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U; +} + +static inline size_t libcrux_ml_dsa_constants_gamma1_ring_element_size( + size_t bits_per_gamma1_coefficient) { + return bits_per_gamma1_coefficient * + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U; +} + +static inline size_t libcrux_ml_dsa_constants_signature_size( + size_t rows_in_a, size_t columns_in_a, size_t max_ones_in_hint, + size_t commitment_hash_size, size_t bits_per_gamma1_coefficient) { + return commitment_hash_size + + columns_in_a * libcrux_ml_dsa_constants_gamma1_ring_element_size( + bits_per_gamma1_coefficient) + + max_ones_in_hint + rows_in_a; +} + +static inline size_t libcrux_ml_dsa_constants_signing_key_size( + size_t rows_in_a, size_t columns_in_a, size_t error_ring_element_size) { + return LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE + + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH + + (rows_in_a + columns_in_a) * error_ring_element_size + + rows_in_a * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; +} + +static inline size_t libcrux_ml_dsa_constants_verification_key_size( + size_t rows_in_a) { + return LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * rows_in_a * + (LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - + LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T) / + (size_t)8U; +} + +#define LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_BITS_PER_COMMITMENT_COEFFICIENT \ + ((size_t)4U) + +#define LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_BITS_PER_ERROR_COEFFICIENT \ + ((size_t)4U) + +#define LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_BITS_PER_GAMMA1_COEFFICIENT \ + ((size_t)20U) + +#define LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A ((size_t)5U) + +#define LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COMMITMENT_HASH_SIZE ((size_t)48U) + +#define LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ETA \ + (libcrux_ml_dsa_constants_Eta_Four) + +#define LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA1_EXPONENT ((size_t)19U) + +#define LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA2 \ + ((LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS - (int32_t)1) / (int32_t)32) + +#define LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_MAX_ONES_IN_HINT ((size_t)55U) + +#define LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ONES_IN_VERIFIER_CHALLENGE \ + ((size_t)49U) + +#define LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A ((size_t)6U) + +/** +This function found in impl {(core::clone::Clone for +libcrux_ml_dsa::constants::Eta)} +*/ +static inline libcrux_ml_dsa_constants_Eta libcrux_ml_dsa_constants_clone_f8( + libcrux_ml_dsa_constants_Eta *self) { + return self[0U]; +} + +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_encoding_error_chunk_size(libcrux_ml_dsa_constants_Eta eta) { + if (!(eta == libcrux_ml_dsa_constants_Eta_Two)) { + return (size_t)4U; + } + return (size_t)3U; +} + #define LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT ((size_t)13U) #define LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW ((size_t)10U) @@ -138,6 +263,11 @@ libcrux_ml_dsa_hash_functions_portable_init_absorb_x4(Eurydice_slice input0, .state0 = state0, .state1 = state1, .state2 = state2, .state3 = state3}); } +static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake128( + Eurydice_slice input, Eurydice_slice out) { + libcrux_sha3_portable_shake128(out, input); +} + static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_shake256( libcrux_sha3_portable_KeccakState *state, uint8_t ret[136U]) { @@ -289,6 +419,15 @@ libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4( return lit; } +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::Xof for +libcrux_ml_dsa::hash_functions::portable::Shake128)#1} +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake128_a0( + Eurydice_slice input, Eurydice_slice out) { + libcrux_ml_dsa_hash_functions_portable_shake128(input, out); +} + /** This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4 for libcrux_ml_dsa::hash_functions::portable::Shake128X4)} @@ -434,609 +573,513 @@ libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( #define LIBCRUX_ML_DSA_HASH_FUNCTIONS_SHAKE256_BLOCK_SIZE ((size_t)136U) -#define LIBCRUX_ML_DSA_ML_DSA_65_ONES_IN_VERIFIER_CHALLENGE ((size_t)49U) - -#define LIBCRUX_ML_DSA_ML_DSA_65_ETA ((size_t)4U) - -#define LIBCRUX_ML_DSA_ML_DSA_65_BETA \ - ((int32_t)(LIBCRUX_ML_DSA_ML_DSA_65_ONES_IN_VERIFIER_CHALLENGE * \ - LIBCRUX_ML_DSA_ML_DSA_65_ETA)) +#define LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ERROR_RING_ELEMENT_SIZE \ + (libcrux_ml_dsa_constants_error_ring_element_size( \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_BITS_PER_ERROR_COEFFICIENT)) -#define LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_COMMITMENT_COEFFICIENT ((size_t)4U) +#define LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_SIGNING_KEY_SIZE \ + (libcrux_ml_dsa_constants_signing_key_size( \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, \ + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ERROR_RING_ELEMENT_SIZE)) -#define LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_ERROR_COEFFICIENT ((size_t)4U) +#define LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_VERIFICATION_KEY_SIZE \ + (libcrux_ml_dsa_constants_verification_key_size( \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A)) -#define LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_GAMMA1_COEFFICIENT ((size_t)20U) - -#define LIBCRUX_ML_DSA_ML_DSA_65_COLUMNS_IN_A ((size_t)5U) - -#define LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_HASH_SIZE ((size_t)48U) - -#define LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_RING_ELEMENT_SIZE \ - (LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_COMMITMENT_COEFFICIENT * \ - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U) - -#define LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A ((size_t)6U) - -#define LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_VECTOR_SIZE \ - (LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_RING_ELEMENT_SIZE * \ - LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A) - -#define LIBCRUX_ML_DSA_ML_DSA_65_ERROR_RING_ELEMENT_SIZE \ - (LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_ERROR_COEFFICIENT * \ - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U) - -#define LIBCRUX_ML_DSA_ML_DSA_65_GAMMA1_EXPONENT ((size_t)19U) +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_add_error_domain_separator( + Eurydice_slice slice, uint16_t domain_separator, uint8_t ret[66U]) { + uint8_t out[66U] = {0U}; + uint8_t *uu____0 = out; + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); + out[64U] = (uint8_t)domain_separator; + out[65U] = (uint8_t)((uint32_t)domain_separator >> 8U); + memcpy(ret, out, (size_t)66U * sizeof(uint8_t)); +} -#define LIBCRUX_ML_DSA_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE \ - (LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_GAMMA1_COEFFICIENT * \ - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U) +#define LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS ((int32_t)8380417) -#define LIBCRUX_ML_DSA_ML_DSA_65_GAMMA2 \ - ((LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS - (int32_t)1) / (int32_t)32) +#define LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R \ + (58728449ULL) -#define LIBCRUX_ML_DSA_ML_DSA_65_MAX_ONES_IN_HINT ((size_t)55U) +typedef struct uint8_t_x2_s { + uint8_t fst; + uint8_t snd; +} uint8_t_x2; -typedef libcrux_ml_dsa_types_MLDSASigningKey_22 - libcrux_ml_dsa_ml_dsa_65_MLDSA65SigningKey; +static inline uint8_t_x2 +libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_xy(size_t index, + size_t width) { + return (CLITERAL(uint8_t_x2){.fst = (uint8_t)(index / width), + .snd = (uint8_t)(index % width)}); +} -typedef libcrux_ml_dsa_types_MLDSAVerificationKey_ea - libcrux_ml_dsa_ml_dsa_65_MLDSA65VerificationKey; +static KRML_MUSTINLINE uint16_t +libcrux_ml_dsa_sample_generate_domain_separator(uint8_t_x2 _) { + uint8_t row = _.fst; + uint8_t column = _.snd; + return (uint32_t)(uint16_t)column | (uint32_t)(uint16_t)row << 8U; +} -#define LIBCRUX_ML_DSA_ML_DSA_65_ROW_COLUMN \ - (LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A + LIBCRUX_ML_DSA_ML_DSA_65_COLUMNS_IN_A) +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_add_domain_separator( + Eurydice_slice slice, uint8_t_x2 indices, uint8_t ret[34U]) { + uint8_t out[34U] = {0U}; + uint8_t *uu____0 = out; + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); + uint16_t domain_separator = + libcrux_ml_dsa_sample_generate_domain_separator(indices); + out[32U] = (uint8_t)domain_separator; + out[33U] = (uint8_t)((uint32_t)domain_separator >> 8U); + memcpy(ret, out, (size_t)34U * sizeof(uint8_t)); +} -#define LIBCRUX_ML_DSA_ML_DSA_65_SIGNATURE_SIZE \ - (LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_HASH_SIZE + \ - LIBCRUX_ML_DSA_ML_DSA_65_COLUMNS_IN_A * \ - LIBCRUX_ML_DSA_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE + \ - LIBCRUX_ML_DSA_ML_DSA_65_MAX_ONES_IN_HINT + \ - LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A) +typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { + Eurydice_slice context; + Option_30 pre_hash_oid; +} libcrux_ml_dsa_pre_hash_DomainSeparationContext; -#define LIBCRUX_ML_DSA_ML_DSA_65_SIGNING_KEY_SIZE \ - (LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + \ - LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE + \ - LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH + \ - (LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A + \ - LIBCRUX_ML_DSA_ML_DSA_65_COLUMNS_IN_A) * \ - LIBCRUX_ML_DSA_ML_DSA_65_ERROR_RING_ELEMENT_SIZE + \ - LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A * \ - LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE) +#define libcrux_ml_dsa_pre_hash_DomainSeparationError_ContextTooLongError 0 -#define LIBCRUX_ML_DSA_ML_DSA_65_VERIFICATION_KEY_SIZE \ - (LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + \ - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * \ - LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A * \ - (LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - \ - LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T) / \ - (size_t)8U) +typedef uint8_t libcrux_ml_dsa_pre_hash_DomainSeparationError; /** -A monomorphic instance of K. -with types uint8_t[4032size_t], uint8_t[1952size_t] +A monomorphic instance of core.result.Result +with types libcrux_ml_dsa_pre_hash_DomainSeparationContext, +libcrux_ml_dsa_pre_hash_DomainSeparationError */ -typedef struct tuple_a0_s { - uint8_t fst[4032U]; - uint8_t snd[1952U]; -} tuple_a0; +typedef struct Result_a8_s { + Result_a9_tags tag; + union { + libcrux_ml_dsa_pre_hash_DomainSeparationContext case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationError case_Err; + } val; +} Result_a8; /** - Generate key pair. + `context` must be at most 255 bytes long. */ /** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.generate_key_pair with -const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ROW_COLUMN= 11 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- SIGNING_KEY_SIZE= 4032 -- VERIFICATION_KEY_SIZE= 1952 -*/ -static inline tuple_a0 -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_c9( - uint8_t randomness[32U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); - KRML_HOST_EXIT(255U); +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Result_a8 libcrux_ml_dsa_pre_hash_new_45(Eurydice_slice context, + Option_30 pre_hash_oid) { + if (!(Eurydice_slice_len(context, uint8_t) > + LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN)) { + return (CLITERAL(Result_a8){ + .tag = Ok, + .val = { + .case_Ok = {.context = context, .pre_hash_oid = pre_hash_oid}}}); + } + return (CLITERAL(Result_a8){ + .tag = Err, + .val = { + .case_Err = + libcrux_ml_dsa_pre_hash_DomainSeparationError_ContextTooLongError}}); } /** - Generate an ML-DSA-65 Key Pair + Returns the pre-hash OID, if any. */ -static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair -libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(uint8_t randomness[32U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - tuple_a0 uu____1 = - libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_c9( - copy_of_randomness); - uint8_t signing_key[4032U]; - memcpy(signing_key, uu____1.fst, (size_t)4032U * sizeof(uint8_t)); - uint8_t verification_key[1952U]; - memcpy(verification_key, uu____1.snd, (size_t)1952U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_signing_key[4032U]; - memcpy(copy_of_signing_key, signing_key, (size_t)4032U * sizeof(uint8_t)); - libcrux_ml_dsa_types_MLDSASigningKey_22 uu____3 = - libcrux_ml_dsa_types_new_9b_09(copy_of_signing_key); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_verification_key[1952U]; - memcpy(copy_of_verification_key, verification_key, - (size_t)1952U * sizeof(uint8_t)); - libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair lit; - lit.signing_key = uu____3; - lit.verification_key = - libcrux_ml_dsa_types_new_66_97(copy_of_verification_key); - return lit; +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Option_30 *libcrux_ml_dsa_pre_hash_pre_hash_oid_45( + libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { + return &self->pre_hash_oid; } /** - Sign. + Returns the context, guaranteed to be at most 255 bytes long. */ /** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} */ -static inline Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); - KRML_HOST_EXIT(255U); +static inline Eurydice_slice libcrux_ml_dsa_pre_hash_context_45( + libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { + return self->context; } -/** - Generate an ML-DSA-65 Signature +#define LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_COMMITMENT_RING_ELEMENT_SIZE \ + (libcrux_ml_dsa_constants_commitment_ring_element_size( \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_BITS_PER_COMMITMENT_COEFFICIENT)) - The parameter `context` is used for domain separation - and is a byte string of length at most 255 bytes. It - may also be empty. -*/ -static inline Result_2e libcrux_ml_dsa_ml_dsa_65_portable_sign( - libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, - Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); - Eurydice_slice uu____1 = message; - Eurydice_slice uu____2 = context; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( - uu____0, uu____1, uu____2, copy_of_randomness); +static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_inside_out_shuffle( + Eurydice_slice randomness, size_t *out_index, uint64_t *signs, + int32_t *result) { + bool done = false; + for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); + i++) { + size_t _cloop_j = i; + uint8_t *byte = + &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); + if (!done) { + size_t sample_at = (size_t)byte[0U]; + if (sample_at <= out_index[0U]) { + result[out_index[0U]] = result[sample_at]; + out_index[0U] = out_index[0U] + (size_t)1U; + result[sample_at] = + (int32_t)1 - (int32_t)2 * (int32_t)(signs[0U] & 1ULL); + signs[0U] = signs[0U] >> 1U; + size_t uu____0 = out_index[0U]; + done = uu____0 == Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)256U, result, int32_t), + int32_t); + } else { + size_t uu____1 = out_index[0U]; + done = uu____1 == Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)256U, result, int32_t), + int32_t); + } + } + } + return done; } +#define LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_BETA \ + (libcrux_ml_dsa_constants_beta( \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ONES_IN_VERIFIER_CHALLENGE, \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ETA)) + +#define LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE \ + (libcrux_ml_dsa_constants_gamma1_ring_element_size( \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_BITS_PER_GAMMA1_COEFFICIENT)) + +static const uint8_t libcrux_ml_dsa_pre_hash_SHAKE128_OID[11U] = { + 6U, 9U, 96U, 134U, 72U, 1U, 101U, 3U, 4U, 2U, 11U}; + /** - Sign (pre-hashed). -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign_pre_hashed_shake128 -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 +This function found in impl {(libcrux_ml_dsa::pre_hash::PreHash for +libcrux_ml_dsa::pre_hash::SHAKE128_PH)} */ -static inline Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); - KRML_HOST_EXIT(255U); +static inline void libcrux_ml_dsa_pre_hash_oid_3e(uint8_t ret[11U]) { + memcpy(ret, libcrux_ml_dsa_pre_hash_SHAKE128_OID, + (size_t)11U * sizeof(uint8_t)); +} + +#define LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_SIGNATURE_SIZE \ + (libcrux_ml_dsa_constants_signature_size( \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_MAX_ONES_IN_HINT, \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COMMITMENT_HASH_SIZE, \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_BITS_PER_GAMMA1_COEFFICIENT)) + +typedef struct libcrux_ml_dsa_simd_portable_vector_type_Coefficients_s { + int32_t values[8U]; +} libcrux_ml_dsa_simd_portable_vector_type_Coefficients; + +static inline libcrux_ml_dsa_simd_portable_vector_type_Coefficients +libcrux_ml_dsa_simd_portable_vector_type_zero(void) { + libcrux_ml_dsa_simd_portable_vector_type_Coefficients lit; + lit.values[0U] = (int32_t)0; + lit.values[1U] = (int32_t)0; + lit.values[2U] = (int32_t)0; + lit.values[3U] = (int32_t)0; + lit.values[4U] = (int32_t)0; + lit.values[5U] = (int32_t)0; + lit.values[6U] = (int32_t)0; + lit.values[7U] = (int32_t)0; + return lit; } /** - Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing - - The parameter `context` is used for domain separation - and is a byte string of length at most 255 bytes. It - may also be empty. +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} */ -static inline Result_2e -libcrux_ml_dsa_ml_dsa_65_portable_sign_pre_hashed_shake128( - libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, - Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); - Eurydice_slice uu____1 = message; - Eurydice_slice uu____2 = context; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3( - uu____0, uu____1, uu____2, copy_of_randomness); +static inline libcrux_ml_dsa_simd_portable_vector_type_Coefficients +libcrux_ml_dsa_simd_portable_zero_e9(void) { + return libcrux_ml_dsa_simd_portable_vector_type_zero(); } -/** - Verify. -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.verify with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ -static inline Result_41 -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01( - uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, - uint8_t *signature) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); - KRML_HOST_EXIT(255U); +static inline void +libcrux_ml_dsa_simd_portable_vector_type_from_coefficient_array( + Eurydice_slice array, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *out) { + Eurydice_slice_copy( + Eurydice_array_to_slice((size_t)8U, out->values, int32_t), + Eurydice_slice_subslice2( + array, (size_t)0U, + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, int32_t), + int32_t); } /** - Verify an ML-DSA-65 Signature - - The parameter `context` is used for domain separation - and is a byte string of length at most 255 bytes. It - may also be empty. +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} */ -static inline Result_41 libcrux_ml_dsa_ml_dsa_65_portable_verify( - libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, - Eurydice_slice message, Eurydice_slice context, - libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { - return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01( - libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, - libcrux_ml_dsa_types_as_ref_8f_fa(signature)); +static inline void libcrux_ml_dsa_simd_portable_from_coefficient_array_e9( + Eurydice_slice array, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *out) { + libcrux_ml_dsa_simd_portable_vector_type_from_coefficient_array(array, out); } -/** - Verify (pre-hashed with SHAKE-128). -*/ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.verify_pre_hashed_shake128 -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ -static inline Result_41 -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_pre_hashed_shake128_01( - uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, - uint8_t *signature) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes Self::Coefficient\")\n"); - KRML_HOST_EXIT(255U); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_vector_type_to_coefficient_array( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *value, + Eurydice_slice out) { + Eurydice_slice_copy( + out, Eurydice_array_to_slice((size_t)8U, value->values, int32_t), + int32_t); } /** - Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing - - The parameter `context` is used for domain separation - and is a byte string of length at most 255 bytes. It - may also be empty. +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} */ -static inline Result_41 -libcrux_ml_dsa_ml_dsa_65_portable_verify_pre_hashed_shake128( - libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, - Eurydice_slice message, Eurydice_slice context, - libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { - return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_pre_hashed_shake128_01( - libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, - libcrux_ml_dsa_types_as_ref_8f_fa(signature)); +static inline void libcrux_ml_dsa_simd_portable_to_coefficient_array_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *value, + Eurydice_slice out) { + libcrux_ml_dsa_simd_portable_vector_type_to_coefficient_array(value, out); } -typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { - Eurydice_slice context; - Option_30 pre_hash_oid; -} libcrux_ml_dsa_pre_hash_DomainSeparationContext; - -/** - Returns the pre-hash OID, if any. -*/ -/** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} -*/ -static inline Option_30 *libcrux_ml_dsa_pre_hash_pre_hash_oid_45( - libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { - return &self->pre_hash_oid; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_arithmetic_add( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *lhs, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *rhs) { + for (size_t i = (size_t)0U; + i < + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, lhs->values, int32_t), int32_t); + i++) { + size_t i0 = i; + size_t uu____0 = i0; + lhs->values[uu____0] = lhs->values[uu____0] + rhs->values[i0]; + } } /** - Returns the context, guaranteed to be at most 255 bytes long. -*/ -/** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} */ -static inline Eurydice_slice libcrux_ml_dsa_pre_hash_context_45( - libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { - return self->context; +static inline void libcrux_ml_dsa_simd_portable_add_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *lhs, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *rhs) { + libcrux_ml_dsa_simd_portable_arithmetic_add(lhs, rhs); } -#define libcrux_ml_dsa_pre_hash_DomainSeparationError_ContextTooLongError 0 - -typedef uint8_t libcrux_ml_dsa_pre_hash_DomainSeparationError; - -#define LIBCRUX_ML_DSA_PRE_HASH_PRE_HASH_OID_LEN ((size_t)11U) - -typedef uint8_t libcrux_ml_dsa_pre_hash_PreHashOID[11U]; - -static const uint8_t libcrux_ml_dsa_pre_hash_SHAKE128_OID[11U] = { - 6U, 9U, 96U, 134U, 72U, 1U, 101U, 3U, 4U, 2U, 11U}; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_arithmetic_subtract( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *lhs, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *rhs) { + for (size_t i = (size_t)0U; + i < + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, lhs->values, int32_t), int32_t); + i++) { + size_t i0 = i; + size_t uu____0 = i0; + lhs->values[uu____0] = lhs->values[uu____0] - rhs->values[i0]; + } +} /** -This function found in impl -{(core::convert::From for -libcrux_ml_dsa::types::SigningError)#2} +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} */ -static inline libcrux_ml_dsa_types_SigningError libcrux_ml_dsa_pre_hash_from_4b( - libcrux_ml_dsa_pre_hash_DomainSeparationError e) { - return libcrux_ml_dsa_types_SigningError_ContextTooLongError; +static inline void libcrux_ml_dsa_simd_portable_subtract_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *lhs, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *rhs) { + libcrux_ml_dsa_simd_portable_arithmetic_subtract(lhs, rhs); } -/** -This function found in impl -{(core::convert::From for -libcrux_ml_dsa::types::VerificationError)#3} -*/ -static inline libcrux_ml_dsa_types_VerificationError -libcrux_ml_dsa_pre_hash_from_b6( - libcrux_ml_dsa_pre_hash_DomainSeparationError e) { - return libcrux_ml_dsa_types_VerificationError_VerificationContextTooLongError; +static KRML_MUSTINLINE bool +libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + int32_t bound) { + bool result = false; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit->values, int32_t), int32_t); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + lit, core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + Option_08 uu____0 = + core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08); + if (uu____0.tag == None) { + return result; + } else { + size_t i = uu____0.f0; + int32_t coefficient = simd_unit->values[i]; + int32_t sign = coefficient >> 31U; + int32_t normalized = coefficient - (sign & (int32_t)2 * coefficient); + bool uu____1; + if (result) { + uu____1 = true; + } else { + uu____1 = normalized >= bound; + } + result = uu____1; + } + } } /** -This function found in impl {(libcrux_ml_dsa::pre_hash::PreHash<256: usize> for -libcrux_ml_dsa::pre_hash::SHAKE128_PH)} +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} */ -static inline void libcrux_ml_dsa_pre_hash_oid_bd(uint8_t ret[11U]) { - memcpy(ret, libcrux_ml_dsa_pre_hash_SHAKE128_OID, - (size_t)11U * sizeof(uint8_t)); +static inline bool libcrux_ml_dsa_simd_portable_infinity_norm_exceeds_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + int32_t bound) { + return libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds( + simd_unit, bound); } -#define libcrux_ml_dsa_pre_hash_Ok 0 -#define libcrux_ml_dsa_pre_hash_Err 1 - -typedef uint8_t libcrux_ml_dsa_pre_hash_PreHashResult_tags; +typedef struct int32_t_x2_s { + int32_t fst; + int32_t snd; +} int32_t_x2; -typedef struct libcrux_ml_dsa_pre_hash_PreHashResult_s { - libcrux_ml_dsa_pre_hash_PreHashResult_tags tag; - union { - libcrux_ml_dsa_pre_hash_DomainSeparationContext case_Ok; - libcrux_ml_dsa_pre_hash_DomainSeparationError case_Err; - } val; -} libcrux_ml_dsa_pre_hash_PreHashResult; +static KRML_MUSTINLINE int32_t_x2 +libcrux_ml_dsa_simd_portable_arithmetic_decompose_element(int32_t gamma2, + int32_t r) { + int32_t r0 = r + (r >> 31U & LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + int32_t ceil_of_r_by_128 = (r0 + (int32_t)127) >> 7U; + int32_t r1; + switch (gamma2) { + case 95232: { + int32_t result = + (ceil_of_r_by_128 * (int32_t)11275 + ((int32_t)1 << 23U)) >> 24U; + r1 = (result ^ ((int32_t)43 - result) >> 31U) & result; + break; + } + case 261888: { + int32_t result = + (ceil_of_r_by_128 * (int32_t)1025 + ((int32_t)1 << 21U)) >> 22U; + r1 = result & (int32_t)15; + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } + int32_t alpha = gamma2 * (int32_t)2; + int32_t r00 = r0 - r1 * alpha; + r00 = r00 - + (((LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2 - + r00) >> + 31U & + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + return (CLITERAL(int32_t_x2){.fst = r00, .snd = r1}); +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_arithmetic_decompose( + int32_t gamma2, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *low, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *high) { + for (size_t i = (size_t)0U; + i < + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, low->values, int32_t), int32_t); + i++) { + size_t i0 = i; + int32_t_x2 uu____0 = + libcrux_ml_dsa_simd_portable_arithmetic_decompose_element( + gamma2, simd_unit->values[i0]); + int32_t lhs0 = uu____0.fst; + int32_t lhs = uu____0.snd; + low->values[i0] = lhs0; + high->values[i0] = lhs; + } +} /** - `context` must be at most 255 bytes long. -*/ -/** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} */ -static inline libcrux_ml_dsa_pre_hash_PreHashResult -libcrux_ml_dsa_pre_hash_new_45(Eurydice_slice context, Option_30 pre_hash_oid) { - if (!(Eurydice_slice_len(context, uint8_t) > - LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN)) { - return (CLITERAL(libcrux_ml_dsa_pre_hash_PreHashResult){ - .tag = libcrux_ml_dsa_pre_hash_Ok, - .val = { - .case_Ok = {.context = context, .pre_hash_oid = pre_hash_oid}}}); - } - return (CLITERAL(libcrux_ml_dsa_pre_hash_PreHashResult){ - .tag = libcrux_ml_dsa_pre_hash_Err, - .val = { - .case_Err = - libcrux_ml_dsa_pre_hash_DomainSeparationError_ContextTooLongError}}); +static inline void libcrux_ml_dsa_simd_portable_decompose_e9( + int32_t gamma2, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *low, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *high) { + libcrux_ml_dsa_simd_portable_arithmetic_decompose(gamma2, simd_unit, low, + high); } -typedef struct uint8_t_x2_s { - uint8_t fst; - uint8_t snd; -} uint8_t_x2; +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_arithmetic_use_one_hint(int32_t gamma2, int32_t r, + int32_t hint) { + int32_t_x2 uu____0 = + libcrux_ml_dsa_simd_portable_arithmetic_decompose_element(gamma2, r); + int32_t r0 = uu____0.fst; + int32_t r1 = uu____0.snd; + int32_t uu____1; + if (!(hint == (int32_t)0)) { + switch (gamma2) { + case 95232: { + if (r0 > (int32_t)0) { + if (r1 == (int32_t)43) { + uu____1 = (int32_t)0; + } else { + uu____1 = r1 + hint; + } + } else if (r1 == (int32_t)0) { + uu____1 = (int32_t)43; + } else { + uu____1 = r1 - hint; + } + break; + } + case 261888: { + if (r0 > (int32_t)0) { + uu____1 = (r1 + hint) & (int32_t)15; + } else { + uu____1 = (r1 - hint) & (int32_t)15; + } + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } + return uu____1; + } + return r1; +} -static KRML_MUSTINLINE uint16_t -libcrux_ml_dsa_sample_generate_domain_separator(uint8_t_x2 _) { - uint8_t row = _.fst; - uint8_t column = _.snd; - return (uint32_t)(uint16_t)column | (uint32_t)(uint16_t)row << 8U; +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_arithmetic_use_hint( + int32_t gamma2, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *hint) { + for (size_t i = (size_t)0U; + i < + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, hint->values, int32_t), int32_t); + i++) { + size_t i0 = i; + int32_t uu____0 = libcrux_ml_dsa_simd_portable_arithmetic_use_one_hint( + gamma2, simd_unit->values[i0], hint->values[i0]); + hint->values[i0] = uu____0; + } } -static KRML_MUSTINLINE void libcrux_ml_dsa_sample_add_domain_separator( - Eurydice_slice slice, uint8_t_x2 indices, uint8_t ret[34U]) { - uint8_t out[34U] = {0U}; - uint8_t *uu____0 = out; - Eurydice_slice_copy( - Eurydice_array_to_subslice2(uu____0, (size_t)0U, - Eurydice_slice_len(slice, uint8_t), uint8_t), - slice, uint8_t); - uint16_t domain_separator = - libcrux_ml_dsa_sample_generate_domain_separator(indices); - out[32U] = (uint8_t)domain_separator; - out[33U] = (uint8_t)((uint32_t)domain_separator >> 8U); - memcpy(ret, out, (size_t)34U * sizeof(uint8_t)); +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_use_hint_e9( + int32_t gamma2, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *hint) { + libcrux_ml_dsa_simd_portable_arithmetic_use_hint(gamma2, simd_unit, hint); } -typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { - Eurydice_slice context; - Option_30 pre_hash_oid; -} libcrux_ml_dsa_pre_hash_DomainSeparationContext; - -#define libcrux_ml_dsa_pre_hash_DomainSeparationError_ContextTooLongError 0 - -typedef uint8_t libcrux_ml_dsa_pre_hash_DomainSeparationError; - -/** -A monomorphic instance of core.result.Result -with types libcrux_ml_dsa_pre_hash_DomainSeparationContext, -libcrux_ml_dsa_pre_hash_DomainSeparationError - -*/ -typedef struct Result_a8_s { - Result_a9_tags tag; - union { - libcrux_ml_dsa_pre_hash_DomainSeparationContext case_Ok; - libcrux_ml_dsa_pre_hash_DomainSeparationError case_Err; - } val; -} Result_a8; - -/** - `context` must be at most 255 bytes long. -*/ -/** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} -*/ -static inline Result_a8 libcrux_ml_dsa_pre_hash_new_45(Eurydice_slice context, - Option_30 pre_hash_oid) { - if (!(Eurydice_slice_len(context, uint8_t) > - LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN)) { - return (CLITERAL(Result_a8){ - .tag = Ok, - .val = { - .case_Ok = {.context = context, .pre_hash_oid = pre_hash_oid}}}); - } - return (CLITERAL(Result_a8){ - .tag = Err, - .val = { - .case_Err = - libcrux_ml_dsa_pre_hash_DomainSeparationError_ContextTooLongError}}); -} - -/** - Returns the pre-hash OID, if any. -*/ -/** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} -*/ -static inline Option_30 *libcrux_ml_dsa_pre_hash_pre_hash_oid_45( - libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { - return &self->pre_hash_oid; -} - -/** - Returns the context, guaranteed to be at most 255 bytes long. -*/ -/** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} -*/ -static inline Eurydice_slice libcrux_ml_dsa_pre_hash_context_45( - libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { - return self->context; -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_sample_update_seed( - uint8_t seed[66U], uint16_t *domain_separator, uint8_t ret[66U]) { - seed[64U] = (uint8_t)domain_separator[0U]; - seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U); - domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; - memcpy(ret, seed, (size_t)66U * sizeof(uint8_t)); -} - -static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_inside_out_shuffle( - Eurydice_slice randomness, size_t *out_index, uint64_t *signs, - int32_t *result) { - bool done = false; - for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); - i++) { - size_t _cloop_j = i; - uint8_t *byte = - &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); - if (!done) { - size_t sample_at = (size_t)byte[0U]; - if (sample_at <= out_index[0U]) { - result[out_index[0U]] = result[sample_at]; - out_index[0U] = out_index[0U] + (size_t)1U; - result[sample_at] = - (int32_t)1 - (int32_t)2 * (int32_t)(signs[0U] & 1ULL); - signs[0U] = signs[0U] >> 1U; - size_t uu____0 = out_index[0U]; - done = uu____0 == Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)256U, result, int32_t), - int32_t); - } else { - size_t uu____1 = out_index[0U]; - done = uu____1 == Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)256U, result, int32_t), - int32_t); - } - } - } - return done; -} - -#define LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS ((int32_t)8380417) - -#define LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R \ - (58728449ULL) - -#define LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT ((size_t)8U) - -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (32U) - -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_arithmetic_add( - int32_t *lhs, int32_t *rhs) { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice((size_t)8U, lhs, int32_t), - int32_t); - i++) { - size_t i0 = i; - size_t uu____0 = i0; - lhs[uu____0] = lhs[uu____0] + rhs[i0]; - } -} +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (32U) static KRML_MUSTINLINE uint64_t libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits( @@ -1044,16 +1087,6 @@ libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits( return value & ((1ULL << (uint32_t)n) - 1ULL); } -static KRML_MUSTINLINE bool -libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds( - int32_t *simd_unit, int32_t bound) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes " - "core::ops::bit::{core::ops::bit::Shr for i32}#1175::Output\")\n"); - KRML_HOST_EXIT(255U); -} - static KRML_MUSTINLINE int32_t libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( int64_t value) { @@ -1079,44 +1112,36 @@ libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( } static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply(int32_t *lhs, - int32_t *rhs) { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice((size_t)8U, lhs, int32_t), - int32_t); - i++) { - size_t i0 = i; - lhs[i0] = libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( - (int64_t)lhs[i0] * (int64_t)rhs[i0]); - } -} - -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - int32_t *simd_unit, int32_t c) { +libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *lhs, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *rhs) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), int32_t); + Eurydice_array_to_slice((size_t)8U, lhs->values, int32_t), int32_t); i++) { size_t i0 = i; - simd_unit[i0] = + lhs->values[i0] = libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( - (int64_t)simd_unit[i0] * (int64_t)c); + (int64_t)lhs->values[i0] * (int64_t)rhs->values[i0]); } } -static KRML_MUSTINLINE int32_t -libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - int32_t fe, int32_t fer) { - return libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( - (int64_t)fe * (int64_t)fer); +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_montgomery_multiply_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *lhs, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *rhs) { + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply(lhs, rhs); } -typedef struct int32_t_x2_s { - int32_t fst; - int32_t snd; -} int32_t_x2; +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_arithmetic_reduce_element(int32_t fe) { + int32_t quotient = (fe + ((int32_t)1 << 22U)) >> 23U; + return fe - quotient * LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS; +} static KRML_MUSTINLINE int32_t_x2 libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(int32_t t) { @@ -1133,228 +1158,286 @@ libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(int32_t t) { } static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_arithmetic_power2round( - int32_t *t0, int32_t *t1) { + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *t0, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *t1) { for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice((size_t)8U, t0, int32_t), - int32_t); + i < + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, t0->values, int32_t), int32_t); i++) { size_t i0 = i; int32_t_x2 uu____0 = - libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(t0[i0]); + libcrux_ml_dsa_simd_portable_arithmetic_power2round_element( + t0->values[i0]); int32_t lhs0 = uu____0.fst; int32_t lhs = uu____0.snd; - t0[i0] = lhs0; - t1[i0] = lhs; + t0->values[i0] = lhs0; + t1->values[i0] = lhs; } } -static KRML_MUSTINLINE int32_t -libcrux_ml_dsa_simd_portable_arithmetic_reduce_element(int32_t fe) { - int32_t quotient = (fe + ((int32_t)1 << 22U)) >> 23U; - return fe - quotient * LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS; +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_power2round_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *t0, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *t1) { + libcrux_ml_dsa_simd_portable_arithmetic_power2round(t0, t1); } -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_arithmetic_subtract( - int32_t *lhs, int32_t *rhs) { +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_field_modulus( + Eurydice_slice randomness, Eurydice_slice out) { + size_t sampled = (size_t)0U; for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice((size_t)8U, lhs, int32_t), - int32_t); - i++) { - size_t i0 = i; - size_t uu____0 = i0; - lhs[uu____0] = lhs[uu____0] - rhs[i0]; - } -} - -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_commitment_serialize( - int32_t *simd_unit, Eurydice_slice serialized) { - switch ((uint8_t)Eurydice_slice_len(serialized, uint8_t)) { - case 4U: { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), - int32_t) / - (size_t)2U; - i++) { - size_t i0 = i; - Eurydice_slice coefficients = Eurydice_array_to_subslice2( - simd_unit, i0 * (size_t)2U, i0 * (size_t)2U + (size_t)2U, int32_t); - uint8_t coefficient0 = (uint8_t)Eurydice_slice_index( - coefficients, (size_t)0U, int32_t, int32_t *); - uint8_t coefficient1 = (uint8_t)Eurydice_slice_index( - coefficients, (size_t)1U, int32_t, int32_t *); - Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *) = - (uint32_t)coefficient1 << 4U | (uint32_t)coefficient0; - } - break; - } - case 6U: { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), - int32_t) / - (size_t)4U; - i++) { - size_t i0 = i; - Eurydice_slice coefficients = Eurydice_array_to_subslice2( - simd_unit, i0 * (size_t)4U, i0 * (size_t)4U + (size_t)4U, int32_t); - uint8_t coefficient0 = (uint8_t)Eurydice_slice_index( - coefficients, (size_t)0U, int32_t, int32_t *); - uint8_t coefficient1 = (uint8_t)Eurydice_slice_index( - coefficients, (size_t)1U, int32_t, int32_t *); - uint8_t coefficient2 = (uint8_t)Eurydice_slice_index( - coefficients, (size_t)2U, int32_t, int32_t *); - uint8_t coefficient3 = (uint8_t)Eurydice_slice_index( - coefficients, (size_t)3U, int32_t, int32_t *); - Eurydice_slice_index(serialized, (size_t)3U * i0, uint8_t, uint8_t *) = - (uint32_t)coefficient1 << 6U | (uint32_t)coefficient0; - Eurydice_slice_index(serialized, (size_t)3U * i0 + (size_t)1U, uint8_t, - uint8_t *) = - (uint32_t)coefficient2 << 4U | (uint32_t)coefficient1 >> 2U; - Eurydice_slice_index(serialized, (size_t)3U * i0 + (size_t)2U, uint8_t, - uint8_t *) = - (uint32_t)coefficient3 << 2U | (uint32_t)coefficient2 >> 4U; - } - break; - } - default: { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "panic!"); - KRML_HOST_EXIT(255U); + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i++) { + size_t _cloop_i = i; + Eurydice_slice bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)3U, + _cloop_i * (size_t)3U + (size_t)3U, uint8_t); + int32_t b0 = + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + int32_t b1 = + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); + int32_t b2 = + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); + int32_t coefficient = ((b2 << 16U | b1 << 8U) | b0) & (int32_t)8388607; + if (coefficient < LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS) { + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = coefficient; + sampled++; } } + return sampled; } -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA \ - ((int32_t)2) +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline size_t +libcrux_ml_dsa_simd_portable_rejection_sample_less_than_field_modulus_e9( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_field_modulus( + randomness, out); +} -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_2( - Eurydice_slice serialized, int32_t *simd_unit) { - int32_t byte0 = - (int32_t)Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *); - int32_t byte1 = - (int32_t)Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *); - int32_t byte2 = - (int32_t)Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *); - simd_unit[0U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - (byte0 & (int32_t)7); - simd_unit[1U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - (byte0 >> 3U & (int32_t)7); - simd_unit[2U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - ((byte0 >> 6U | byte1 << 2U) & (int32_t)7); - simd_unit[3U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - (byte1 >> 1U & (int32_t)7); - simd_unit[4U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - (byte1 >> 4U & (int32_t)7); - simd_unit[5U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - ((byte1 >> 7U | byte2 << 1U) & (int32_t)7); - simd_unit[6U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - (byte2 >> 2U & (int32_t)7); - simd_unit[7U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - - (byte2 >> 5U & (int32_t)7); +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_2( + Eurydice_slice randomness, Eurydice_slice out) { + size_t sampled = (size_t)0U; + for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); + i++) { + size_t _cloop_j = i; + uint8_t *byte = + &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); + uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); + uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); + if (try_0 < 15U) { + int32_t try_00 = (int32_t)try_0; + int32_t try_0_mod_5 = try_00 - (try_00 * (int32_t)26 >> 7U) * (int32_t)5; + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)2 - try_0_mod_5; + sampled++; + } + if (try_1 < 15U) { + int32_t try_10 = (int32_t)try_1; + int32_t try_1_mod_5 = try_10 - (try_10 * (int32_t)26 >> 7U) * (int32_t)5; + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)2 - try_1_mod_5; + sampled++; + } + } + return sampled; } -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA \ - ((int32_t)4) +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline size_t +libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_2_e9( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_2( + randomness, out); +} -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_4( - Eurydice_slice serialized, int32_t *simd_units) { - for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t); +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4( + Eurydice_slice randomness, Eurydice_slice out) { + size_t sampled = (size_t)0U; + for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); i++) { - size_t i0 = i; - uint8_t *byte = &Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *); - uint8_t uu____0 = Eurydice_bitand_pv_u8(byte, 15U); - simd_units[(size_t)2U * i0] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA - - (int32_t)uu____0; - uint8_t uu____1 = Eurydice_shr_pv_u8(byte, (int32_t)4); - simd_units[(size_t)2U * i0 + (size_t)1U] = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA - - (int32_t)uu____1; + size_t _cloop_j = i; + uint8_t *byte = + &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); + uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); + uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); + if (try_0 < 9U) { + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)4 - (int32_t)try_0; + sampled++; + } + if (try_1 < 9U) { + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)4 - (int32_t)try_1; + sampled++; + } } + return sampled; } -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \ - ((int32_t)2) +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline size_t +libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_e9( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4( + randomness, out); +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + ((int32_t)1 << 17U) static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_2( - int32_t *simd_unit, Eurydice_slice serialized) { - uint8_t coefficient0 = - (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit[0U]); - uint8_t coefficient1 = - (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit[1U]); - uint8_t coefficient2 = - (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit[2U]); - uint8_t coefficient3 = - (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit[3U]); - uint8_t coefficient4 = - (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit[4U]); - uint8_t coefficient5 = - (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit[5U]); - uint8_t coefficient6 = - (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit[6U]); - uint8_t coefficient7 = - (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - - simd_unit[7U]); - Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *) = - ((uint32_t)coefficient2 << 6U | (uint32_t)coefficient1 << 3U) | - (uint32_t)coefficient0; - Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *) = - (((uint32_t)coefficient5 << 7U | (uint32_t)coefficient4 << 4U) | - (uint32_t)coefficient3 << 1U) | - (uint32_t)coefficient2 >> 2U; - Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *) = - ((uint32_t)coefficient7 << 5U | (uint32_t)coefficient6 << 2U) | - (uint32_t)coefficient5 >> 1U; +libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_17( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice serialized) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit->values, int32_t), + int32_t) / + (size_t)4U; + i++) { + size_t i0 = i; + Eurydice_slice coefficients = + Eurydice_array_to_subslice2(simd_unit->values, i0 * (size_t)4U, + i0 * (size_t)4U + (size_t)4U, int32_t); + int32_t coefficient0 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *); + int32_t coefficient1 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *); + int32_t coefficient2 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)2U, int32_t, int32_t *); + int32_t coefficient3 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)3U, int32_t, int32_t *); + Eurydice_slice_index(serialized, (size_t)9U * i0, uint8_t, uint8_t *) = + (uint8_t)coefficient0; + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)1U, uint8_t, + uint8_t *) = (uint8_t)(coefficient0 >> 8U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)2U, uint8_t, + uint8_t *) = (uint8_t)(coefficient0 >> 16U); + size_t uu____0 = (size_t)9U * i0 + (size_t)2U; + Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t, + uint8_t *) | + (uint32_t)(uint8_t)(coefficient1 << 2U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)3U, uint8_t, + uint8_t *) = (uint8_t)(coefficient1 >> 6U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)4U, uint8_t, + uint8_t *) = (uint8_t)(coefficient1 >> 14U); + size_t uu____1 = (size_t)9U * i0 + (size_t)4U; + Eurydice_slice_index(serialized, uu____1, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____1, uint8_t, + uint8_t *) | + (uint32_t)(uint8_t)(coefficient2 << 4U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)5U, uint8_t, + uint8_t *) = (uint8_t)(coefficient2 >> 4U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)6U, uint8_t, + uint8_t *) = (uint8_t)(coefficient2 >> 12U); + size_t uu____2 = (size_t)9U * i0 + (size_t)6U; + Eurydice_slice_index(serialized, uu____2, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____2, uint8_t, + uint8_t *) | + (uint32_t)(uint8_t)(coefficient3 << 6U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)7U, uint8_t, + uint8_t *) = (uint8_t)(coefficient3 >> 2U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)8U, uint8_t, + uint8_t *) = (uint8_t)(coefficient3 >> 10U); + } } -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \ - ((int32_t)4) +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + ((int32_t)1 << 19U) static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_4( - int32_t *simd_unit, Eurydice_slice serialized) { +libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice serialized) { for (size_t i = (size_t)0U; - i < - Eurydice_slice_len( - Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), int32_t) / - (size_t)2U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit->values, int32_t), + int32_t) / + (size_t)2U; i++) { size_t i0 = i; - Eurydice_slice coefficients = Eurydice_array_to_subslice2( - simd_unit, i0 * (size_t)2U, i0 * (size_t)2U + (size_t)2U, int32_t); - uint8_t coefficient0 = - (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA - - Eurydice_slice_index(coefficients, (size_t)0U, int32_t, - int32_t *)); - uint8_t coefficient1 = - (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA - - Eurydice_slice_index(coefficients, (size_t)1U, int32_t, - int32_t *)); - Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *) = - (uint32_t)coefficient1 << 4U | (uint32_t)coefficient0; + Eurydice_slice coefficients = + Eurydice_array_to_subslice2(simd_unit->values, i0 * (size_t)2U, + i0 * (size_t)2U + (size_t)2U, int32_t); + int32_t coefficient0 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *); + int32_t coefficient1 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *); + Eurydice_slice_index(serialized, (size_t)5U * i0, uint8_t, uint8_t *) = + (uint8_t)coefficient0; + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)1U, uint8_t, + uint8_t *) = (uint8_t)(coefficient0 >> 8U); + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)2U, uint8_t, + uint8_t *) = (uint8_t)(coefficient0 >> 16U); + size_t uu____0 = (size_t)5U * i0 + (size_t)2U; + Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t, + uint8_t *) | + (uint32_t)(uint8_t)(coefficient1 << 4U); + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)3U, uint8_t, + uint8_t *) = (uint8_t)(coefficient1 >> 4U); + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)4U, uint8_t, + uint8_t *) = (uint8_t)(coefficient1 >> 12U); + } +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice serialized, size_t gamma1_exponent) { + switch ((uint8_t)gamma1_exponent) { + case 17U: { + libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_17( + simd_unit, serialized); + break; + } + case 19U: { + libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( + simd_unit, serialized); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } } } +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_gamma1_serialize_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice serialized, size_t gamma1_exponent) { + libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize(simd_unit, serialized, + gamma1_exponent); +} + #define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ ((int32_t)1 << 17U) @@ -1365,7 +1448,8 @@ libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_4( static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( - Eurydice_slice serialized, int32_t *simd_unit) { + Eurydice_slice serialized, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)9U; i++) { size_t i0 = i; @@ -1426,16 +1510,16 @@ libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17 coefficient3 = coefficient3 & LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; - simd_unit[(size_t)4U * i0] = + simd_unit->values[(size_t)4U * i0] = LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - coefficient0; - simd_unit[(size_t)4U * i0 + (size_t)1U] = + simd_unit->values[(size_t)4U * i0 + (size_t)1U] = LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - coefficient1; - simd_unit[(size_t)4U * i0 + (size_t)2U] = + simd_unit->values[(size_t)4U * i0 + (size_t)2U] = LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - coefficient2; - simd_unit[(size_t)4U * i0 + (size_t)3U] = + simd_unit->values[(size_t)4U * i0 + (size_t)3U] = LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - coefficient3; } @@ -1451,7 +1535,8 @@ libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17 static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( - Eurydice_slice serialized, int32_t *simd_unit) { + Eurydice_slice serialized, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)5U; i++) { size_t i0 = i; @@ -1481,247 +1566,345 @@ libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19 coefficient1 | (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) << 12U; - simd_unit[(size_t)2U * i0] = + simd_unit->values[(size_t)2U * i0] = LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - coefficient0; - simd_unit[(size_t)2U * i0 + (size_t)1U] = + simd_unit->values[(size_t)2U * i0 + (size_t)1U] = LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - coefficient1; } } -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ - ((int32_t)1 << 17U) +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize( + Eurydice_slice serialized, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *out, + size_t gamma1_exponent) { + switch ((uint8_t)gamma1_exponent) { + case 17U: { + libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( + serialized, out); + break; + } + case 19U: { + libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( + serialized, out); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_gamma1_deserialize_e9( + Eurydice_slice serialized, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *out, + size_t gamma1_exponent) { + libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize(serialized, out, + gamma1_exponent); +} static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_17( - int32_t *simd_unit, Eurydice_slice serialized) { - for (size_t i = (size_t)0U; - i < - Eurydice_slice_len( - Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), int32_t) / - (size_t)4U; - i++) { - size_t i0 = i; - Eurydice_slice coefficients = Eurydice_array_to_subslice2( - simd_unit, i0 * (size_t)4U, i0 * (size_t)4U + (size_t)4U, int32_t); - int32_t coefficient0 = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - - Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *); - int32_t coefficient1 = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - - Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *); - int32_t coefficient2 = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - - Eurydice_slice_index(coefficients, (size_t)2U, int32_t, int32_t *); - int32_t coefficient3 = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - - Eurydice_slice_index(coefficients, (size_t)3U, int32_t, int32_t *); - Eurydice_slice_index(serialized, (size_t)9U * i0, uint8_t, uint8_t *) = - (uint8_t)coefficient0; - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)1U, uint8_t, - uint8_t *) = (uint8_t)(coefficient0 >> 8U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)2U, uint8_t, - uint8_t *) = (uint8_t)(coefficient0 >> 16U); - size_t uu____0 = (size_t)9U * i0 + (size_t)2U; - Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) = - (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t, - uint8_t *) | - (uint32_t)(uint8_t)(coefficient1 << 2U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)3U, uint8_t, - uint8_t *) = (uint8_t)(coefficient1 >> 6U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)4U, uint8_t, - uint8_t *) = (uint8_t)(coefficient1 >> 14U); - size_t uu____1 = (size_t)9U * i0 + (size_t)4U; - Eurydice_slice_index(serialized, uu____1, uint8_t, uint8_t *) = - (uint32_t)Eurydice_slice_index(serialized, uu____1, uint8_t, - uint8_t *) | - (uint32_t)(uint8_t)(coefficient2 << 4U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)5U, uint8_t, - uint8_t *) = (uint8_t)(coefficient2 >> 4U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)6U, uint8_t, - uint8_t *) = (uint8_t)(coefficient2 >> 12U); - size_t uu____2 = (size_t)9U * i0 + (size_t)6U; - Eurydice_slice_index(serialized, uu____2, uint8_t, uint8_t *) = - (uint32_t)Eurydice_slice_index(serialized, uu____2, uint8_t, - uint8_t *) | - (uint32_t)(uint8_t)(coefficient3 << 6U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)7U, uint8_t, - uint8_t *) = (uint8_t)(coefficient3 >> 2U); - Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)8U, uint8_t, - uint8_t *) = (uint8_t)(coefficient3 >> 10U); +libcrux_ml_dsa_simd_portable_encoding_commitment_serialize( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice serialized) { + switch ((uint8_t)Eurydice_slice_len(serialized, uint8_t)) { + case 4U: { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, simd_unit->values, int32_t), + int32_t) / + (size_t)2U; + i++) { + size_t i0 = i; + Eurydice_slice coefficients = + Eurydice_array_to_subslice2(simd_unit->values, i0 * (size_t)2U, + i0 * (size_t)2U + (size_t)2U, int32_t); + uint8_t coefficient0 = (uint8_t)Eurydice_slice_index( + coefficients, (size_t)0U, int32_t, int32_t *); + uint8_t coefficient1 = (uint8_t)Eurydice_slice_index( + coefficients, (size_t)1U, int32_t, int32_t *); + Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *) = + (uint32_t)coefficient1 << 4U | (uint32_t)coefficient0; + } + break; + } + case 6U: { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, simd_unit->values, int32_t), + int32_t) / + (size_t)4U; + i++) { + size_t i0 = i; + Eurydice_slice coefficients = + Eurydice_array_to_subslice2(simd_unit->values, i0 * (size_t)4U, + i0 * (size_t)4U + (size_t)4U, int32_t); + uint8_t coefficient0 = (uint8_t)Eurydice_slice_index( + coefficients, (size_t)0U, int32_t, int32_t *); + uint8_t coefficient1 = (uint8_t)Eurydice_slice_index( + coefficients, (size_t)1U, int32_t, int32_t *); + uint8_t coefficient2 = (uint8_t)Eurydice_slice_index( + coefficients, (size_t)2U, int32_t, int32_t *); + uint8_t coefficient3 = (uint8_t)Eurydice_slice_index( + coefficients, (size_t)3U, int32_t, int32_t *); + Eurydice_slice_index(serialized, (size_t)3U * i0, uint8_t, uint8_t *) = + (uint32_t)coefficient1 << 6U | (uint32_t)coefficient0; + Eurydice_slice_index(serialized, (size_t)3U * i0 + (size_t)1U, uint8_t, + uint8_t *) = + (uint32_t)coefficient2 << 4U | (uint32_t)coefficient1 >> 2U; + Eurydice_slice_index(serialized, (size_t)3U * i0 + (size_t)2U, uint8_t, + uint8_t *) = + (uint32_t)coefficient3 << 2U | (uint32_t)coefficient2 >> 4U; + } + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } } } -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ - ((int32_t)1 << 19U) +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_commitment_serialize_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice serialized) { + libcrux_ml_dsa_simd_portable_encoding_commitment_serialize(simd_unit, + serialized); +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \ + ((int32_t)4) static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( - int32_t *simd_unit, Eurydice_slice serialized) { +libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_4( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice serialized) { for (size_t i = (size_t)0U; - i < - Eurydice_slice_len( - Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), int32_t) / - (size_t)2U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit->values, int32_t), + int32_t) / + (size_t)2U; i++) { size_t i0 = i; - Eurydice_slice coefficients = Eurydice_array_to_subslice2( - simd_unit, i0 * (size_t)2U, i0 * (size_t)2U + (size_t)2U, int32_t); - int32_t coefficient0 = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - - Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *); - int32_t coefficient1 = - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - - Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *); - Eurydice_slice_index(serialized, (size_t)5U * i0, uint8_t, uint8_t *) = - (uint8_t)coefficient0; - Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)1U, uint8_t, - uint8_t *) = (uint8_t)(coefficient0 >> 8U); - Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)2U, uint8_t, - uint8_t *) = (uint8_t)(coefficient0 >> 16U); - size_t uu____0 = (size_t)5U * i0 + (size_t)2U; - Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) = - (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t, - uint8_t *) | - (uint32_t)(uint8_t)(coefficient1 << 4U); - Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)3U, uint8_t, - uint8_t *) = (uint8_t)(coefficient1 >> 4U); - Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)4U, uint8_t, - uint8_t *) = (uint8_t)(coefficient1 >> 12U); + Eurydice_slice coefficients = + Eurydice_array_to_subslice2(simd_unit->values, i0 * (size_t)2U, + i0 * (size_t)2U + (size_t)2U, int32_t); + uint8_t coefficient0 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA - + Eurydice_slice_index(coefficients, (size_t)0U, int32_t, + int32_t *)); + uint8_t coefficient1 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA - + Eurydice_slice_index(coefficients, (size_t)1U, int32_t, + int32_t *)); + Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *) = + (uint32_t)coefficient1 << 4U | (uint32_t)coefficient0; } } -static KRML_MUSTINLINE int32_t -libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(int32_t t0) { - return ((int32_t)1 - << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - - (size_t)1U)) - - t0; +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \ + ((int32_t)2) + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_2( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice serialized) { + uint8_t coefficient0 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit->values[0U]); + uint8_t coefficient1 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit->values[1U]); + uint8_t coefficient2 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit->values[2U]); + uint8_t coefficient3 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit->values[3U]); + uint8_t coefficient4 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit->values[4U]); + uint8_t coefficient5 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit->values[5U]); + uint8_t coefficient6 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit->values[6U]); + uint8_t coefficient7 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit->values[7U]); + Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *) = + ((uint32_t)coefficient2 << 6U | (uint32_t)coefficient1 << 3U) | + (uint32_t)coefficient0; + Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *) = + (((uint32_t)coefficient5 << 7U | (uint32_t)coefficient4 << 4U) | + (uint32_t)coefficient3 << 1U) | + (uint32_t)coefficient2 >> 2U; + Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *) = + ((uint32_t)coefficient7 << 5U | (uint32_t)coefficient6 << 2U) | + (uint32_t)coefficient5 >> 1U; } -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK \ - (((int32_t)1 << (uint32_t)(int32_t) \ - LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T) - \ - (int32_t)1) +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_error_serialize( + libcrux_ml_dsa_constants_Eta eta, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice serialized) { + void *uu____0 = (void *)0U; + if (!(eta == libcrux_ml_dsa_constants_Eta_Two)) { + libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_4( + simd_unit, serialized); + return; + } + libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_2( + simd_unit, serialized); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_error_serialize_e9( + libcrux_ml_dsa_constants_Eta eta, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice serialized) { + libcrux_ml_dsa_simd_portable_encoding_error_serialize(eta, simd_unit, + serialized); +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA \ + ((int32_t)4) + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_4( + Eurydice_slice serialized, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_units) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t); + i++) { + size_t i0 = i; + uint8_t *byte = &Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *); + uint8_t uu____0 = Eurydice_bitand_pv_u8(byte, 15U); + simd_units->values[(size_t)2U * i0] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA - + (int32_t)uu____0; + uint8_t uu____1 = Eurydice_shr_pv_u8(byte, (int32_t)4); + simd_units->values[(size_t)2U * i0 + (size_t)1U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA - + (int32_t)uu____1; + } +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA \ + ((int32_t)2) static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_t0_deserialize(Eurydice_slice serialized, - int32_t *simd_unit) { +libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_2( + Eurydice_slice serialized, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit) { int32_t byte0 = (int32_t)Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *); int32_t byte1 = (int32_t)Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *); int32_t byte2 = (int32_t)Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *); - int32_t byte3 = - (int32_t)Eurydice_slice_index(serialized, (size_t)3U, uint8_t, uint8_t *); - int32_t byte4 = - (int32_t)Eurydice_slice_index(serialized, (size_t)4U, uint8_t, uint8_t *); - int32_t byte5 = - (int32_t)Eurydice_slice_index(serialized, (size_t)5U, uint8_t, uint8_t *); - int32_t byte6 = - (int32_t)Eurydice_slice_index(serialized, (size_t)6U, uint8_t, uint8_t *); - int32_t byte7 = - (int32_t)Eurydice_slice_index(serialized, (size_t)7U, uint8_t, uint8_t *); - int32_t byte8 = - (int32_t)Eurydice_slice_index(serialized, (size_t)8U, uint8_t, uint8_t *); - int32_t byte9 = - (int32_t)Eurydice_slice_index(serialized, (size_t)9U, uint8_t, uint8_t *); - int32_t byte10 = (int32_t)Eurydice_slice_index(serialized, (size_t)10U, - uint8_t, uint8_t *); - int32_t byte11 = (int32_t)Eurydice_slice_index(serialized, (size_t)11U, - uint8_t, uint8_t *); - int32_t byte12 = (int32_t)Eurydice_slice_index(serialized, (size_t)12U, - uint8_t, uint8_t *); - int32_t coefficient0 = byte0; - coefficient0 = coefficient0 | byte1 << 8U; - coefficient0 = - coefficient0 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; - int32_t coefficient1 = byte1 >> 5U; - coefficient1 = coefficient1 | byte2 << 3U; - coefficient1 = coefficient1 | byte3 << 11U; - coefficient1 = - coefficient1 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; - int32_t coefficient2 = byte3 >> 2U; - coefficient2 = coefficient2 | byte4 << 6U; - coefficient2 = - coefficient2 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; - int32_t coefficient3 = byte4 >> 7U; - coefficient3 = coefficient3 | byte5 << 1U; - coefficient3 = coefficient3 | byte6 << 9U; - coefficient3 = - coefficient3 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; - int32_t coefficient4 = byte6 >> 4U; - coefficient4 = coefficient4 | byte7 << 4U; - coefficient4 = coefficient4 | byte8 << 12U; - coefficient4 = - coefficient4 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; - int32_t coefficient5 = byte8 >> 1U; - coefficient5 = coefficient5 | byte9 << 7U; - coefficient5 = - coefficient5 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; - int32_t coefficient6 = byte9 >> 6U; - coefficient6 = coefficient6 | byte10 << 2U; - coefficient6 = coefficient6 | byte11 << 10U; - coefficient6 = - coefficient6 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; - int32_t coefficient7 = byte11 >> 3U; - coefficient7 = coefficient7 | byte12 << 5U; - coefficient7 = - coefficient7 & - LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; - simd_unit[0U] = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient0); - simd_unit[1U] = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient1); - simd_unit[2U] = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient2); - simd_unit[3U] = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient3); - simd_unit[4U] = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient4); - simd_unit[5U] = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient5); - simd_unit[6U] = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient6); - simd_unit[7U] = - libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient7); + simd_unit->values[0U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte0 & (int32_t)7); + simd_unit->values[1U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte0 >> 3U & (int32_t)7); + simd_unit->values[2U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + ((byte0 >> 6U | byte1 << 2U) & (int32_t)7); + simd_unit->values[3U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte1 >> 1U & (int32_t)7); + simd_unit->values[4U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte1 >> 4U & (int32_t)7); + simd_unit->values[5U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + ((byte1 >> 7U | byte2 << 1U) & (int32_t)7); + simd_unit->values[6U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte2 >> 2U & (int32_t)7); + simd_unit->values[7U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte2 >> 5U & (int32_t)7); +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_error_deserialize( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice serialized, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *out) { + void *uu____0 = (void *)0U; + if (!(eta == libcrux_ml_dsa_constants_Eta_Two)) { + libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_4( + serialized, out); + return; + } + libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_2( + serialized, out); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_error_deserialize_e9( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice serialized, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *out) { + libcrux_ml_dsa_simd_portable_encoding_error_deserialize(eta, serialized, out); +} + +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(int32_t t0) { + return ((int32_t)1 + << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - + (size_t)1U)) - + t0; } static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t0_serialize( - int32_t *simd_unit, Eurydice_slice serialized) { + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice serialized) { int32_t coefficient0 = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit[0U]); + simd_unit->values[0U]); int32_t coefficient1 = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit[1U]); + simd_unit->values[1U]); int32_t coefficient2 = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit[2U]); + simd_unit->values[2U]); int32_t coefficient3 = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit[3U]); + simd_unit->values[3U]); int32_t coefficient4 = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit[4U]); + simd_unit->values[4U]); int32_t coefficient5 = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit[5U]); + simd_unit->values[5U]); int32_t coefficient6 = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit[6U]); + simd_unit->values[6U]); int32_t coefficient7 = libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( - simd_unit[7U]); + simd_unit->values[7U]); Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *) = (uint8_t)coefficient0; Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *) = @@ -1778,48 +1961,136 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t0_serialize( (uint8_t)(coefficient7 >> 5U); } +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_t0_serialize_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice out) { + libcrux_ml_dsa_simd_portable_encoding_t0_serialize(simd_unit, out); +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK \ + (((int32_t)1 << (uint32_t)(int32_t) \ + LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T) - \ + (int32_t)1) + static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_encoding_t1_deserialize(Eurydice_slice serialized, - int32_t *simd_unit) { - int32_t mask = ((int32_t)1 << (uint32_t) - LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_UPPER_PART_OF_T) - - (int32_t)1; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(serialized, uint8_t) / (size_t)5U; i++) { - size_t i0 = i; - Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)5U, i0 * (size_t)5U + (size_t)5U, uint8_t); - int32_t byte0 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); - int32_t byte1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); - int32_t byte2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); - int32_t byte3 = - (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *); - int32_t byte4 = - (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *); - simd_unit[(size_t)4U * i0] = (byte0 | byte1 << 8U) & mask; - simd_unit[(size_t)4U * i0 + (size_t)1U] = - (byte1 >> 2U | byte2 << 6U) & mask; - simd_unit[(size_t)4U * i0 + (size_t)2U] = - (byte2 >> 4U | byte3 << 4U) & mask; - simd_unit[(size_t)4U * i0 + (size_t)3U] = - (byte3 >> 6U | byte4 << 2U) & mask; - } +libcrux_ml_dsa_simd_portable_encoding_t0_deserialize( + Eurydice_slice serialized, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit) { + int32_t byte0 = + (int32_t)Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *); + int32_t byte1 = + (int32_t)Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *); + int32_t byte2 = + (int32_t)Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *); + int32_t byte3 = + (int32_t)Eurydice_slice_index(serialized, (size_t)3U, uint8_t, uint8_t *); + int32_t byte4 = + (int32_t)Eurydice_slice_index(serialized, (size_t)4U, uint8_t, uint8_t *); + int32_t byte5 = + (int32_t)Eurydice_slice_index(serialized, (size_t)5U, uint8_t, uint8_t *); + int32_t byte6 = + (int32_t)Eurydice_slice_index(serialized, (size_t)6U, uint8_t, uint8_t *); + int32_t byte7 = + (int32_t)Eurydice_slice_index(serialized, (size_t)7U, uint8_t, uint8_t *); + int32_t byte8 = + (int32_t)Eurydice_slice_index(serialized, (size_t)8U, uint8_t, uint8_t *); + int32_t byte9 = + (int32_t)Eurydice_slice_index(serialized, (size_t)9U, uint8_t, uint8_t *); + int32_t byte10 = (int32_t)Eurydice_slice_index(serialized, (size_t)10U, + uint8_t, uint8_t *); + int32_t byte11 = (int32_t)Eurydice_slice_index(serialized, (size_t)11U, + uint8_t, uint8_t *); + int32_t byte12 = (int32_t)Eurydice_slice_index(serialized, (size_t)12U, + uint8_t, uint8_t *); + int32_t coefficient0 = byte0; + coefficient0 = coefficient0 | byte1 << 8U; + coefficient0 = + coefficient0 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient1 = byte1 >> 5U; + coefficient1 = coefficient1 | byte2 << 3U; + coefficient1 = coefficient1 | byte3 << 11U; + coefficient1 = + coefficient1 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient2 = byte3 >> 2U; + coefficient2 = coefficient2 | byte4 << 6U; + coefficient2 = + coefficient2 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient3 = byte4 >> 7U; + coefficient3 = coefficient3 | byte5 << 1U; + coefficient3 = coefficient3 | byte6 << 9U; + coefficient3 = + coefficient3 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient4 = byte6 >> 4U; + coefficient4 = coefficient4 | byte7 << 4U; + coefficient4 = coefficient4 | byte8 << 12U; + coefficient4 = + coefficient4 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient5 = byte8 >> 1U; + coefficient5 = coefficient5 | byte9 << 7U; + coefficient5 = + coefficient5 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient6 = byte9 >> 6U; + coefficient6 = coefficient6 | byte10 << 2U; + coefficient6 = coefficient6 | byte11 << 10U; + coefficient6 = + coefficient6 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient7 = byte11 >> 3U; + coefficient7 = coefficient7 | byte12 << 5U; + coefficient7 = + coefficient7 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + simd_unit->values[0U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient0); + simd_unit->values[1U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient1); + simd_unit->values[2U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient2); + simd_unit->values[3U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient3); + simd_unit->values[4U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient4); + simd_unit->values[5U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient5); + simd_unit->values[6U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient6); + simd_unit->values[7U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient7); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_t0_deserialize_e9( + Eurydice_slice serialized, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *out) { + libcrux_ml_dsa_simd_portable_encoding_t0_deserialize(serialized, out); } static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t1_serialize( - int32_t *simd_unit, Eurydice_slice serialized) { + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice serialized) { for (size_t i = (size_t)0U; - i < - Eurydice_slice_len( - Eurydice_array_to_slice((size_t)8U, simd_unit, int32_t), int32_t) / - (size_t)4U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit->values, int32_t), + int32_t) / + (size_t)4U; i++) { size_t i0 = i; - Eurydice_slice coefficients = Eurydice_array_to_subslice2( - simd_unit, i0 * (size_t)4U, i0 * (size_t)4U + (size_t)4U, int32_t); + Eurydice_slice coefficients = + Eurydice_array_to_subslice2(simd_unit->values, i0 * (size_t)4U, + i0 * (size_t)4U + (size_t)4U, int32_t); Eurydice_slice_index(serialized, (size_t)5U * i0, uint8_t, uint8_t *) = (uint8_t)(Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *) & @@ -1863,2654 +2134,4180 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t1_serialize( } } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_0( - int32_t *simd_unit, int32_t zeta0, int32_t zeta1, int32_t zeta2, - int32_t zeta3) { - int32_t a_minus_b = simd_unit[1U] - simd_unit[0U]; - simd_unit[0U] = simd_unit[0U] + simd_unit[1U]; - simd_unit[1U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b, zeta0); - int32_t a_minus_b0 = simd_unit[3U] - simd_unit[2U]; - simd_unit[2U] = simd_unit[2U] + simd_unit[3U]; - simd_unit[3U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b0, zeta1); - int32_t a_minus_b1 = simd_unit[5U] - simd_unit[4U]; - simd_unit[4U] = simd_unit[4U] + simd_unit[5U]; - simd_unit[5U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b1, zeta2); - int32_t a_minus_b2 = simd_unit[7U] - simd_unit[6U]; - simd_unit[6U] = simd_unit[6U] + simd_unit[7U]; - simd_unit[7U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b2, zeta3); +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_t1_serialize_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + Eurydice_slice out) { + libcrux_ml_dsa_simd_portable_encoding_t1_serialize(simd_unit, out); } static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - int32_t (*re)[8U], size_t index, int32_t zeta0, int32_t zeta1, - int32_t zeta2, int32_t zeta3) { - libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_0( - re[index], zeta0, zeta1, zeta2, zeta3); +libcrux_ml_dsa_simd_portable_encoding_t1_deserialize( + Eurydice_slice serialized, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit) { + int32_t mask = ((int32_t)1 << (uint32_t) + LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_UPPER_PART_OF_T) - + (int32_t)1; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)5U; i++) { + size_t i0 = i; + Eurydice_slice bytes = Eurydice_slice_subslice2( + serialized, i0 * (size_t)5U, i0 * (size_t)5U + (size_t)5U, uint8_t); + int32_t byte0 = + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + int32_t byte1 = + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); + int32_t byte2 = + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); + int32_t byte3 = + (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *); + int32_t byte4 = + (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *); + simd_unit->values[(size_t)4U * i0] = (byte0 | byte1 << 8U) & mask; + simd_unit->values[(size_t)4U * i0 + (size_t)1U] = + (byte1 >> 2U | byte2 << 6U) & mask; + simd_unit->values[(size_t)4U * i0 + (size_t)2U] = + (byte2 >> 4U | byte3 << 4U) & mask; + simd_unit->values[(size_t)4U * i0 + (size_t)3U] = + (byte3 >> 6U | byte4 << 2U) & mask; + } +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_t1_deserialize_e9( + Eurydice_slice serialized, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *out) { + libcrux_ml_dsa_simd_portable_encoding_t1_deserialize(serialized, out); } static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0(int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)0U, (int32_t)1976782, (int32_t)-846154, (int32_t)1400424, - (int32_t)3937738); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)1U, (int32_t)-1362209, (int32_t)-48306, (int32_t)3919660, - (int32_t)-554416); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)2U, (int32_t)-3545687, (int32_t)1612842, (int32_t)-976891, - (int32_t)183443); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)3U, (int32_t)-2286327, (int32_t)-420899, (int32_t)-2235985, - (int32_t)-2939036); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)4U, (int32_t)-3833893, (int32_t)-260646, (int32_t)-1104333, - (int32_t)-1667432); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)5U, (int32_t)1910376, (int32_t)-1803090, (int32_t)1723600, - (int32_t)-426683); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)6U, (int32_t)472078, (int32_t)1717735, (int32_t)-975884, - (int32_t)2213111); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)7U, (int32_t)269760, (int32_t)3866901, (int32_t)3523897, - (int32_t)-3038916); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)8U, (int32_t)-1799107, (int32_t)-3694233, (int32_t)1652634, - (int32_t)810149); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)9U, (int32_t)3014001, (int32_t)1616392, (int32_t)162844, - (int32_t)-3183426); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)10U, (int32_t)-1207385, (int32_t)185531, (int32_t)3369112, - (int32_t)1957272); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)11U, (int32_t)-164721, (int32_t)2454455, (int32_t)2432395, - (int32_t)-2013608); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)12U, (int32_t)-3776993, (int32_t)594136, (int32_t)-3724270, - (int32_t)-2584293); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)13U, (int32_t)-1846953, (int32_t)-1671176, (int32_t)-2831860, - (int32_t)-542412); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)14U, (int32_t)3406031, (int32_t)2235880, (int32_t)777191, - (int32_t)1500165); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)15U, (int32_t)-1374803, (int32_t)-2546312, (int32_t)1917081, - (int32_t)-1279661); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)16U, (int32_t)-1962642, (int32_t)3306115, (int32_t)1312455, - (int32_t)-451100); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)17U, (int32_t)-1430225, (int32_t)-3318210, (int32_t)1237275, - (int32_t)-1333058); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)18U, (int32_t)-1050970, (int32_t)1903435, (int32_t)1869119, - (int32_t)-2994039); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)19U, (int32_t)-3548272, (int32_t)2635921, (int32_t)1250494, - (int32_t)-3767016); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)20U, (int32_t)1595974, (int32_t)2486353, (int32_t)1247620, - (int32_t)4055324); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)21U, (int32_t)1265009, (int32_t)-2590150, (int32_t)2691481, - (int32_t)2842341); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)22U, (int32_t)203044, (int32_t)1735879, (int32_t)-3342277, - (int32_t)3437287); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)23U, (int32_t)4108315, (int32_t)-2437823, (int32_t)286988, - (int32_t)342297); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)24U, (int32_t)-3595838, (int32_t)-768622, (int32_t)-525098, - (int32_t)-3556995); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)25U, (int32_t)3207046, (int32_t)2031748, (int32_t)-3122442, - (int32_t)-655327); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)26U, (int32_t)-522500, (int32_t)-43260, (int32_t)-1613174, - (int32_t)495491); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)27U, (int32_t)819034, (int32_t)909542, (int32_t)1859098, - (int32_t)900702); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)28U, (int32_t)-3193378, (int32_t)-1197226, (int32_t)-3759364, - (int32_t)-3520352); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)29U, (int32_t)3513181, (int32_t)-1235728, (int32_t)2434439, - (int32_t)266997); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)30U, (int32_t)-3562462, (int32_t)-2446433, (int32_t)2244091, - (int32_t)-3342478); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( - re, (size_t)31U, (int32_t)3817976, (int32_t)2316500, (int32_t)3407706, - (int32_t)2091667); +libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + int32_t c) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit->values, int32_t), + int32_t); + i++) { + size_t i0 = i; + simd_unit->values[i0] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( + (int64_t)simd_unit->values[i0] * (int64_t)c); + } } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_1( - int32_t *simd_unit, int32_t zeta0, int32_t zeta1) { - int32_t a_minus_b = simd_unit[2U] - simd_unit[0U]; - simd_unit[0U] = simd_unit[0U] + simd_unit[2U]; - simd_unit[2U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b, zeta0); - int32_t a_minus_b0 = simd_unit[3U] - simd_unit[1U]; - simd_unit[1U] = simd_unit[1U] + simd_unit[3U]; - simd_unit[3U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b0, zeta0); - int32_t a_minus_b1 = simd_unit[6U] - simd_unit[4U]; - simd_unit[4U] = simd_unit[4U] + simd_unit[6U]; - simd_unit[6U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b1, zeta1); - int32_t a_minus_b2 = simd_unit[7U] - simd_unit[5U]; - simd_unit[5U] = simd_unit[5U] + simd_unit[7U]; - simd_unit[7U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b2, zeta1); +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 16 +- ZETA= 25847 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_99( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)16U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)25847); + re[j + (size_t)16U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)16U], + &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - int32_t (*re)[8U], size_t index, int32_t zeta_00, int32_t zeta_01) { - libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_1( - re[index], zeta_00, zeta_01); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_7( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_99(re); } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1(int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)0U, (int32_t)3839961, (int32_t)-3628969); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)1U, (int32_t)-3881060, (int32_t)-3019102); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)2U, (int32_t)-1439742, (int32_t)-812732); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)3U, (int32_t)-1584928, (int32_t)1285669); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)4U, (int32_t)1341330, (int32_t)1315589); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)5U, (int32_t)-177440, (int32_t)-2409325); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)6U, (int32_t)-1851402, (int32_t)3159746); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)7U, (int32_t)-3553272, (int32_t)189548); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)8U, (int32_t)-1316856, (int32_t)759969); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)9U, (int32_t)-210977, (int32_t)2389356); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)10U, (int32_t)-3249728, (int32_t)1653064); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)11U, (int32_t)-8578, (int32_t)-3724342); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)12U, (int32_t)3958618, (int32_t)904516); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)13U, (int32_t)-1100098, (int32_t)44288); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)14U, (int32_t)3097992, (int32_t)508951); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)15U, (int32_t)264944, (int32_t)-3343383); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)16U, (int32_t)-1430430, (int32_t)1852771); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)17U, (int32_t)1349076, (int32_t)-381987); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)18U, (int32_t)-1308169, (int32_t)-22981); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)19U, (int32_t)-1228525, (int32_t)-671102); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)20U, (int32_t)-2477047, (int32_t)-411027); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)21U, (int32_t)-3693493, (int32_t)-2967645); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)22U, (int32_t)2715295, (int32_t)2147896); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)23U, (int32_t)-983419, (int32_t)3412210); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)24U, (int32_t)126922, (int32_t)-3632928); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)25U, (int32_t)-3157330, (int32_t)-3190144); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)26U, (int32_t)-1000202, (int32_t)-4083598); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)27U, (int32_t)1939314, (int32_t)-1257611); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)28U, (int32_t)-1585221, (int32_t)2176455); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)29U, (int32_t)3475950, (int32_t)-1452451); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)30U, (int32_t)-3041255, (int32_t)-3677745); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( - re, (size_t)31U, (int32_t)-1528703, (int32_t)-3930395); +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 8 +- ZETA= -2608894 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_990( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)8U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-2608894); + re[j + (size_t)8U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)8U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_2( - int32_t *simd_unit, int32_t zeta) { - int32_t a_minus_b = simd_unit[4U] - simd_unit[0U]; - simd_unit[0U] = simd_unit[0U] + simd_unit[4U]; - simd_unit[4U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b, zeta); - int32_t a_minus_b0 = simd_unit[5U] - simd_unit[1U]; - simd_unit[1U] = simd_unit[1U] + simd_unit[5U]; - simd_unit[5U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b0, zeta); - int32_t a_minus_b1 = simd_unit[6U] - simd_unit[2U]; - simd_unit[2U] = simd_unit[2U] + simd_unit[6U]; - simd_unit[6U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b1, zeta); - int32_t a_minus_b2 = simd_unit[7U] - simd_unit[3U]; - simd_unit[3U] = simd_unit[3U] + simd_unit[7U]; - simd_unit[7U] = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - a_minus_b2, zeta); +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 8 +- ZETA= -518909 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)8U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-518909); + re[j + (size_t)8U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)8U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } } -static inline void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - int32_t (*re)[8U], size_t index, int32_t zeta1) { - libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_2(re[index], - zeta1); +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_6( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_990(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a(re); } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2(int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)0U, (int32_t)-2797779); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)1U, (int32_t)2071892); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)2U, (int32_t)-2556880); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)3U, (int32_t)3900724); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)4U, (int32_t)3881043); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)5U, (int32_t)954230); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)6U, (int32_t)531354); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)7U, (int32_t)811944); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)8U, (int32_t)3699596); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)9U, (int32_t)-1600420); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)10U, (int32_t)-2140649); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)11U, (int32_t)3507263); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)12U, (int32_t)-3821735); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)13U, (int32_t)3505694); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)14U, (int32_t)-1643818); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)15U, (int32_t)-1699267); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)16U, (int32_t)-539299); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)17U, (int32_t)2348700); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)18U, (int32_t)-300467); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)19U, (int32_t)3539968); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)20U, (int32_t)-2867647); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)21U, (int32_t)3574422); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)22U, (int32_t)-3043716); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)23U, (int32_t)-3861115); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)24U, (int32_t)3915439); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)25U, (int32_t)-2537516); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)26U, (int32_t)-3592148); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)27U, (int32_t)-1661693); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)28U, (int32_t)3530437); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)29U, (int32_t)3077325); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)30U, (int32_t)95776); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( - re, (size_t)31U, (int32_t)2706023); +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 4 +- ZETA= 237124 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_991( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)4U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)237124); + re[j + (size_t)4U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 4 +- ZETA= -777960 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a8( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)4U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-777960); + re[j + (size_t)4U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 4 +- ZETA= -876248 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)4U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-876248); + re[j + (size_t)4U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 4 +- ZETA= 466468 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)4U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)466468); + re[j + (size_t)4U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_5( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_991(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a8(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a0(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d9(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 2 +- ZETA= 1826347 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_992( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)2U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)1826347); + re[j + (size_t)2U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 4 +- STEP_BY= 2 +- ZETA= 2353451 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)2U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)2353451); + re[j + (size_t)2U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 2 +- ZETA= -359251 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a80( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)2U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-359251); + re[j + (size_t)2U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 12 +- STEP_BY= 2 +- ZETA= -2091905 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_95( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)2U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-2091905); + re[j + (size_t)2U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 2 +- ZETA= 3119733 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a1( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)2U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)3119733); + re[j + (size_t)2U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 20 +- STEP_BY= 2 +- ZETA= -2884855 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)2U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-2884855); + re[j + (size_t)2U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 2 +- ZETA= 3111497 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d90( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)2U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)3111497); + re[j + (size_t)2U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 2 +- ZETA= 2680103 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)2U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)2680103); + re[j + (size_t)2U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_4( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_992(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a80(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_95(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a1(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d90(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics - OFFSET= 0 - STEP_BY= 1 -- ZETA= 280005 +- ZETA= 2725464 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_99( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_993( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)280005); + &tmp, (int32_t)2725464); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics - OFFSET= 2 - STEP_BY= 1 -- ZETA= 4010497 +- ZETA= 1024112 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1c( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1c( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)4010497); + &tmp, (int32_t)1024112); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics - OFFSET= 4 - STEP_BY= 1 -- ZETA= -19422 +- ZETA= -1079900 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-19422); + &tmp, (int32_t)-1079900); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics - OFFSET= 6 - STEP_BY= 1 -- ZETA= 1757237 +- ZETA= 3585928 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_44( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_44( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)1757237); + &tmp, (int32_t)3585928); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics - OFFSET= 8 - STEP_BY= 1 -- ZETA= -3277672 +- ZETA= -549488 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a8( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a81( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-3277672); + &tmp, (int32_t)-549488); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus with const generics - OFFSET= 10 - STEP_BY= 1 -- ZETA= -1399561 +- ZETA= -1119584 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1f( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1f( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-1119584); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 12 +- STEP_BY= 1 +- ZETA= 2619752 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_950( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)2619752); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 14 +- STEP_BY= 1 +- ZETA= -2108549 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-2108549); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 1 +- ZETA= -2118186 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a2( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-2118186); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 18 +- STEP_BY= 1 +- ZETA= -3859737 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_e4( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-3859737); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 20 +- STEP_BY= 1 +- ZETA= -1399561 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-1399561); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 22 +- STEP_BY= 1 +- ZETA= -3277672 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_05( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-3277672); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 1 +- ZETA= 1757237 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d91( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)1757237); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 26 +- STEP_BY= 1 +- ZETA= -19422 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3a( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)-19422); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 1 +- ZETA= 4010497 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b1( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &tmp, (int32_t)4010497); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 30 +- STEP_BY= 1 +- ZETA= 280005 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients tmp = + re[j + (size_t)1U]; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-1399561); + &tmp, (int32_t)280005); + re[j + (size_t)1U] = re[j]; + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], &tmp); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &tmp); } } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 12 -- STEP_BY= 1 -- ZETA= -3859737 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_95( - int32_t (*re)[8U]) { - for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-3859737); - } +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_3( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_993(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1c(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b0(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_44(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a81(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1f(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_950(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b0(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a2(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_e4(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de0(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_05(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d91(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3a(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b1(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a0(re); +} + +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + int32_t fe, int32_t fer) { + return libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( + (int64_t)fe * (int64_t)fer); +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_2( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + int32_t zeta) { + int32_t t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit->values[4U], zeta); + simd_unit->values[4U] = simd_unit->values[0U] - t; + simd_unit->values[0U] = simd_unit->values[0U] + t; + int32_t t0 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit->values[5U], zeta); + simd_unit->values[5U] = simd_unit->values[1U] - t0; + simd_unit->values[1U] = simd_unit->values[1U] + t0; + int32_t t1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit->values[6U], zeta); + simd_unit->values[6U] = simd_unit->values[2U] - t1; + simd_unit->values[2U] = simd_unit->values[2U] + t1; + int32_t t2 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit->values[7U], zeta); + simd_unit->values[7U] = simd_unit->values[3U] - t2; + simd_unit->values[3U] = simd_unit->values[3U] + t2; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re, size_t index, + int32_t zeta) { + libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_2(&re[index], zeta); +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)0U, + (int32_t)2706023); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)1U, + (int32_t)95776); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)2U, + (int32_t)3077325); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)3U, + (int32_t)3530437); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)4U, + (int32_t)-1661693); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)5U, + (int32_t)-3592148); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)6U, + (int32_t)-2537516); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)7U, + (int32_t)3915439); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)8U, + (int32_t)-3861115); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)9U, + (int32_t)-3043716); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)10U, + (int32_t)3574422); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)11U, + (int32_t)-2867647); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)12U, + (int32_t)3539968); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)13U, + (int32_t)-300467); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)14U, + (int32_t)2348700); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)15U, + (int32_t)-539299); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)16U, + (int32_t)-1699267); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)17U, + (int32_t)-1643818); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)18U, + (int32_t)3505694); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)19U, + (int32_t)-3821735); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)20U, + (int32_t)3507263); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)21U, + (int32_t)-2140649); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)22U, + (int32_t)-1600420); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)23U, + (int32_t)3699596); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)24U, + (int32_t)811944); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)25U, + (int32_t)531354); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)26U, + (int32_t)954230); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)27U, + (int32_t)3881043); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)28U, + (int32_t)3900724); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)29U, + (int32_t)-2556880); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)30U, + (int32_t)2071892); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)31U, + (int32_t)-2797779); +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_1( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + int32_t zeta1, int32_t zeta2) { + int32_t t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit->values[2U], zeta1); + simd_unit->values[2U] = simd_unit->values[0U] - t; + simd_unit->values[0U] = simd_unit->values[0U] + t; + int32_t t0 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit->values[3U], zeta1); + simd_unit->values[3U] = simd_unit->values[1U] - t0; + simd_unit->values[1U] = simd_unit->values[1U] + t0; + int32_t t1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit->values[6U], zeta2); + simd_unit->values[6U] = simd_unit->values[4U] - t1; + simd_unit->values[4U] = simd_unit->values[4U] + t1; + int32_t t2 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit->values[7U], zeta2); + simd_unit->values[7U] = simd_unit->values[5U] - t2; + simd_unit->values[5U] = simd_unit->values[5U] + t2; } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 14 -- STEP_BY= 1 -- ZETA= -2118186 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b( - int32_t (*re)[8U]) { - for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-2118186); - } +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re, size_t index, + int32_t zeta_0, int32_t zeta_1) { + libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_1(&re[index], zeta_0, + zeta_1); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 16 -- STEP_BY= 1 -- ZETA= -2108549 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a( - int32_t (*re)[8U]) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-2108549); - } +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)0U, (int32_t)-3930395, (int32_t)-1528703); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)1U, (int32_t)-3677745, (int32_t)-3041255); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)2U, (int32_t)-1452451, (int32_t)3475950); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)3U, (int32_t)2176455, (int32_t)-1585221); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)4U, (int32_t)-1257611, (int32_t)1939314); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)5U, (int32_t)-4083598, (int32_t)-1000202); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)6U, (int32_t)-3190144, (int32_t)-3157330); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)7U, (int32_t)-3632928, (int32_t)126922); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)8U, (int32_t)3412210, (int32_t)-983419); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)9U, (int32_t)2147896, (int32_t)2715295); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)10U, (int32_t)-2967645, (int32_t)-3693493); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)11U, (int32_t)-411027, (int32_t)-2477047); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)12U, (int32_t)-671102, (int32_t)-1228525); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)13U, (int32_t)-22981, (int32_t)-1308169); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)14U, (int32_t)-381987, (int32_t)1349076); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)15U, (int32_t)1852771, (int32_t)-1430430); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)16U, (int32_t)-3343383, (int32_t)264944); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)17U, (int32_t)508951, (int32_t)3097992); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)18U, (int32_t)44288, (int32_t)-1100098); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)19U, (int32_t)904516, (int32_t)3958618); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)20U, (int32_t)-3724342, (int32_t)-8578); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)21U, (int32_t)1653064, (int32_t)-3249728); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)22U, (int32_t)2389356, (int32_t)-210977); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)23U, (int32_t)759969, (int32_t)-1316856); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)24U, (int32_t)189548, (int32_t)-3553272); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)25U, (int32_t)3159746, (int32_t)-1851402); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)26U, (int32_t)-2409325, (int32_t)-177440); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)27U, (int32_t)1315589, (int32_t)1341330); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)28U, (int32_t)1285669, (int32_t)-1584928); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)29U, (int32_t)-812732, (int32_t)-1439742); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)30U, (int32_t)-3019102, (int32_t)-3881060); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)31U, (int32_t)-3628969, (int32_t)3839961); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 18 -- STEP_BY= 1 -- ZETA= 2619752 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_e4( - int32_t (*re)[8U]) { - for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)2619752); - } +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + int32_t zeta0, int32_t zeta1, int32_t zeta2, int32_t zeta3) { + int32_t t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit->values[1U], zeta0); + simd_unit->values[1U] = simd_unit->values[0U] - t; + simd_unit->values[0U] = simd_unit->values[0U] + t; + int32_t t0 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit->values[3U], zeta1); + simd_unit->values[3U] = simd_unit->values[2U] - t0; + simd_unit->values[2U] = simd_unit->values[2U] + t0; + int32_t t1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit->values[5U], zeta2); + simd_unit->values[5U] = simd_unit->values[4U] - t1; + simd_unit->values[4U] = simd_unit->values[4U] + t1; + int32_t t2 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit->values[7U], zeta3); + simd_unit->values[7U] = simd_unit->values[6U] - t2; + simd_unit->values[6U] = simd_unit->values[6U] + t2; } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 20 -- STEP_BY= 1 -- ZETA= -1119584 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de( - int32_t (*re)[8U]) { - for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-1119584); - } +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re, size_t index, + int32_t zeta_0, int32_t zeta_1, int32_t zeta_2, int32_t zeta_3) { + libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_0( + &re[index], zeta_0, zeta_1, zeta_2, zeta_3); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 22 -- STEP_BY= 1 -- ZETA= -549488 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_05( - int32_t (*re)[8U]) { - for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-549488); - } +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)0U, (int32_t)2091667, (int32_t)3407706, (int32_t)2316500, + (int32_t)3817976); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)1U, (int32_t)-3342478, (int32_t)2244091, (int32_t)-2446433, + (int32_t)-3562462); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)2U, (int32_t)266997, (int32_t)2434439, (int32_t)-1235728, + (int32_t)3513181); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)3U, (int32_t)-3520352, (int32_t)-3759364, (int32_t)-1197226, + (int32_t)-3193378); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)4U, (int32_t)900702, (int32_t)1859098, (int32_t)909542, + (int32_t)819034); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)5U, (int32_t)495491, (int32_t)-1613174, (int32_t)-43260, + (int32_t)-522500); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)6U, (int32_t)-655327, (int32_t)-3122442, (int32_t)2031748, + (int32_t)3207046); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)7U, (int32_t)-3556995, (int32_t)-525098, (int32_t)-768622, + (int32_t)-3595838); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)8U, (int32_t)342297, (int32_t)286988, (int32_t)-2437823, + (int32_t)4108315); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)9U, (int32_t)3437287, (int32_t)-3342277, (int32_t)1735879, + (int32_t)203044); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)10U, (int32_t)2842341, (int32_t)2691481, (int32_t)-2590150, + (int32_t)1265009); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)11U, (int32_t)4055324, (int32_t)1247620, (int32_t)2486353, + (int32_t)1595974); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)12U, (int32_t)-3767016, (int32_t)1250494, (int32_t)2635921, + (int32_t)-3548272); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)13U, (int32_t)-2994039, (int32_t)1869119, (int32_t)1903435, + (int32_t)-1050970); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)14U, (int32_t)-1333058, (int32_t)1237275, (int32_t)-3318210, + (int32_t)-1430225); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)15U, (int32_t)-451100, (int32_t)1312455, (int32_t)3306115, + (int32_t)-1962642); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)16U, (int32_t)-1279661, (int32_t)1917081, (int32_t)-2546312, + (int32_t)-1374803); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)17U, (int32_t)1500165, (int32_t)777191, (int32_t)2235880, + (int32_t)3406031); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)18U, (int32_t)-542412, (int32_t)-2831860, (int32_t)-1671176, + (int32_t)-1846953); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)19U, (int32_t)-2584293, (int32_t)-3724270, (int32_t)594136, + (int32_t)-3776993); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)20U, (int32_t)-2013608, (int32_t)2432395, (int32_t)2454455, + (int32_t)-164721); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)21U, (int32_t)1957272, (int32_t)3369112, (int32_t)185531, + (int32_t)-1207385); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)22U, (int32_t)-3183426, (int32_t)162844, (int32_t)1616392, + (int32_t)3014001); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)23U, (int32_t)810149, (int32_t)1652634, (int32_t)-3694233, + (int32_t)-1799107); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)24U, (int32_t)-3038916, (int32_t)3523897, (int32_t)3866901, + (int32_t)269760); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)25U, (int32_t)2213111, (int32_t)-975884, (int32_t)1717735, + (int32_t)472078); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)26U, (int32_t)-426683, (int32_t)1723600, (int32_t)-1803090, + (int32_t)1910376); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)27U, (int32_t)-1667432, (int32_t)-1104333, (int32_t)-260646, + (int32_t)-3833893); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)28U, (int32_t)-2939036, (int32_t)-2235985, (int32_t)-420899, + (int32_t)-2286327); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)29U, (int32_t)183443, (int32_t)-976891, (int32_t)1612842, + (int32_t)-3545687); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)30U, (int32_t)-554416, (int32_t)3919660, (int32_t)-48306, + (int32_t)-1362209); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)31U, (int32_t)3937738, (int32_t)1400424, (int32_t)-846154, + (int32_t)1976782); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 24 -- STEP_BY= 1 -- ZETA= 3585928 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d9( - int32_t (*re)[8U]) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)3585928); - } +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_7(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_6(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_5(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_4(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_3(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0(re); } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 26 -- STEP_BY= 1 -- ZETA= -1079900 +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3a( - int32_t (*re)[8U]) { - for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)-1079900); - } +static inline void libcrux_ml_dsa_simd_portable_ntt_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_units) { + libcrux_ml_dsa_simd_portable_ntt_ntt(simd_units); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 28 -- STEP_BY= 1 -- ZETA= 1024112 -*/ static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b0(int32_t (*re)[8U]) { - for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)1024112); - } +libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + int32_t zeta0, int32_t zeta1, int32_t zeta2, int32_t zeta3) { + int32_t a_minus_b = simd_unit->values[1U] - simd_unit->values[0U]; + simd_unit->values[0U] = simd_unit->values[0U] + simd_unit->values[1U]; + simd_unit->values[1U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b, zeta0); + int32_t a_minus_b0 = simd_unit->values[3U] - simd_unit->values[2U]; + simd_unit->values[2U] = simd_unit->values[2U] + simd_unit->values[3U]; + simd_unit->values[3U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b0, zeta1); + int32_t a_minus_b1 = simd_unit->values[5U] - simd_unit->values[4U]; + simd_unit->values[4U] = simd_unit->values[4U] + simd_unit->values[5U]; + simd_unit->values[5U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b1, zeta2); + int32_t a_minus_b2 = simd_unit->values[7U] - simd_unit->values[6U]; + simd_unit->values[6U] = simd_unit->values[6U] + simd_unit->values[7U]; + simd_unit->values[7U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b2, zeta3); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 30 -- STEP_BY= 1 -- ZETA= 2725464 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a0( - int32_t (*re)[8U]) { - for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)1U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)1U], (int32_t)2725464); - } +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re, size_t index, + int32_t zeta0, int32_t zeta1, int32_t zeta2, int32_t zeta3) { + libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_0( + &re[index], zeta0, zeta1, zeta2, zeta3); } static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_3(int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_99(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1c(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_44(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a8(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1f(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_95(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_e4(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_05(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d9(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3a(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b0(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a0(re); +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)0U, (int32_t)1976782, (int32_t)-846154, (int32_t)1400424, + (int32_t)3937738); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)1U, (int32_t)-1362209, (int32_t)-48306, (int32_t)3919660, + (int32_t)-554416); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)2U, (int32_t)-3545687, (int32_t)1612842, (int32_t)-976891, + (int32_t)183443); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)3U, (int32_t)-2286327, (int32_t)-420899, (int32_t)-2235985, + (int32_t)-2939036); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)4U, (int32_t)-3833893, (int32_t)-260646, (int32_t)-1104333, + (int32_t)-1667432); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)5U, (int32_t)1910376, (int32_t)-1803090, (int32_t)1723600, + (int32_t)-426683); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)6U, (int32_t)472078, (int32_t)1717735, (int32_t)-975884, + (int32_t)2213111); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)7U, (int32_t)269760, (int32_t)3866901, (int32_t)3523897, + (int32_t)-3038916); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)8U, (int32_t)-1799107, (int32_t)-3694233, (int32_t)1652634, + (int32_t)810149); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)9U, (int32_t)3014001, (int32_t)1616392, (int32_t)162844, + (int32_t)-3183426); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)10U, (int32_t)-1207385, (int32_t)185531, (int32_t)3369112, + (int32_t)1957272); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)11U, (int32_t)-164721, (int32_t)2454455, (int32_t)2432395, + (int32_t)-2013608); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)12U, (int32_t)-3776993, (int32_t)594136, (int32_t)-3724270, + (int32_t)-2584293); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)13U, (int32_t)-1846953, (int32_t)-1671176, (int32_t)-2831860, + (int32_t)-542412); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)14U, (int32_t)3406031, (int32_t)2235880, (int32_t)777191, + (int32_t)1500165); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)15U, (int32_t)-1374803, (int32_t)-2546312, (int32_t)1917081, + (int32_t)-1279661); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)16U, (int32_t)-1962642, (int32_t)3306115, (int32_t)1312455, + (int32_t)-451100); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)17U, (int32_t)-1430225, (int32_t)-3318210, (int32_t)1237275, + (int32_t)-1333058); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)18U, (int32_t)-1050970, (int32_t)1903435, (int32_t)1869119, + (int32_t)-2994039); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)19U, (int32_t)-3548272, (int32_t)2635921, (int32_t)1250494, + (int32_t)-3767016); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)20U, (int32_t)1595974, (int32_t)2486353, (int32_t)1247620, + (int32_t)4055324); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)21U, (int32_t)1265009, (int32_t)-2590150, (int32_t)2691481, + (int32_t)2842341); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)22U, (int32_t)203044, (int32_t)1735879, (int32_t)-3342277, + (int32_t)3437287); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)23U, (int32_t)4108315, (int32_t)-2437823, (int32_t)286988, + (int32_t)342297); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)24U, (int32_t)-3595838, (int32_t)-768622, (int32_t)-525098, + (int32_t)-3556995); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)25U, (int32_t)3207046, (int32_t)2031748, (int32_t)-3122442, + (int32_t)-655327); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)26U, (int32_t)-522500, (int32_t)-43260, (int32_t)-1613174, + (int32_t)495491); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)27U, (int32_t)819034, (int32_t)909542, (int32_t)1859098, + (int32_t)900702); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)28U, (int32_t)-3193378, (int32_t)-1197226, (int32_t)-3759364, + (int32_t)-3520352); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)29U, (int32_t)3513181, (int32_t)-1235728, (int32_t)2434439, + (int32_t)266997); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)30U, (int32_t)-3562462, (int32_t)-2446433, (int32_t)2244091, + (int32_t)-3342478); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)31U, (int32_t)3817976, (int32_t)2316500, (int32_t)3407706, + (int32_t)2091667); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 0 -- STEP_BY= 2 -- ZETA= 2680103 -*/ static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_990(int32_t (*re)[8U]) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)2680103); - } +libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_1( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + int32_t zeta0, int32_t zeta1) { + int32_t a_minus_b = simd_unit->values[2U] - simd_unit->values[0U]; + simd_unit->values[0U] = simd_unit->values[0U] + simd_unit->values[2U]; + simd_unit->values[2U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b, zeta0); + int32_t a_minus_b0 = simd_unit->values[3U] - simd_unit->values[1U]; + simd_unit->values[1U] = simd_unit->values[1U] + simd_unit->values[3U]; + simd_unit->values[3U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b0, zeta0); + int32_t a_minus_b1 = simd_unit->values[6U] - simd_unit->values[4U]; + simd_unit->values[4U] = simd_unit->values[4U] + simd_unit->values[6U]; + simd_unit->values[6U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b1, zeta1); + int32_t a_minus_b2 = simd_unit->values[7U] - simd_unit->values[5U]; + simd_unit->values[5U] = simd_unit->values[5U] + simd_unit->values[7U]; + simd_unit->values[7U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b2, zeta1); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 4 -- STEP_BY= 2 -- ZETA= 3111497 -*/ static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b0(int32_t (*re)[8U]) { - for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)3111497); - } +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re, size_t index, + int32_t zeta_00, int32_t zeta_01) { + libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_1( + &re[index], zeta_00, zeta_01); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 8 -- STEP_BY= 2 -- ZETA= -2884855 -*/ static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a80(int32_t (*re)[8U]) { - for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)-2884855); - } +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)0U, (int32_t)3839961, (int32_t)-3628969); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)1U, (int32_t)-3881060, (int32_t)-3019102); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)2U, (int32_t)-1439742, (int32_t)-812732); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)3U, (int32_t)-1584928, (int32_t)1285669); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)4U, (int32_t)1341330, (int32_t)1315589); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)5U, (int32_t)-177440, (int32_t)-2409325); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)6U, (int32_t)-1851402, (int32_t)3159746); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)7U, (int32_t)-3553272, (int32_t)189548); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)8U, (int32_t)-1316856, (int32_t)759969); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)9U, (int32_t)-210977, (int32_t)2389356); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)10U, (int32_t)-3249728, (int32_t)1653064); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)11U, (int32_t)-8578, (int32_t)-3724342); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)12U, (int32_t)3958618, (int32_t)904516); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)13U, (int32_t)-1100098, (int32_t)44288); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)14U, (int32_t)3097992, (int32_t)508951); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)15U, (int32_t)264944, (int32_t)-3343383); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)16U, (int32_t)-1430430, (int32_t)1852771); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)17U, (int32_t)1349076, (int32_t)-381987); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)18U, (int32_t)-1308169, (int32_t)-22981); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)19U, (int32_t)-1228525, (int32_t)-671102); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)20U, (int32_t)-2477047, (int32_t)-411027); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)21U, (int32_t)-3693493, (int32_t)-2967645); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)22U, (int32_t)2715295, (int32_t)2147896); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)23U, (int32_t)-983419, (int32_t)3412210); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)24U, (int32_t)126922, (int32_t)-3632928); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)25U, (int32_t)-3157330, (int32_t)-3190144); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)26U, (int32_t)-1000202, (int32_t)-4083598); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)27U, (int32_t)1939314, (int32_t)-1257611); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)28U, (int32_t)-1585221, (int32_t)2176455); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)29U, (int32_t)3475950, (int32_t)-1452451); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)30U, (int32_t)-3041255, (int32_t)-3677745); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)31U, (int32_t)-1528703, (int32_t)-3930395); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 12 -- STEP_BY= 2 -- ZETA= 3119733 -*/ static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_950(int32_t (*re)[8U]) { - for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)3119733); - } +libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_2( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit, + int32_t zeta) { + int32_t a_minus_b = simd_unit->values[4U] - simd_unit->values[0U]; + simd_unit->values[0U] = simd_unit->values[0U] + simd_unit->values[4U]; + simd_unit->values[4U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b, zeta); + int32_t a_minus_b0 = simd_unit->values[5U] - simd_unit->values[1U]; + simd_unit->values[1U] = simd_unit->values[1U] + simd_unit->values[5U]; + simd_unit->values[5U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b0, zeta); + int32_t a_minus_b1 = simd_unit->values[6U] - simd_unit->values[2U]; + simd_unit->values[2U] = simd_unit->values[2U] + simd_unit->values[6U]; + simd_unit->values[6U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b1, zeta); + int32_t a_minus_b2 = simd_unit->values[7U] - simd_unit->values[3U]; + simd_unit->values[3U] = simd_unit->values[3U] + simd_unit->values[7U]; + simd_unit->values[7U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b2, zeta); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 16 -- STEP_BY= 2 -- ZETA= -2091905 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a0(int32_t (*re)[8U]) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)-2091905); - } +static inline void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re, size_t index, + int32_t zeta1) { + libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_2( + &re[index], zeta1); } -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 20 -- STEP_BY= 2 -- ZETA= -359251 -*/ static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de0(int32_t (*re)[8U]) { - for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)-359251); - } +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)0U, (int32_t)-2797779); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)1U, (int32_t)2071892); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)2U, (int32_t)-2556880); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)3U, (int32_t)3900724); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)4U, (int32_t)3881043); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)5U, (int32_t)954230); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)6U, (int32_t)531354); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)7U, (int32_t)811944); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)8U, (int32_t)3699596); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)9U, (int32_t)-1600420); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)10U, (int32_t)-2140649); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)11U, (int32_t)3507263); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)12U, (int32_t)-3821735); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)13U, (int32_t)3505694); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)14U, (int32_t)-1643818); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)15U, (int32_t)-1699267); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)16U, (int32_t)-539299); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)17U, (int32_t)2348700); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)18U, (int32_t)-300467); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)19U, (int32_t)3539968); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)20U, (int32_t)-2867647); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)21U, (int32_t)3574422); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)22U, (int32_t)-3043716); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)23U, (int32_t)-3861115); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)24U, (int32_t)3915439); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)25U, (int32_t)-2537516); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)26U, (int32_t)-3592148); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)27U, (int32_t)-1661693); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)28U, (int32_t)3530437); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)29U, (int32_t)3077325); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)30U, (int32_t)95776); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)31U, (int32_t)2706023); } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus -with const generics -- OFFSET= 24 -- STEP_BY= 2 -- ZETA= 2353451 +This function found in impl {(core::clone::Clone for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d90(int32_t (*re)[8U]) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { - size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)2353451); - } +static inline libcrux_ml_dsa_simd_portable_vector_type_Coefficients +libcrux_ml_dsa_simd_portable_vector_type_clone_88( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *self) { + return self[0U]; } /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 28 -- STEP_BY= 2 -- ZETA= 1826347 +- OFFSET= 0 +- STEP_BY= 1 +- ZETA= 280005 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b1(int32_t (*re)[8U]) { - for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_99( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)2U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)2U], (int32_t)1826347); + &re[j + (size_t)1U], (int32_t)280005); } } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_4(int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_990(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b0(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a80(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_950(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a0(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de0(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d90(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b1(re); -} - /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 0 -- STEP_BY= 4 -- ZETA= 466468 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_991(int32_t (*re)[8U]) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { +- OFFSET= 2 +- STEP_BY= 1 +- ZETA= 4010497 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1c( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)4U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)4U], (int32_t)466468); + &re[j + (size_t)1U], (int32_t)4010497); } } /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 8 -- STEP_BY= 4 -- ZETA= -876248 +- OFFSET= 4 +- STEP_BY= 1 +- ZETA= -19422 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a81(int32_t (*re)[8U]) { - for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)4U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)4U], (int32_t)-876248); + &re[j + (size_t)1U], (int32_t)-19422); } } /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 16 -- STEP_BY= 4 -- ZETA= -777960 +- OFFSET= 6 +- STEP_BY= 1 +- ZETA= 1757237 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a1(int32_t (*re)[8U]) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_44( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)4U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)4U], (int32_t)-777960); + &re[j + (size_t)1U], (int32_t)1757237); } } /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 24 -- STEP_BY= 4 -- ZETA= 237124 +- OFFSET= 8 +- STEP_BY= 1 +- ZETA= -3277672 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d91(int32_t (*re)[8U]) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a8( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)4U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)4U], (int32_t)237124); + &re[j + (size_t)1U], (int32_t)-3277672); } } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_5(int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_991(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a81(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a1(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d91(re); -} - /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 0 -- STEP_BY= 8 -- ZETA= -518909 +- OFFSET= 10 +- STEP_BY= 1 +- ZETA= -1399561 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_992(int32_t (*re)[8U]) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1f( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)8U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)8U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)8U], (int32_t)-518909); + &re[j + (size_t)1U], (int32_t)-1399561); } } /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 16 -- STEP_BY= 8 -- ZETA= -2608894 +- OFFSET= 12 +- STEP_BY= 1 +- ZETA= -3859737 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a2(int32_t (*re)[8U]) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_95( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)8U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)8U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)8U], (int32_t)-2608894); + &re[j + (size_t)1U], (int32_t)-3859737); } } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_6(int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_992(re); - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a2(re); -} - /** A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 0 -- STEP_BY= 16 -- ZETA= 25847 +- OFFSET= 14 +- STEP_BY= 1 +- ZETA= -2118186 */ -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_993(int32_t (*re)[8U]) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { size_t j = i; - int32_t rejs[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, re[j + (size_t)16U], rejs, int32_t, void *); - int32_t a_minus_b[8U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)8U, rejs, a_minus_b, int32_t, void *); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(a_minus_b, re[j]); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], rejs); - int32_t uu____0[8U]; - memcpy(uu____0, a_minus_b, (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)16U], uu____0, (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[j + (size_t)16U], (int32_t)25847); + &re[j + (size_t)1U], (int32_t)-2118186); } } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_7(int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_993(re); -} - -static inline void libcrux_ml_dsa_simd_portable_invntt_invert_ntt_montgomery( - int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_3(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_4(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_5(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_6(re); - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_7(re); - for (size_t i = (size_t)0U; - i < - Eurydice_slice_len(Eurydice_array_to_slice((size_t)32U, re, int32_t[8U]), - int32_t[8U]); - i++) { - size_t i0 = i; +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 1 +- ZETA= -2108549 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - re[i0], (int32_t)41978); + &re[j + (size_t)1U], (int32_t)-2108549); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 0 -- STEP_BY= 16 -- ZETA= 25847 +- OFFSET= 18 +- STEP_BY= 1 +- ZETA= 2619752 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_99( - int32_t (*re)[8U]) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_e4( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)16U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)25847); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)16U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)16U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)1U], (int32_t)2619752); } } -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_7( - int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_99(re); -} - /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 0 -- STEP_BY= 8 -- ZETA= -2608894 +- OFFSET= 20 +- STEP_BY= 1 +- ZETA= -1119584 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_990( - int32_t (*re)[8U]) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)8U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-2608894); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)8U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)8U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)1U], (int32_t)-1119584); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 16 -- STEP_BY= 8 -- ZETA= -518909 +- OFFSET= 22 +- STEP_BY= 1 +- ZETA= -549488 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a( - int32_t (*re)[8U]) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_05( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)8U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-518909); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)8U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)8U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)1U], (int32_t)-549488); } } -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_6( - int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_990(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a(re); -} - /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 0 -- STEP_BY= 4 -- ZETA= 237124 +- OFFSET= 24 +- STEP_BY= 1 +- ZETA= 3585928 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_991( - int32_t (*re)[8U]) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)4U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)237124); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)4U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)1U], (int32_t)3585928); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 8 -- STEP_BY= 4 -- ZETA= -777960 +- OFFSET= 26 +- STEP_BY= 1 +- ZETA= -1079900 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a8( - int32_t (*re)[8U]) { - for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3a( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)4U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-777960); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)4U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)1U], (int32_t)-1079900); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 16 -- STEP_BY= 4 -- ZETA= -876248 +- OFFSET= 28 +- STEP_BY= 1 +- ZETA= 1024112 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a0( - int32_t (*re)[8U]) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)4U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-876248); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)4U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)1U], (int32_t)1024112); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 24 -- STEP_BY= 4 -- ZETA= 466468 +- OFFSET= 30 +- STEP_BY= 1 +- ZETA= 2725464 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d9( - int32_t (*re)[8U]) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)4U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)1U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)466468); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)4U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)4U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)1U], (int32_t)2725464); } } -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_5( - int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_991(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a8(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a0(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d9(re); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_3( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_99(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1c(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_44(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a8(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1f(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_95(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_e4(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_05(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d9(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3a(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b0(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a0(re); } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - OFFSET= 0 - STEP_BY= 2 -- ZETA= 1826347 +- ZETA= 2680103 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_992( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_990( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)1826347); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)2U], (int32_t)2680103); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - OFFSET= 4 - STEP_BY= 2 -- ZETA= 2353451 +- ZETA= 3111497 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)2353451); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)2U], (int32_t)3111497); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - OFFSET= 8 - STEP_BY= 2 -- ZETA= -359251 +- ZETA= -2884855 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a80( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a80( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-359251); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)2U], (int32_t)-2884855); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - OFFSET= 12 - STEP_BY= 2 -- ZETA= -2091905 +- ZETA= 3119733 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_95( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_950( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-2091905); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)2U], (int32_t)3119733); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - OFFSET= 16 - STEP_BY= 2 -- ZETA= 3119733 +- ZETA= -2091905 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a1( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)3119733); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)2U], (int32_t)-2091905); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - OFFSET= 20 - STEP_BY= 2 -- ZETA= -2884855 +- ZETA= -359251 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de0( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-2884855); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)2U], (int32_t)-359251); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - OFFSET= 24 - STEP_BY= 2 -- ZETA= 3111497 +- ZETA= 2353451 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d90( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d90( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)3111497); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)2U], (int32_t)2353451); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - OFFSET= 28 - STEP_BY= 2 -- ZETA= 2680103 +- ZETA= 1826347 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b( - int32_t (*re)[8U]) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b1( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)2U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)2U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)2680103); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)2U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)2U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)2U], (int32_t)1826347); } } -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_4( - int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_992(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a80(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_95(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a1(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d90(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b(re); +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_4( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_990(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b0(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a80(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_950(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a0(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de0(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d90(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b1(re); } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics - OFFSET= 0 -- STEP_BY= 1 -- ZETA= 2725464 +- STEP_BY= 4 +- ZETA= 466468 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_993( - int32_t (*re)[8U]) { - for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_991( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)4U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)4U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)2725464); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)4U], (int32_t)466468); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 2 -- STEP_BY= 1 -- ZETA= 1024112 +- OFFSET= 8 +- STEP_BY= 4 +- ZETA= -876248 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1c( - int32_t (*re)[8U]) { - for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a81( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)4U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)4U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)1024112); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)4U], (int32_t)-876248); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 4 -- STEP_BY= 1 -- ZETA= -1079900 +- OFFSET= 16 +- STEP_BY= 4 +- ZETA= -777960 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b0( - int32_t (*re)[8U]) { - for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a1( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)4U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)4U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-1079900); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)4U], (int32_t)-777960); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 6 -- STEP_BY= 1 -- ZETA= 3585928 +- OFFSET= 24 +- STEP_BY= 4 +- ZETA= 237124 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_44( - int32_t (*re)[8U]) { - for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d91( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)4U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)4U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)3585928); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)4U], (int32_t)237124); } } +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_5( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_991(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a81(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a1(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d91(re); +} + /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 8 -- STEP_BY= 1 -- ZETA= -549488 +- OFFSET= 0 +- STEP_BY= 8 +- ZETA= -518909 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a81( - int32_t (*re)[8U]) { - for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_992( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)8U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)8U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-549488); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)8U], (int32_t)-518909); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 10 -- STEP_BY= 1 -- ZETA= -1119584 +- OFFSET= 16 +- STEP_BY= 8 +- ZETA= -2608894 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1f( - int32_t (*re)[8U]) { - for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a2( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)8U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)8U] = a_minus_b; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-1119584); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[j + (size_t)8U], (int32_t)-2608894); } } +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_6( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_992(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a2(re); +} + /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus with const generics -- OFFSET= 12 -- STEP_BY= 1 -- ZETA= 2619752 +- OFFSET= 0 +- STEP_BY= 16 +- ZETA= 25847 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_950( - int32_t (*re)[8U]) { - for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_993( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients rejs = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&re[j + (size_t)16U]); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients a_minus_b = + libcrux_ml_dsa_simd_portable_vector_type_clone_88(&rejs); + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&a_minus_b, &re[j]); + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &rejs); + re[j + (size_t)16U] = a_minus_b; + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + &re[j + (size_t)16U], (int32_t)25847); + } +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_7( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_993(re); +} + +static inline void libcrux_ml_dsa_simd_portable_invntt_invert_ntt_montgomery( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *re) { + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_3(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_4(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_5(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_6(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_7(re); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, re, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); + i++) { + size_t i0 = i; libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)2619752); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); + &re[i0], (int32_t)41978); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline void libcrux_ml_dsa_simd_portable_invert_ntt_montgomery_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_units) { + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_montgomery(simd_units); +} + +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.PolynomialRingElement +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients + +*/ +typedef struct libcrux_ml_dsa_polynomial_PolynomialRingElement_e8_s { + libcrux_ml_dsa_simd_portable_vector_type_Coefficients simd_units[32U]; +} libcrux_ml_dsa_polynomial_PolynomialRingElement_e8; + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.zero_ff +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- OFFSET= 14 -- STEP_BY= 1 -- ZETA= -2108549 + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b0( - int32_t (*re)[8U]) { - for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { - size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-2108549); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); +static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 +libcrux_ml_dsa_polynomial_zero_ff_5b(void) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 lit; + lit.simd_units[0U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[1U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[2U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[3U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[4U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[5U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[6U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[7U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[8U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[9U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[10U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[11U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[12U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[13U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[14U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[15U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[16U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[17U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[18U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[19U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[20U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[21U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[22U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[23U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[24U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[25U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[26U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[27U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[28U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[29U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[30U] = libcrux_ml_dsa_simd_portable_zero_e9(); + lit.simd_units[31U] = libcrux_ml_dsa_simd_portable_zero_e9(); + return lit; +} + +/** +A monomorphic instance of +libcrux_ml_dsa.sample.rejection_sample_less_than_field_modulus with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics + +*/ +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { + bool done = false; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)24U; i++) { + size_t _cloop_i = i; + Eurydice_slice random_bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)24U, + _cloop_i * (size_t)24U + (size_t)24U, uint8_t); + if (!done) { + Eurydice_slice uu____0 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_portable_rejection_sample_less_than_field_modulus_e9( + uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, + sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; + } + } + } + return done; +} + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.from_i32_array_ff +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics + +*/ +static inline void libcrux_ml_dsa_polynomial_from_i32_array_ff_5b( + Eurydice_slice array, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *result) { + for (size_t i = (size_t)0U; + i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_from_coefficient_array_e9( + Eurydice_slice_subslice2( + array, i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + int32_t), + &result->simd_units[i0]); + } +} + +/** + Sample and write out up to four ring elements. + + If i <= `elements_requested`, a field element with domain separated + seed according to the provided index is generated in + `tmp_stack[i]`. After successful rejection sampling in + `tmp_stack[i]`, the ring element is written to `matrix` at the + provided index in `indices[i]`. + `rand_stack` is a working buffer that holds initial Shake output. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.sample.sample_up_to_four_ring_elements_flat with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients, +libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics + +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_63( + size_t columns, Eurydice_slice seed, Eurydice_slice matrix, + uint8_t *rand_stack0, uint8_t *rand_stack1, uint8_t *rand_stack2, + uint8_t *rand_stack3, Eurydice_slice tmp_stack, size_t start_index, + size_t elements_requested) { + uint8_t seed0[34U]; + libcrux_ml_dsa_sample_add_domain_separator( + seed, + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_xy(start_index, + columns), + seed0); + uint8_t seed1[34U]; + libcrux_ml_dsa_sample_add_domain_separator( + seed, + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_xy( + start_index + (size_t)1U, columns), + seed1); + uint8_t seed2[34U]; + libcrux_ml_dsa_sample_add_domain_separator( + seed, + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_xy( + start_index + (size_t)2U, columns), + seed2); + uint8_t seed3[34U]; + libcrux_ml_dsa_sample_add_domain_separator( + seed, + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_xy( + start_index + (size_t)3U, columns), + seed3); + libcrux_ml_dsa_hash_functions_portable_Shake128X4 state = + libcrux_ml_dsa_hash_functions_portable_init_absorb_ed( + Eurydice_array_to_slice((size_t)34U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)34U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)34U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)34U, seed3, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks_ed( + &state, rand_stack0, rand_stack1, rand_stack2, rand_stack3); + size_t sampled0 = (size_t)0U; + size_t sampled1 = (size_t)0U; + size_t sampled2 = (size_t)0U; + size_t sampled3 = (size_t)0U; + bool done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)840U, rand_stack0, uint8_t), + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); + bool done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)840U, rand_stack1, uint8_t), + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); + bool done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)840U, rand_stack2, uint8_t), + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); + bool done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)840U, rand_stack3, uint8_t), + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); + while (true) { + if (done0) { + if (done1) { + if (done2) { + if (done3) { + break; + } else { + uint8_t_168size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( + &state); + if (!done0) { + done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.fst, + uint8_t), + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); + } + if (!done1) { + done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.snd, + uint8_t), + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); + } + if (!done2) { + done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.thd, + uint8_t), + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); + } + if (!done3) { + done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.f3, + uint8_t), + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); + } + } + } else { + uint8_t_168size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( + &state); + if (!done0) { + done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.fst, + uint8_t), + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); + } + if (!done1) { + done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.snd, + uint8_t), + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); + } + if (!done2) { + done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.thd, + uint8_t), + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); + } + if (!done3) { + done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.f3, + uint8_t), + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); + } + } + } else { + uint8_t_168size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( + &state); + if (!done0) { + done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.fst, + uint8_t), + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); + } + if (!done1) { + done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.snd, + uint8_t), + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); + } + if (!done2) { + done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.thd, + uint8_t), + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); + } + if (!done3) { + done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.f3, + uint8_t), + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); + } + } + } else { + uint8_t_168size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed(&state); + if (!done0) { + done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.fst, + uint8_t), + &sampled0, + Eurydice_slice_index(tmp_stack, (size_t)0U, int32_t[263U], + int32_t(*)[263U])); + } + if (!done1) { + done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.snd, + uint8_t), + &sampled1, + Eurydice_slice_index(tmp_stack, (size_t)1U, int32_t[263U], + int32_t(*)[263U])); + } + if (!done2) { + done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.thd, + uint8_t), + &sampled2, + Eurydice_slice_index(tmp_stack, (size_t)2U, int32_t[263U], + int32_t(*)[263U])); + } + if (!done3) { + done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_5b( + Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), + &sampled3, + Eurydice_slice_index(tmp_stack, (size_t)3U, int32_t[263U], + int32_t(*)[263U])); + } + } + } + for (size_t i = (size_t)0U; i < elements_requested; i++) { + size_t k = i; + libcrux_ml_dsa_polynomial_from_i32_array_ff_5b( + Eurydice_array_to_slice( + (size_t)263U, + Eurydice_slice_index(tmp_stack, k, int32_t[263U], int32_t(*)[263U]), + int32_t), + &Eurydice_slice_index( + matrix, start_index + k, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_flat +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients, +libcrux_ml_dsa_hash_functions_portable_Shake128X4 with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_flat_63( + size_t columns, Eurydice_slice seed, Eurydice_slice matrix) { + uint8_t rand_stack0[840U] = {0U}; + uint8_t rand_stack1[840U] = {0U}; + uint8_t rand_stack2[840U] = {0U}; + uint8_t rand_stack3[840U] = {0U}; + int32_t tmp_stack[4U][263U] = {{0U}}; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + matrix, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8) / + (size_t)4U; + i++) { + size_t start_index = i; + size_t start_index0 = start_index * (size_t)4U; + size_t uu____0 = start_index0 + (size_t)4U; + size_t elements_requested; + if (uu____0 <= + Eurydice_slice_len( + matrix, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)) { + elements_requested = (size_t)4U; + } else { + elements_requested = + Eurydice_slice_len( + matrix, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8) - + start_index0; + } + libcrux_ml_dsa_sample_sample_up_to_four_ring_elements_flat_63( + columns, seed, matrix, rand_stack0, rand_stack1, rand_stack2, + rand_stack3, + Eurydice_array_to_slice((size_t)4U, tmp_stack, int32_t[263U]), + start_index0, elements_requested); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +This function found in impl {(libcrux_ml_dsa::samplex4::X4Sampler for +libcrux_ml_dsa::samplex4::portable::PortableSampler)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.portable.matrix_flat_36 +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- OFFSET= 16 -- STEP_BY= 1 -- ZETA= -2118186 + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a2( - int32_t (*re)[8U]) { - for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { - size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-2118186); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); - } +static inline void libcrux_ml_dsa_samplex4_portable_matrix_flat_36_5b( + size_t columns, Eurydice_slice seed, Eurydice_slice matrix) { + libcrux_ml_dsa_samplex4_matrix_flat_63(columns, seed, matrix); } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 18 -- STEP_BY= 1 -- ZETA= -3859737 +A monomorphic instance of +libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_4 with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_e4( - int32_t (*re)[8U]) { - for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { - size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-3859737); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_5b( + Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { + bool done = false; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) { + size_t _cloop_i = i; + Eurydice_slice random_bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U, + _cloop_i * (size_t)4U + (size_t)4U, uint8_t); + if (!done) { + Eurydice_slice uu____0 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_e9( + uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, + sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; + } + } } + return done; } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 20 -- STEP_BY= 1 -- ZETA= -1399561 +A monomorphic instance of +libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_2 with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de0( - int32_t (*re)[8U]) { - for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { - size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-1399561); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_2_5b( + Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { + bool done = false; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) { + size_t _cloop_i = i; + Eurydice_slice random_bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U, + _cloop_i * (size_t)4U + (size_t)4U, uint8_t); + if (!done) { + Eurydice_slice uu____0 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_2_e9( + uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, + sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; + } + } } + return done; } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_eta +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- OFFSET= 22 -- STEP_BY= 1 -- ZETA= -3277672 + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_05( - int32_t (*re)[8U]) { - for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { - size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-3277672); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice randomness, + size_t *sampled, int32_t *out) { + if (!(eta == libcrux_ml_dsa_constants_Eta_Two)) { + return libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_5b( + randomness, sampled, out); } + return libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_2_5b( + randomness, sampled, out); } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 24 -- STEP_BY= 1 -- ZETA= 1757237 +A monomorphic instance of libcrux_ml_dsa.sample.sample_four_error_ring_elements +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d91( - int32_t (*re)[8U]) { - for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { - size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)1757237); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); +static KRML_MUSTINLINE void +libcrux_ml_dsa_sample_sample_four_error_ring_elements_29( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice seed, uint16_t start_index, + Eurydice_slice re) { + uint8_t seed0[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator(seed, start_index, seed0); + uint8_t seed1[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + seed, (uint32_t)start_index + 1U, seed1); + uint8_t seed2[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + seed, (uint32_t)start_index + 2U, seed2); + uint8_t seed3[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + seed, (uint32_t)start_index + 3U, seed3); + libcrux_ml_dsa_hash_functions_portable_Shake256X4 state = + libcrux_ml_dsa_hash_functions_portable_init_absorb_x4_50( + Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed3, uint8_t)); + uint8_t_136size_t__x4 randomnesses0 = + libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_x4_50(&state); + int32_t out[4U][263U] = {{0U}}; + size_t sampled0 = (size_t)0U; + size_t sampled1 = (size_t)0U; + size_t sampled2 = (size_t)0U; + size_t sampled3 = (size_t)0U; + bool done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, Eurydice_array_to_slice((size_t)136U, randomnesses0.fst, uint8_t), + &sampled0, out[0U]); + bool done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, Eurydice_array_to_slice((size_t)136U, randomnesses0.snd, uint8_t), + &sampled1, out[1U]); + bool done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, Eurydice_array_to_slice((size_t)136U, randomnesses0.thd, uint8_t), + &sampled2, out[2U]); + bool done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, Eurydice_array_to_slice((size_t)136U, randomnesses0.f3, uint8_t), + &sampled3, out[3U]); + while (true) { + if (done0) { + if (done1) { + if (done2) { + if (done3) { + break; + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, + uint8_t), + &sampled0, out[0U]); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, + uint8_t), + &sampled1, out[1U]); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, + uint8_t), + &sampled2, out[2U]); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, + uint8_t), + &sampled3, out[3U]); + } + } + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, + uint8_t), + &sampled0, out[0U]); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, + uint8_t), + &sampled1, out[1U]); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, + uint8_t), + &sampled2, out[2U]); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), + &sampled3, out[3U]); + } + } + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t), + &sampled0, out[0U]); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t), + &sampled1, out[1U]); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t), + &sampled2, out[2U]); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), + &sampled3, out[3U]); + } + } + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t), + &sampled0, out[0U]); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t), + &sampled1, out[1U]); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t), + &sampled2, out[2U]); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_5b( + eta, + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), + &sampled3, out[3U]); + } + } + } + size_t max0 = (size_t)start_index + (size_t)4U; + size_t max; + if (Eurydice_slice_len( + re, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8) < max0) { + max = Eurydice_slice_len( + re, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); + } else { + max = max0; + } + for (size_t i = (size_t)start_index; i < max; i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_from_i32_array_ff_5b( + Eurydice_array_to_slice((size_t)263U, out[i0 % (size_t)4U], int32_t), + &Eurydice_slice_index( + re, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus -with const generics -- OFFSET= 26 -- STEP_BY= 1 -- ZETA= -19422 +A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2 +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3a( - int32_t (*re)[8U]) { - for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { - size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)-19422); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_sample_s1_and_s2_29( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice seed, + Eurydice_slice s1_s2) { + size_t len = Eurydice_slice_len( + s1_s2, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); + for (size_t i = (size_t)0U; i < len / (size_t)4U; i++) { + size_t i0 = i; + libcrux_ml_dsa_sample_sample_four_error_ring_elements_29( + eta, seed, 4U * (uint32_t)(uint16_t)i0, s1_s2); + } + size_t remainder = len % (size_t)4U; + if (remainder != (size_t)0U) { + libcrux_ml_dsa_sample_sample_four_error_ring_elements_29( + eta, seed, (uint16_t)(len - remainder), s1_s2); } } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.ntt.ntt +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- OFFSET= 28 -- STEP_BY= 1 -- ZETA= 4010497 + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b1( - int32_t (*re)[8U]) { - for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { - size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)4010497); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); - } +static KRML_MUSTINLINE void libcrux_ml_dsa_ntt_ntt_5b( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *re) { + libcrux_ml_dsa_simd_portable_ntt_e9(re->simd_units); } /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +A monomorphic instance of libcrux_ml_dsa.ntt.ntt_multiply_montgomery +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- OFFSET= 30 -- STEP_BY= 1 -- ZETA= 280005 + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a0( - int32_t (*re)[8U]) { - for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { - size_t j = i; - int32_t tmp[8U]; - memcpy(tmp, re[j + (size_t)1U], (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( - tmp, (int32_t)280005); - int32_t uu____0[8U]; - memcpy(uu____0, re[j], (size_t)8U * sizeof(int32_t)); - memcpy(re[j + (size_t)1U], uu____0, (size_t)8U * sizeof(int32_t)); - libcrux_ml_dsa_simd_portable_arithmetic_subtract(re[j + (size_t)1U], tmp); - libcrux_ml_dsa_simd_portable_arithmetic_add(re[j], tmp); +static KRML_MUSTINLINE void libcrux_ml_dsa_ntt_ntt_multiply_montgomery_5b( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *lhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *rhs) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, lhs->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_montgomery_multiply_e9(&lhs->simd_units[i0], + &rhs->simd_units[i0]); } } -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_3( - int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_993(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1c(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b0(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_44(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a81(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1f(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_950(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b0(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a2(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_e4(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de0(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_05(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d91(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3a(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b1(re); - libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a0(re); -} +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.add_ff +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_2(int32_t *simd_unit, - int32_t zeta) { - int32_t t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit[4U], zeta); - simd_unit[4U] = simd_unit[0U] - t; - simd_unit[0U] = simd_unit[0U] + t; - int32_t t0 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit[5U], zeta); - simd_unit[5U] = simd_unit[1U] - t0; - simd_unit[1U] = simd_unit[1U] + t0; - int32_t t1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit[6U], zeta); - simd_unit[6U] = simd_unit[2U] - t1; - simd_unit[2U] = simd_unit[2U] + t1; - int32_t t2 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit[7U], zeta); - simd_unit[7U] = simd_unit[3U] - t2; - simd_unit[3U] = simd_unit[3U] + t2; +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_polynomial_add_ff_5b( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *self, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *rhs) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, self->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_add_e9(&self->simd_units[i0], + &rhs->simd_units[i0]); + } } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(int32_t (*re)[8U], - size_t index, - int32_t zeta) { - libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_2(re[index], zeta); -} +/** +A monomorphic instance of libcrux_ml_dsa.ntt.invert_ntt_montgomery +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2( - int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)0U, - (int32_t)2706023); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)1U, - (int32_t)95776); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)2U, - (int32_t)3077325); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)3U, - (int32_t)3530437); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)4U, - (int32_t)-1661693); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)5U, - (int32_t)-3592148); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)6U, - (int32_t)-2537516); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)7U, - (int32_t)3915439); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)8U, - (int32_t)-3861115); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)9U, - (int32_t)-3043716); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)10U, - (int32_t)3574422); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)11U, - (int32_t)-2867647); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)12U, - (int32_t)3539968); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)13U, - (int32_t)-300467); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)14U, - (int32_t)2348700); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)15U, - (int32_t)-539299); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)16U, - (int32_t)-1699267); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)17U, - (int32_t)-1643818); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)18U, - (int32_t)3505694); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)19U, - (int32_t)-3821735); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)20U, - (int32_t)3507263); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)21U, - (int32_t)-2140649); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)22U, - (int32_t)-1600420); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)23U, - (int32_t)3699596); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)24U, - (int32_t)811944); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)25U, - (int32_t)531354); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)26U, - (int32_t)954230); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)27U, - (int32_t)3881043); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)28U, - (int32_t)3900724); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)29U, - (int32_t)-2556880); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)30U, - (int32_t)2071892); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)31U, - (int32_t)-2797779); +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_ntt_invert_ntt_montgomery_5b( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *re) { + libcrux_ml_dsa_simd_portable_invert_ntt_montgomery_e9(re->simd_units); } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_1(int32_t *simd_unit, - int32_t zeta1, - int32_t zeta2) { - int32_t t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit[2U], zeta1); - simd_unit[2U] = simd_unit[0U] - t; - simd_unit[0U] = simd_unit[0U] + t; - int32_t t0 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit[3U], zeta1); - simd_unit[3U] = simd_unit[1U] - t0; - simd_unit[1U] = simd_unit[1U] + t0; - int32_t t1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit[6U], zeta2); - simd_unit[6U] = simd_unit[4U] - t1; - simd_unit[4U] = simd_unit[4U] + t1; - int32_t t2 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit[7U], zeta2); - simd_unit[7U] = simd_unit[5U] - t2; - simd_unit[5U] = simd_unit[5U] + t2; +/** + Compute InvertNTT(Â ◦ ŝ₁) + s₂ +*/ +/** +A monomorphic instance of libcrux_ml_dsa.matrix.compute_as1_plus_s2 +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics + +*/ +static inline void libcrux_ml_dsa_matrix_compute_as1_plus_s2_5b( + size_t rows_in_a, size_t columns_in_a, Eurydice_slice a_as_ntt, + Eurydice_slice s1_ntt, Eurydice_slice s1_s2, Eurydice_slice result) { + for (size_t i0 = (size_t)0U; i0 < rows_in_a; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < columns_in_a; i++) { + size_t j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 product = + Eurydice_slice_index( + a_as_ntt, i1 * columns_in_a + j, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *); + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_5b( + &product, + &Eurydice_slice_index( + s1_ntt, j, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_polynomial_add_ff_5b( + &Eurydice_slice_index( + result, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *), + &product); + } + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + result, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); + i++) { + size_t i0 = i; + libcrux_ml_dsa_ntt_invert_ntt_montgomery_5b(&Eurydice_slice_index( + result, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_polynomial_add_ff_5b( + &Eurydice_slice_index( + result, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *), + &Eurydice_slice_index( + s1_s2, columns_in_a + i0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + } } -static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round(int32_t (*re)[8U], - size_t index, - int32_t zeta_0, - int32_t zeta_1) { - libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_1(re[index], zeta_0, - zeta_1); +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.power2round_vector +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_power2round_vector_5b( + Eurydice_slice t, Eurydice_slice t1) { + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + t, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); + i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; + i < + Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, + Eurydice_slice_index( + t, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) + .simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); + i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_power2round_e9( + &Eurydice_slice_index( + t, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) + .simd_units[j], + &Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) + .simd_units[j]); + } + } } -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1( - int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)0U, (int32_t)-3930395, (int32_t)-1528703); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)1U, (int32_t)-3677745, (int32_t)-3041255); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)2U, (int32_t)-1452451, (int32_t)3475950); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)3U, (int32_t)2176455, (int32_t)-1585221); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)4U, (int32_t)-1257611, (int32_t)1939314); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)5U, (int32_t)-4083598, (int32_t)-1000202); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)6U, (int32_t)-3190144, (int32_t)-3157330); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)7U, (int32_t)-3632928, (int32_t)126922); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)8U, (int32_t)3412210, (int32_t)-983419); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)9U, (int32_t)2147896, (int32_t)2715295); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)10U, (int32_t)-2967645, (int32_t)-3693493); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)11U, (int32_t)-411027, (int32_t)-2477047); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)12U, (int32_t)-671102, (int32_t)-1228525); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)13U, (int32_t)-22981, (int32_t)-1308169); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)14U, (int32_t)-381987, (int32_t)1349076); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)15U, (int32_t)1852771, (int32_t)-1430430); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)16U, (int32_t)-3343383, (int32_t)264944); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)17U, (int32_t)508951, (int32_t)3097992); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)18U, (int32_t)44288, (int32_t)-1100098); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)19U, (int32_t)904516, (int32_t)3958618); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)20U, (int32_t)-3724342, (int32_t)-8578); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)21U, (int32_t)1653064, (int32_t)-3249728); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)22U, (int32_t)2389356, (int32_t)-210977); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)23U, (int32_t)759969, (int32_t)-1316856); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)24U, (int32_t)189548, (int32_t)-3553272); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)25U, (int32_t)3159746, (int32_t)-1851402); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)26U, (int32_t)-2409325, (int32_t)-177440); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)27U, (int32_t)1315589, (int32_t)1341330); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)28U, (int32_t)1285669, (int32_t)-1584928); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)29U, (int32_t)-812732, (int32_t)-1439742); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)30U, (int32_t)-3019102, (int32_t)-3881060); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( - re, (size_t)31U, (int32_t)-3628969, (int32_t)3839961); +/** +A monomorphic instance of libcrux_ml_dsa.encoding.t1.serialize +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_5b( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *re, uint8_t ret[320U]) { + uint8_t serialized[320U] = {0U}; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, re->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit = + &re->simd_units[i0]; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *uu____0 = simd_unit; + libcrux_ml_dsa_simd_portable_t1_serialize_e9( + uu____0, + Eurydice_array_to_subslice2( + serialized, + i0 * + LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, + uint8_t)); + } + memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.verification_key.generate_serialized with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics + +*/ static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_0(int32_t *simd_unit, - int32_t zeta0, - int32_t zeta1, - int32_t zeta2, - int32_t zeta3) { - int32_t t = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit[1U], zeta0); - simd_unit[1U] = simd_unit[0U] - t; - simd_unit[0U] = simd_unit[0U] + t; - int32_t t0 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit[3U], zeta1); - simd_unit[3U] = simd_unit[2U] - t0; - simd_unit[2U] = simd_unit[2U] + t0; - int32_t t1 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit[5U], zeta2); - simd_unit[5U] = simd_unit[4U] - t1; - simd_unit[4U] = simd_unit[4U] + t1; - int32_t t2 = - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( - simd_unit[7U], zeta3); - simd_unit[7U] = simd_unit[6U] - t2; - simd_unit[6U] = simd_unit[6U] + t2; +libcrux_ml_dsa_encoding_verification_key_generate_serialized_5b( + Eurydice_slice seed, Eurydice_slice t1, + Eurydice_slice verification_key_serialized) { + Eurydice_slice_copy(Eurydice_slice_subslice2( + verification_key_serialized, (size_t)0U, + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t), + seed, uint8_t); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + t1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); + i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *ring_element = + &Eurydice_slice_index( + t1, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *); + size_t offset = LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + + i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE; + Eurydice_slice uu____0 = Eurydice_slice_subslice2( + verification_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, uint8_t); + uint8_t ret[320U]; + libcrux_ml_dsa_encoding_t1_serialize_5b(ring_element, ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256 +with const generics +- OUTPUT_LENGTH= 64 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake256_24( + Eurydice_slice input, uint8_t *out) { + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)64U, out, uint8_t), input); } +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::portable::Shake256)#2} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_5c +with const generics +- OUTPUT_LENGTH= 64 +*/ static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - int32_t (*re)[8U], size_t index, int32_t zeta_0, int32_t zeta_1, - int32_t zeta_2, int32_t zeta_3) { - libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_0( - re[index], zeta_0, zeta_1, zeta_2, zeta_3); +libcrux_ml_dsa_hash_functions_portable_shake256_5c_24(Eurydice_slice input, + uint8_t *out) { + libcrux_ml_dsa_hash_functions_portable_shake256_24(input, out); } -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0( - int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)0U, (int32_t)2091667, (int32_t)3407706, (int32_t)2316500, - (int32_t)3817976); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)1U, (int32_t)-3342478, (int32_t)2244091, (int32_t)-2446433, - (int32_t)-3562462); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)2U, (int32_t)266997, (int32_t)2434439, (int32_t)-1235728, - (int32_t)3513181); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)3U, (int32_t)-3520352, (int32_t)-3759364, (int32_t)-1197226, - (int32_t)-3193378); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)4U, (int32_t)900702, (int32_t)1859098, (int32_t)909542, - (int32_t)819034); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)5U, (int32_t)495491, (int32_t)-1613174, (int32_t)-43260, - (int32_t)-522500); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)6U, (int32_t)-655327, (int32_t)-3122442, (int32_t)2031748, - (int32_t)3207046); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)7U, (int32_t)-3556995, (int32_t)-525098, (int32_t)-768622, - (int32_t)-3595838); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)8U, (int32_t)342297, (int32_t)286988, (int32_t)-2437823, - (int32_t)4108315); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)9U, (int32_t)3437287, (int32_t)-3342277, (int32_t)1735879, - (int32_t)203044); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)10U, (int32_t)2842341, (int32_t)2691481, (int32_t)-2590150, - (int32_t)1265009); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)11U, (int32_t)4055324, (int32_t)1247620, (int32_t)2486353, - (int32_t)1595974); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)12U, (int32_t)-3767016, (int32_t)1250494, (int32_t)2635921, - (int32_t)-3548272); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)13U, (int32_t)-2994039, (int32_t)1869119, (int32_t)1903435, - (int32_t)-1050970); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)14U, (int32_t)-1333058, (int32_t)1237275, (int32_t)-3318210, - (int32_t)-1430225); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)15U, (int32_t)-451100, (int32_t)1312455, (int32_t)3306115, - (int32_t)-1962642); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)16U, (int32_t)-1279661, (int32_t)1917081, (int32_t)-2546312, - (int32_t)-1374803); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)17U, (int32_t)1500165, (int32_t)777191, (int32_t)2235880, - (int32_t)3406031); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)18U, (int32_t)-542412, (int32_t)-2831860, (int32_t)-1671176, - (int32_t)-1846953); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)19U, (int32_t)-2584293, (int32_t)-3724270, (int32_t)594136, - (int32_t)-3776993); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)20U, (int32_t)-2013608, (int32_t)2432395, (int32_t)2454455, - (int32_t)-164721); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)21U, (int32_t)1957272, (int32_t)3369112, (int32_t)185531, - (int32_t)-1207385); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)22U, (int32_t)-3183426, (int32_t)162844, (int32_t)1616392, - (int32_t)3014001); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)23U, (int32_t)810149, (int32_t)1652634, (int32_t)-3694233, - (int32_t)-1799107); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)24U, (int32_t)-3038916, (int32_t)3523897, (int32_t)3866901, - (int32_t)269760); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)25U, (int32_t)2213111, (int32_t)-975884, (int32_t)1717735, - (int32_t)472078); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)26U, (int32_t)-426683, (int32_t)1723600, (int32_t)-1803090, - (int32_t)1910376); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)27U, (int32_t)-1667432, (int32_t)-1104333, (int32_t)-260646, - (int32_t)-3833893); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)28U, (int32_t)-2939036, (int32_t)-2235985, (int32_t)-420899, - (int32_t)-2286327); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)29U, (int32_t)183443, (int32_t)-976891, (int32_t)1612842, - (int32_t)-3545687); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)30U, (int32_t)-554416, (int32_t)3919660, (int32_t)-48306, - (int32_t)-1362209); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( - re, (size_t)31U, (int32_t)3937738, (int32_t)1400424, (int32_t)-846154, - (int32_t)1976782); +/** +A monomorphic instance of libcrux_ml_dsa.encoding.error.serialize +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_5b( + libcrux_ml_dsa_constants_Eta eta, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *re, + Eurydice_slice serialized) { + size_t output_bytes_per_simd_unit = + libcrux_ml_dsa_encoding_error_chunk_size(eta); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, re->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit = + &re->simd_units[i0]; + libcrux_ml_dsa_simd_portable_error_serialize_e9( + eta, simd_unit, + Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit, + (i0 + (size_t)1U) * output_bytes_per_simd_unit, + uint8_t)); + } } -static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt( - int32_t (*re)[8U]) { - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_7(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_6(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_5(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_4(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_3(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1(re); - libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0(re); +/** +A monomorphic instance of libcrux_ml_dsa.encoding.t0.serialize +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_serialize_5b( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *re, + Eurydice_slice serialized) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, re->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit = + &re->simd_units[i0]; + libcrux_ml_dsa_simd_portable_t0_serialize_e9( + simd_unit, + Eurydice_slice_subslice2( + serialized, + i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + uint8_t)); + } } -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_2( - Eurydice_slice randomness, Eurydice_slice out) { - size_t sampled = (size_t)0U; - for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.signing_key.generate_serialized with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients, +libcrux_ml_dsa_hash_functions_portable_Shake256 with const generics + +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_signing_key_generate_serialized_2e( + libcrux_ml_dsa_constants_Eta eta, size_t error_ring_element_size, + Eurydice_slice seed_matrix, Eurydice_slice seed_signing, + Eurydice_slice verification_key, Eurydice_slice s1_2, Eurydice_slice t0, + Eurydice_slice signing_key_serialized) { + size_t offset = (size_t)0U; + Eurydice_slice_copy( + Eurydice_slice_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t), + seed_matrix, uint8_t); + offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE; + Eurydice_slice_copy( + Eurydice_slice_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, uint8_t), + seed_signing, uint8_t); + offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE; + uint8_t verification_key_hash[64U] = {0U}; + libcrux_ml_dsa_hash_functions_portable_shake256_5c_24(verification_key, + verification_key_hash); + Eurydice_slice_copy( + Eurydice_slice_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, + uint8_t), + Eurydice_array_to_slice((size_t)64U, verification_key_hash, uint8_t), + uint8_t); + offset = offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + s1_2, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); + i++) { + size_t i0 = i; + libcrux_ml_dsa_encoding_error_serialize_5b( + eta, + &Eurydice_slice_index( + s1_2, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *), + Eurydice_slice_subslice2(signing_key_serialized, offset, + offset + error_ring_element_size, uint8_t)); + offset = offset + error_ring_element_size; + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + t0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); i++) { size_t _cloop_j = i; - uint8_t *byte = - &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); - uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); - uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); - if (try_0 < 15U) { - int32_t try_00 = (int32_t)try_0; - int32_t try_0_mod_5 = try_00 - (try_00 * (int32_t)26 >> 7U) * (int32_t)5; - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = - (int32_t)2 - try_0_mod_5; - sampled++; - } - if (try_1 < 15U) { - int32_t try_10 = (int32_t)try_1; - int32_t try_1_mod_5 = try_10 - (try_10 * (int32_t)26 >> 7U) * (int32_t)5; - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = - (int32_t)2 - try_1_mod_5; - sampled++; - } + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *ring_element = + &Eurydice_slice_index( + t0, _cloop_j, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *); + libcrux_ml_dsa_encoding_t0_serialize_5b( + ring_element, + Eurydice_slice_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, + uint8_t)); + offset = offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; } - return sampled; } -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4( - Eurydice_slice randomness, Eurydice_slice out) { - size_t sampled = (size_t)0U; - for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.generate_key_pair with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients, +libcrux_ml_dsa_samplex4_portable_PortableSampler, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics + +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_generate_key_pair_5a( + uint8_t randomness[32U], Eurydice_slice signing_key, + Eurydice_slice verification_key) { + uint8_t seed_expanded0[128U] = {0U}; + libcrux_sha3_portable_incremental_Shake256Xof shake = + libcrux_ml_dsa_hash_functions_portable_init_83(); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t)); + uint8_t buf[2U] = {(uint8_t)LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + (uint8_t)LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A}; + libcrux_ml_dsa_hash_functions_portable_absorb_final_83( + &shake, Eurydice_array_to_slice((size_t)2U, buf, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_squeeze_83( + &shake, Eurydice_array_to_slice((size_t)128U, seed_expanded0, uint8_t)); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)128U, seed_expanded0, uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_a = uu____0.fst; + Eurydice_slice seed_expanded = uu____0.snd; + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + seed_expanded, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_ERROR_VECTORS_SIZE, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_error_vectors = uu____1.fst; + Eurydice_slice seed_for_signing = uu____1.snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 a_as_ntt[30U]; + for (size_t i = (size_t)0U; i < (size_t)30U; i++) { + a_as_ntt[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_samplex4_portable_matrix_flat_36_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, seed_for_a, + Eurydice_array_to_slice( + (size_t)30U, a_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 s1_s2[11U]; + for (size_t i = (size_t)0U; i < (size_t)11U; i++) { + s1_s2[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_samplex4_sample_s1_and_s2_29( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ETA, seed_for_error_vectors, + Eurydice_array_to_slice( + (size_t)11U, s1_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 t0[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t0[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 s1_ntt[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + s1_ntt[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + Eurydice_slice uu____2 = Eurydice_array_to_slice( + (size_t)5U, s1_ntt, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); + Eurydice_slice_copy( + uu____2, + Eurydice_array_to_subslice2( + s1_s2, (size_t)0U, LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, s1_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); i++) { - size_t _cloop_j = i; - uint8_t *byte = - &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); - uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); - uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); - if (try_0 < 9U) { - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = - (int32_t)4 - (int32_t)try_0; - sampled++; - } - if (try_1 < 9U) { - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = - (int32_t)4 - (int32_t)try_1; - sampled++; - } + size_t i0 = i; + libcrux_ml_dsa_ntt_ntt_5b(&s1_ntt[i0]); + } + libcrux_ml_dsa_matrix_compute_as1_plus_s2_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + Eurydice_array_to_slice( + (size_t)30U, a_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)5U, s1_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)11U, s1_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)6U, t0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 t1[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t1[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_arithmetic_power2round_vector_5b( + Eurydice_array_to_slice( + (size_t)6U, t0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)6U, t1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + libcrux_ml_dsa_encoding_verification_key_generate_serialized_5b( + seed_for_a, + Eurydice_array_to_slice( + (size_t)6U, t1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + verification_key); + libcrux_ml_dsa_encoding_signing_key_generate_serialized_2e( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ETA, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ERROR_RING_ELEMENT_SIZE, + seed_for_a, seed_for_signing, verification_key, + Eurydice_array_to_slice( + (size_t)11U, s1_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)6U, t0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + signing_key); +} + +/** + Generate key pair. +*/ +static inline void +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_generate_key_pair( + uint8_t randomness[32U], uint8_t *signing_key, uint8_t *verification_key) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_generate_key_pair_5a( + copy_of_randomness, + Eurydice_array_to_slice((size_t)4032U, signing_key, uint8_t), + Eurydice_array_to_slice((size_t)1952U, verification_key, uint8_t)); +} + +/** + Generate an ML-DSA-65 Key Pair +*/ +static inline libcrux_ml_dsa_types_MLDSAKeyPair_06 +libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(uint8_t randomness[32U]) { + uint8_t signing_key[4032U] = {0U}; + uint8_t verification_key[1952U] = {0U}; + uint8_t uu____0[32U]; + memcpy(uu____0, randomness, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_generate_key_pair( + uu____0, signing_key, verification_key); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_signing_key[4032U]; + memcpy(copy_of_signing_key, signing_key, (size_t)4032U * sizeof(uint8_t)); + libcrux_ml_dsa_types_MLDSASigningKey_22 uu____2 = + libcrux_ml_dsa_types_new_9b_09(copy_of_signing_key); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_verification_key[1952U]; + memcpy(copy_of_verification_key, verification_key, + (size_t)1952U * sizeof(uint8_t)); + libcrux_ml_dsa_types_MLDSAKeyPair_06 lit; + lit.signing_key = uu____2; + lit.verification_key = + libcrux_ml_dsa_types_new_66_97(copy_of_verification_key); + return lit; +} + +/** +A monomorphic instance of core.option.Option +with types libcrux_ml_dsa_pre_hash_DomainSeparationContext + +*/ +typedef struct Option_84_s { + Option_d8_tags tag; + libcrux_ml_dsa_pre_hash_DomainSeparationContext f0; +} Option_84; + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.error.deserialize +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_deserialize_5b( + libcrux_ml_dsa_constants_Eta eta, Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *result) { + size_t chunk_size = libcrux_ml_dsa_encoding_error_chunk_size(eta); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, result->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_error_deserialize_e9( + eta, + Eurydice_slice_subslice2(serialized, i0 * chunk_size, + (i0 + (size_t)1U) * chunk_size, uint8_t), + &result->simd_units[i0]); } - return sampled; } -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_field_modulus( - Eurydice_slice randomness, Eurydice_slice out) { - size_t sampled = (size_t)0U; +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics + +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5b( + libcrux_ml_dsa_constants_Eta eta, size_t ring_element_size, + Eurydice_slice serialized, Eurydice_slice ring_elements) { for (size_t i = (size_t)0U; - i < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i++) { - size_t _cloop_i = i; - Eurydice_slice bytes = - Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)3U, - _cloop_i * (size_t)3U + (size_t)3U, uint8_t); - int32_t b0 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); - int32_t b1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); - int32_t b2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); - int32_t coefficient = ((b2 << 16U | b1 << 8U) | b0) & (int32_t)8388607; - if (coefficient < LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS) { - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = coefficient; - sampled++; - } + i < Eurydice_slice_len(serialized, uint8_t) / ring_element_size; i++) { + size_t i0 = i; + Eurydice_slice bytes = Eurydice_slice_subslice2( + serialized, i0 * ring_element_size, + i0 * ring_element_size + ring_element_size, uint8_t); + libcrux_ml_dsa_encoding_error_deserialize_5b( + eta, bytes, + &Eurydice_slice_index( + ring_elements, i0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_ntt_ntt_5b(&Eurydice_slice_index( + ring_elements, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); } - return sampled; } -static inline void -libcrux_ml_dsa_simd_portable_vector_type_from_coefficient_array( - Eurydice_slice array, int32_t ret[8U]) { - Result_6c dst; - Eurydice_slice_to_array2( - &dst, - Eurydice_slice_subslice2( - array, (size_t)0U, - LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, int32_t), - Eurydice_slice, int32_t[8U]); - unwrap_26_55(dst, ret); +/** +A monomorphic instance of libcrux_ml_dsa.encoding.t0.deserialize +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_deserialize_5b( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *result) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, result->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_t0_deserialize_e9( + Eurydice_slice_subslice2( + serialized, + i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + uint8_t), + &result->simd_units[i0]); + } } +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.t0.deserialize_to_vector_then_ntt with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics + +*/ static KRML_MUSTINLINE void -libcrux_ml_dsa_simd_portable_vector_type_to_coefficient_array( - int32_t *value, Eurydice_slice out) { - Eurydice_slice_copy(out, Eurydice_array_to_slice((size_t)8U, value, int32_t), - int32_t); +libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_5b( + Eurydice_slice serialized, Eurydice_slice ring_elements) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; + i++) { + size_t i0 = i; + Eurydice_slice bytes = Eurydice_slice_subslice2( + serialized, i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, + i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE + + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, + uint8_t); + libcrux_ml_dsa_encoding_t0_deserialize_5b( + bytes, &Eurydice_slice_index( + ring_elements, i0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_ntt_ntt_5b(&Eurydice_slice_index( + ring_elements, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + } +} + +/** + This corresponds to line 6 in algorithm 7 in FIPS 204 (line 7 in algorithm + 8, resp.). + + If `domain_separation_context` is supplied, applies domain + separation and length encoding to the context string, + before appending the message (in the regular variant) or the + pre-hash OID as well as the pre-hashed message digest. Otherwise, + it is assumed that `message` already contains domain separation + information. + + In FIPS 204 M' is the concatenation of the domain separated context, any + potential pre-hash OID and the message (or the message pre-hash). We do not + explicitely construct the concatenation in memory since it is of statically + unknown length, but feed its components directly into the incremental XOF. + + Refer to line 10 of Algorithm 2 (and line 5 of Algorithm 3, resp.) in [FIPS + 204](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#section.5) + for details on the domain separation for regular ML-DSA. Line + 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation + for the HashMl-DSA variant. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.derive_message_representative with types +libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics + +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b( + Eurydice_slice verification_key_hash, Option_84 *domain_separation_context, + Eurydice_slice message, uint8_t *message_representative) { + libcrux_sha3_portable_incremental_Shake256Xof shake = + libcrux_ml_dsa_hash_functions_portable_init_83(); + libcrux_ml_dsa_hash_functions_portable_absorb_83(&shake, + verification_key_hash); + if (domain_separation_context->tag == Some) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext + *domain_separation_context0 = &domain_separation_context->f0; + libcrux_sha3_portable_incremental_Shake256Xof *uu____0 = &shake; + uint8_t buf0[1U] = { + (uint8_t)core_option__core__option__Option_T__TraitClause_0___is_some( + libcrux_ml_dsa_pre_hash_pre_hash_oid_45(domain_separation_context0), + uint8_t[11U], bool)}; + libcrux_ml_dsa_hash_functions_portable_absorb_83( + uu____0, Eurydice_array_to_slice((size_t)1U, buf0, uint8_t)); + libcrux_sha3_portable_incremental_Shake256Xof *uu____1 = &shake; + uint8_t buf[1U] = {(uint8_t)Eurydice_slice_len( + libcrux_ml_dsa_pre_hash_context_45(domain_separation_context0), + uint8_t)}; + libcrux_ml_dsa_hash_functions_portable_absorb_83( + uu____1, Eurydice_array_to_slice((size_t)1U, buf, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake, libcrux_ml_dsa_pre_hash_context_45(domain_separation_context0)); + Option_30 *uu____2 = + libcrux_ml_dsa_pre_hash_pre_hash_oid_45(domain_separation_context0); + if (uu____2->tag == Some) { + uint8_t *pre_hash_oid = uu____2->f0; + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake, Eurydice_array_to_slice((size_t)11U, pre_hash_oid, uint8_t)); + } + } + libcrux_ml_dsa_hash_functions_portable_absorb_final_83(&shake, message); + libcrux_ml_dsa_hash_functions_portable_squeeze_83( + &shake, + Eurydice_array_to_slice((size_t)64U, message_representative, uint8_t)); } -static inline void libcrux_ml_dsa_simd_portable_vector_type_zero( - int32_t ret[8U]) { - ret[0U] = (int32_t)0; - ret[1U] = (int32_t)0; - ret[2U] = (int32_t)0; - ret[3U] = (int32_t)0; - ret[4U] = (int32_t)0; - ret[5U] = (int32_t)0; - ret[6U] = (int32_t)0; - ret[7U] = (int32_t)0; +/** +A monomorphic instance of core.option.Option +with types libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_portable_vector_type_Coefficients[5size_t] + +*/ +typedef struct Option_a5_s { + Option_d8_tags tag; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 f0[5U]; +} Option_a5; + +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256 +with const generics +- OUTPUT_LENGTH= 576 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake256_1b( + Eurydice_slice input, uint8_t *out) { + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)576U, out, uint8_t), input); } /** -This function found in impl {(core::clone::Clone for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 +for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3} */ -static inline void libcrux_ml_dsa_simd_portable_vector_type_clone_ae( - void **self) {} - /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_x4_50 +with const generics +- OUT_LEN= 576 */ -static inline void libcrux_ml_dsa_simd_portable_add_36(int32_t *lhs, - int32_t *rhs) { - libcrux_ml_dsa_simd_portable_arithmetic_add(lhs, rhs); +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_1b( + Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, + Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2, + uint8_t *out3) { + libcrux_ml_dsa_hash_functions_portable_shake256_1b(input0, out0); + libcrux_ml_dsa_hash_functions_portable_shake256_1b(input1, out1); + libcrux_ml_dsa_hash_functions_portable_shake256_1b(input2, out2); + libcrux_ml_dsa_hash_functions_portable_shake256_1b(input3, out3); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.deserialize +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics + */ -static inline void libcrux_ml_dsa_simd_portable_commitment_serialize_36( - int32_t *simd_unit, Eurydice_slice serialized) { - libcrux_ml_dsa_simd_portable_encoding_commitment_serialize(simd_unit, - serialized); +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_deserialize_5b( + size_t gamma1_exponent, Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *result) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, result->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_gamma1_deserialize_e9( + Eurydice_slice_subslice2( + serialized, i0 * (gamma1_exponent + (size_t)1U), + (i0 + (size_t)1U) * (gamma1_exponent + (size_t)1U), uint8_t), + &result->simd_units[i0], gamma1_exponent); + } } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256 +with const generics +- OUTPUT_LENGTH= 640 */ -static inline void libcrux_ml_dsa_simd_portable_from_coefficient_array_36( - Eurydice_slice array, int32_t ret[8U]) { - libcrux_ml_dsa_simd_portable_vector_type_from_coefficient_array(array, ret); +static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake256_c8( + Eurydice_slice input, uint8_t *out) { + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)640U, out, uint8_t), input); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 +for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3} */ -static inline bool libcrux_ml_dsa_simd_portable_infinity_norm_exceeds_36( - int32_t *simd_unit, int32_t bound) { - return libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds( - simd_unit, bound); +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_x4_50 +with const generics +- OUT_LEN= 640 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_c8( + Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, + Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2, + uint8_t *out3) { + libcrux_ml_dsa_hash_functions_portable_shake256_c8(input0, out0); + libcrux_ml_dsa_hash_functions_portable_shake256_c8(input1, out1); + libcrux_ml_dsa_hash_functions_portable_shake256_c8(input2, out2); + libcrux_ml_dsa_hash_functions_portable_shake256_c8(input3, out3); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::portable::Shake256)#2} */ -static inline void libcrux_ml_dsa_simd_portable_invert_ntt_montgomery_36( - int32_t (*simd_units)[8U]) { - libcrux_ml_dsa_simd_portable_invntt_invert_ntt_montgomery(simd_units); +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_5c +with const generics +- OUTPUT_LENGTH= 576 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_shake256_5c_1b(Eurydice_slice input, + uint8_t *out) { + libcrux_ml_dsa_hash_functions_portable_shake256_1b(input, out); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::portable::Shake256)#2} */ -static inline void libcrux_ml_dsa_simd_portable_montgomery_multiply_36( - int32_t *lhs, int32_t *rhs) { - libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply(lhs, rhs); +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_5c +with const generics +- OUTPUT_LENGTH= 640 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_shake256_5c_c8(Eurydice_slice input, + uint8_t *out) { + libcrux_ml_dsa_hash_functions_portable_shake256_c8(input, out); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_ring_element +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients, +libcrux_ml_dsa_hash_functions_portable_Shake256 with const generics + */ -static inline void libcrux_ml_dsa_simd_portable_ntt_36( - int32_t (*simd_units)[8U]) { - libcrux_ml_dsa_simd_portable_ntt_ntt(simd_units); +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_ring_element_2e( + uint8_t *seed, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *result, + size_t gamma1_exponent) { + switch ((uint8_t)gamma1_exponent) { + case 17U: { + uint8_t out[576U] = {0U}; + libcrux_ml_dsa_hash_functions_portable_shake256_5c_1b( + Eurydice_array_to_slice((size_t)66U, seed, uint8_t), out); + libcrux_ml_dsa_encoding_gamma1_deserialize_5b( + gamma1_exponent, Eurydice_array_to_slice((size_t)576U, out, uint8_t), + result); + break; + } + case 19U: { + uint8_t out[640U] = {0U}; + libcrux_ml_dsa_hash_functions_portable_shake256_5c_c8( + Eurydice_array_to_slice((size_t)66U, seed, uint8_t), out); + libcrux_ml_dsa_encoding_gamma1_deserialize_5b( + gamma1_exponent, Eurydice_array_to_slice((size_t)640U, out, uint8_t), + result); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_vector +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics + */ -static inline void libcrux_ml_dsa_simd_portable_power2round_36(int32_t *t0, - int32_t *t1) { - libcrux_ml_dsa_simd_portable_arithmetic_power2round(t0, t1); +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_vector_67( + size_t dimension, size_t gamma1_exponent, uint8_t *seed, + uint16_t *domain_separator, Eurydice_slice mask) { + uint8_t seed0[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + Eurydice_array_to_slice((size_t)64U, seed, uint8_t), domain_separator[0U], + seed0); + uint8_t seed1[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + Eurydice_array_to_slice((size_t)64U, seed, uint8_t), + (uint32_t)domain_separator[0U] + 1U, seed1); + uint8_t seed2[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + Eurydice_array_to_slice((size_t)64U, seed, uint8_t), + (uint32_t)domain_separator[0U] + 2U, seed2); + uint8_t seed3[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + Eurydice_array_to_slice((size_t)64U, seed, uint8_t), + (uint32_t)domain_separator[0U] + 3U, seed3); + domain_separator[0U] = (uint32_t)domain_separator[0U] + 4U; + switch ((uint8_t)gamma1_exponent) { + case 17U: { + uint8_t out0[576U] = {0U}; + uint8_t out1[576U] = {0U}; + uint8_t out2[576U] = {0U}; + uint8_t out3[576U] = {0U}; + libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_1b( + Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed3, uint8_t), out0, out1, + out2, out3); + libcrux_ml_dsa_encoding_gamma1_deserialize_5b( + gamma1_exponent, Eurydice_array_to_slice((size_t)576U, out0, uint8_t), + &Eurydice_slice_index( + mask, (size_t)0U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_encoding_gamma1_deserialize_5b( + gamma1_exponent, Eurydice_array_to_slice((size_t)576U, out1, uint8_t), + &Eurydice_slice_index( + mask, (size_t)1U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_encoding_gamma1_deserialize_5b( + gamma1_exponent, Eurydice_array_to_slice((size_t)576U, out2, uint8_t), + &Eurydice_slice_index( + mask, (size_t)2U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_encoding_gamma1_deserialize_5b( + gamma1_exponent, Eurydice_array_to_slice((size_t)576U, out3, uint8_t), + &Eurydice_slice_index( + mask, (size_t)3U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + break; + } + case 19U: { + uint8_t out0[640U] = {0U}; + uint8_t out1[640U] = {0U}; + uint8_t out2[640U] = {0U}; + uint8_t out3[640U] = {0U}; + libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_c8( + Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed3, uint8_t), out0, out1, + out2, out3); + libcrux_ml_dsa_encoding_gamma1_deserialize_5b( + gamma1_exponent, Eurydice_array_to_slice((size_t)640U, out0, uint8_t), + &Eurydice_slice_index( + mask, (size_t)0U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_encoding_gamma1_deserialize_5b( + gamma1_exponent, Eurydice_array_to_slice((size_t)640U, out1, uint8_t), + &Eurydice_slice_index( + mask, (size_t)1U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_encoding_gamma1_deserialize_5b( + gamma1_exponent, Eurydice_array_to_slice((size_t)640U, out2, uint8_t), + &Eurydice_slice_index( + mask, (size_t)2U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_encoding_gamma1_deserialize_5b( + gamma1_exponent, Eurydice_array_to_slice((size_t)640U, out3, uint8_t), + &Eurydice_slice_index( + mask, (size_t)3U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } + for (size_t i = (size_t)4U; i < dimension; i++) { + size_t i0 = i; + uint8_t seed4[66U]; + libcrux_ml_dsa_sample_add_error_domain_separator( + Eurydice_array_to_slice((size_t)64U, seed, uint8_t), + domain_separator[0U], seed4); + domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; + libcrux_ml_dsa_sample_sample_mask_ring_element_2e( + seed4, + &Eurydice_slice_index( + mask, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *), + gamma1_exponent); + } } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} + Compute InvertNTT(Â ◦ ŷ) */ /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.decompose_36 +A monomorphic instance of libcrux_ml_dsa.matrix.compute_matrix_x_mask +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- GAMMA2= 261888 + */ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 -libcrux_ml_dsa_simd_portable_decompose_36_80( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { - return libcrux_ml_dsa_simd_portable_arithmetic_decompose_80(simd_unit); +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_matrix_x_mask_5b( + size_t rows_in_a, size_t columns_in_a, Eurydice_slice matrix, + Eurydice_slice mask, Eurydice_slice result) { + for (size_t i0 = (size_t)0U; i0 < rows_in_a; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < columns_in_a; i++) { + size_t j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 product = + Eurydice_slice_index( + mask, j, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *); + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_5b( + &product, &Eurydice_slice_index( + matrix, i1 * columns_in_a + j, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_polynomial_add_ff_5b( + &Eurydice_slice_index( + result, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *), + &product); + } + libcrux_ml_dsa_ntt_invert_ntt_montgomery_5b(&Eurydice_slice_index( + result, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + } } /** A monomorphic instance of libcrux_ml_dsa.arithmetic.decompose_vector -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- DIMENSION= 6 -- GAMMA2= 261888 + */ -static KRML_MUSTINLINE - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 - libcrux_ml_dsa_arithmetic_decompose_vector_2f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector_low[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - vector_low[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector_high[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - vector_high[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_decompose_vector_5b( + size_t dimension, int32_t gamma2, Eurydice_slice t, Eurydice_slice low, + Eurydice_slice high) { + for (size_t i0 = (size_t)0U; i0 < dimension; i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)32U, vector_low->simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + (size_t)32U, + Eurydice_slice_index( + low, (size_t)0U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) + .simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 uu____0 = - libcrux_ml_dsa_simd_portable_decompose_36_80(t[i1].simd_units[j]); - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit low = - uu____0.fst; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit high = - uu____0.snd; - vector_low[i1].simd_units[j] = low; - vector_high[i1].simd_units[j] = high; + libcrux_ml_dsa_simd_portable_decompose_e9( + gamma2, + &Eurydice_slice_index( + t, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) + .simd_units[j], + &Eurydice_slice_index( + low, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) + .simd_units[j], + &Eurydice_slice_index( + high, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) + .simd_units[j]); } } - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_vector_low[6U]; - memcpy( - copy_of_vector_low, vector_low, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_vector_high[6U]; - memcpy( - copy_of_vector_high, vector_high, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 - lit; - memcpy( - lit.fst, copy_of_vector_low, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - memcpy( - lit.snd, copy_of_vector_high, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - return lit; } /** A monomorphic instance of libcrux_ml_dsa.encoding.commitment.serialize -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics */ -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_commitment_serialize_ba( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_commitment_serialize_5b( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *re, Eurydice_slice serialized) { size_t output_bytes_per_simd_unit = Eurydice_slice_len(serialized, uint8_t) / ((size_t)8U * (size_t)4U); for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)32U, re.simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + (size_t)32U, re->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); i++) { size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = - &re.simd_units[i0]; - libcrux_ml_dsa_simd_portable_commitment_serialize_36( - simd_unit[0U], + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit = + &re->simd_units[i0]; + libcrux_ml_dsa_simd_portable_commitment_serialize_e9( + simd_unit, Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit, (i0 + (size_t)1U) * output_bytes_per_simd_unit, uint8_t)); @@ -4519,50 +6316,45 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_commitment_serialize_ba( /** A monomorphic instance of libcrux_ml_dsa.encoding.commitment.serialize_vector -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- DIMENSION= 6 -- RING_ELEMENT_SIZE= 128 -- OUTPUT_SIZE= 768 + */ static KRML_MUSTINLINE void -libcrux_ml_dsa_encoding_commitment_serialize_vector_5d( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector[6U], - uint8_t ret[768U]) { - uint8_t serialized[768U] = {0U}; +libcrux_ml_dsa_encoding_commitment_serialize_vector_5b( + size_t ring_element_size, Eurydice_slice vector, + Eurydice_slice serialized) { size_t offset = (size_t)0U; for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + vector, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); i++) { size_t _cloop_j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = - &vector[_cloop_j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - ring_element[0U]; - libcrux_ml_dsa_encoding_commitment_serialize_ba( - uu____0, Eurydice_array_to_subslice2(serialized, offset, - offset + (size_t)128U, uint8_t)); - offset = offset + (size_t)128U; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *ring_element = + &Eurydice_slice_index( + vector, _cloop_j, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *); + libcrux_ml_dsa_encoding_commitment_serialize_5b( + ring_element, + Eurydice_slice_subslice2(serialized, offset, offset + ring_element_size, + uint8_t)); + offset = offset + ring_element_size; } - memcpy(ret, serialized, (size_t)768U * sizeof(uint8_t)); } /** A monomorphic instance of libcrux_ml_dsa.sample.sample_challenge_ring_element -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients, libcrux_ml_dsa_hash_functions_portable_Shake256 with const generics -- NUMBER_OF_ONES= 49 -- SEED_SIZE= 48 + */ -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b -libcrux_ml_dsa_sample_sample_challenge_ring_element_83(uint8_t seed[48U]) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_sample_sample_challenge_ring_element_2e( + Eurydice_slice seed, size_t number_of_ones, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *re) { libcrux_sha3_portable_KeccakState state = - libcrux_ml_dsa_hash_functions_portable_init_absorb_final_5c( - Eurydice_array_to_slice((size_t)48U, seed, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_init_absorb_final_5c(seed); uint8_t randomness0[136U]; libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_5c(&state, randomness0); @@ -4578,7 +6370,7 @@ libcrux_ml_dsa_sample_sample_challenge_ring_element_83(uint8_t seed[48U]) { size_t out_index = Eurydice_slice_len(Eurydice_array_to_slice((size_t)256U, result, int32_t), int32_t) - - (size_t)49U; + number_of_ones; Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)136U, randomness0, (size_t)8U, uint8_t, size_t); bool done = libcrux_ml_dsa_sample_inside_out_shuffle(uu____0, &out_index, @@ -4595,103 +6387,53 @@ libcrux_ml_dsa_sample_sample_challenge_ring_element_83(uint8_t seed[48U]) { &out_index, &signs, result); } } - return libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( - Eurydice_array_to_slice((size_t)256U, result, int32_t)); + libcrux_ml_dsa_polynomial_from_i32_array_ff_5b( + Eurydice_array_to_slice((size_t)256U, result, int32_t), re); } /** A monomorphic instance of libcrux_ml_dsa.matrix.vector_times_ring_element -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- DIMENSION= 5 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_4f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - i++) { - size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *vector_ring_element = - &vector[i0]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba( - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(vector_ring_element, - ring_element)); - result[i0] = uu____0; - } - memcpy( - ret, result, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); -} -/** -A monomorphic instance of libcrux_ml_dsa.matrix.vector_times_ring_element -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- DIMENSION= 6 */ -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_07( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_5b( + Eurydice_slice vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *ring_element) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + vector, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); i++) { size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *vector_ring_element = - &vector[i0]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba( - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(vector_ring_element, - ring_element)); - result[i0] = uu____0; + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_5b( + &Eurydice_slice_index( + vector, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *), + ring_element); + libcrux_ml_dsa_ntt_invert_ntt_montgomery_5b(&Eurydice_slice_index( + vector, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); } /** A monomorphic instance of libcrux_ml_dsa.matrix.add_vectors -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- DIMENSION= 5 + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_4f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *lhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[5U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_5b( + size_t dimension, Eurydice_slice lhs, Eurydice_slice rhs) { + for (size_t i = (size_t)0U; i < dimension; i++) { size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - libcrux_ml_dsa_polynomial_add_ff_ba(&lhs[i0], &rhs[i0]); - result[i0] = uu____0; + libcrux_ml_dsa_polynomial_add_ff_5b( + &Eurydice_slice_index( + lhs, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *), + &Eurydice_slice_index( + rhs, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); } - memcpy( - ret, result, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); } /** @@ -4701,55 +6443,44 @@ TraitClause@1]} */ /** A monomorphic instance of libcrux_ml_dsa.polynomial.subtract_ff -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics */ -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b -libcrux_ml_dsa_polynomial_subtract_ff_ba( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *self, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b difference = - libcrux_ml_dsa_polynomial_ZERO_ff_ba(); +static KRML_MUSTINLINE void libcrux_ml_dsa_polynomial_subtract_ff_5b( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *self, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *rhs) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)32U, difference.simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + (size_t)32U, self->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); i++) { size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_subtract_36(&self->simd_units[i0], - &rhs->simd_units[i0]); - difference.simd_units[i0] = uu____0; + libcrux_ml_dsa_simd_portable_subtract_e9(&self->simd_units[i0], + &rhs->simd_units[i0]); } - return difference; } /** A monomorphic instance of libcrux_ml_dsa.matrix.subtract_vectors -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- DIMENSION= 6 + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_subtract_vectors_07( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *lhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_subtract_vectors_5b( + size_t dimension, Eurydice_slice lhs, Eurydice_slice rhs) { + for (size_t i = (size_t)0U; i < dimension; i++) { size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - libcrux_ml_dsa_polynomial_subtract_ff_ba(&lhs[i0], &rhs[i0]); - result[i0] = uu____0; + libcrux_ml_dsa_polynomial_subtract_ff_5b( + &Eurydice_slice_index( + lhs, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *), + &Eurydice_slice_index( + rhs, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); } /** @@ -4759,134 +6490,65 @@ TraitClause@1]} */ /** A monomorphic instance of libcrux_ml_dsa.polynomial.infinity_norm_exceeds_ff -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics */ -static inline bool libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ba( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *self, int32_t bound) { - bool exceeds = false; +static KRML_MUSTINLINE bool +libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_5b( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *self, int32_t bound) { + bool result = false; for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)32U, self->simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); i++) { size_t i0 = i; bool uu____0; - if (exceeds) { + if (result) { uu____0 = true; } else { - uu____0 = libcrux_ml_dsa_simd_portable_infinity_norm_exceeds_36( - self->simd_units[i0], bound); + uu____0 = libcrux_ml_dsa_simd_portable_infinity_norm_exceeds_e9( + &self->simd_units[i0], bound); } - exceeds = uu____0; + result = uu____0; } - return exceeds; + return result; } /** A monomorphic instance of libcrux_ml_dsa.arithmetic.vector_infinity_norm_exceeds -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- DIMENSION= 5 -*/ -static KRML_MUSTINLINE bool -libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_4f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector[5U], - int32_t bound) { - bool exceeds = false; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - i++) { - size_t _cloop_j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = - &vector[_cloop_j]; - bool uu____0; - if (exceeds) { - uu____0 = true; - } else { - uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ba( - ring_element, bound); - } - exceeds = uu____0; - } - return exceeds; -} -/** -A monomorphic instance of libcrux_ml_dsa.arithmetic.vector_infinity_norm_exceeds -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- DIMENSION= 6 */ static KRML_MUSTINLINE bool -libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_07( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector[6U], - int32_t bound) { - bool exceeds = false; +libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_5b(Eurydice_slice vector, + int32_t bound) { + bool result = false; for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, vector, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + vector, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); i++) { size_t _cloop_j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = - &vector[_cloop_j]; - bool uu____0; - if (exceeds) { - uu____0 = true; - } else { - uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ba( - ring_element, bound); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *ring_element = + &Eurydice_slice_index( + vector, _cloop_j, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *); + if (!result) { + if (libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_5b(ring_element, + bound)) { + result = true; + continue; + } } - exceeds = uu____0; - } - return exceeds; -} - -/** -A monomorphic instance of libcrux_ml_dsa.matrix.add_vectors -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- DIMENSION= 6 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_07( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *lhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - libcrux_ml_dsa_polynomial_add_ff_ba(&lhs[i0], &rhs[i0]); - result[i0] = uu____0; } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + return result; } -/** -A monomorphic instance of K. -with types size_t, libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit - -*/ -typedef struct tuple_ca_s { - size_t fst; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit snd; -} tuple_ca; - /** A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.compute_one_hint with const generics @@ -4914,209 +6576,289 @@ A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.compute_hint with const generics - GAMMA2= 261888 */ -static KRML_MUSTINLINE tuple_ca +static KRML_MUSTINLINE size_t libcrux_ml_dsa_simd_portable_arithmetic_compute_hint_80( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit low, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit high) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit hint = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *low, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *high, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *hint) { size_t one_hints_count = (size_t)0U; for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)8U, hint.coefficients, int32_t), - int32_t); + i < + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, hint->values, int32_t), int32_t); i++) { size_t i0 = i; - hint.coefficients[i0] = + hint->values[i0] = libcrux_ml_dsa_simd_portable_arithmetic_compute_one_hint_80( - low.coefficients[i0], high.coefficients[i0]); - one_hints_count = one_hints_count + (size_t)hint.coefficients[i0]; + low->values[i0], high->values[i0]); + one_hints_count = one_hints_count + (size_t)hint->values[i0]; } - return (CLITERAL(tuple_ca){.fst = one_hints_count, .snd = hint}); + return one_hints_count; } /** This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} */ -static inline size_t -libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_36( - Eurydice_slice randomness, Eurydice_slice out) { - return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4( - randomness, out); +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.compute_hint_e9 +with const generics +- GAMMA2= 261888 +*/ +static inline size_t libcrux_ml_dsa_simd_portable_compute_hint_e9_80( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *low, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *high, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *hint) { + return libcrux_ml_dsa_simd_portable_arithmetic_compute_hint_80(low, high, + hint); } /** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.gamma1_serialize_36 +A monomorphic instance of libcrux_ml_dsa.polynomial.to_i32_array_ff +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- GAMMA1_EXPONENT= 19 + */ -static inline void libcrux_ml_dsa_simd_portable_gamma1_serialize_36_36( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - Eurydice_slice serialized) { - libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_36(simd_unit, - serialized); +static inline void libcrux_ml_dsa_polynomial_to_i32_array_ff_5b( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *self, + int32_t ret[256U]) { + int32_t result[256U] = {0U}; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, self->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit = + &self->simd_units[i0]; + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *uu____0 = simd_unit; + libcrux_ml_dsa_simd_portable_to_coefficient_array_e9( + uu____0, + Eurydice_array_to_subslice2( + result, i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + int32_t)); + } + memcpy(ret, result, (size_t)256U * sizeof(int32_t)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.make_hint +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics +- DIMENSION= 6 +- GAMMA2= 261888 +*/ +static KRML_MUSTINLINE size_t libcrux_ml_dsa_arithmetic_make_hint_4a( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *low, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *high, + int32_t (*hint)[256U]) { + size_t true_hints = (size_t)0U; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 hint_simd = + libcrux_ml_dsa_polynomial_zero_ff_5b(); + for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, hint_simd.simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); + i++) { + size_t j = i; + size_t one_hints_count = libcrux_ml_dsa_simd_portable_compute_hint_e9_80( + &low[i1].simd_units[j], &high[i1].simd_units[j], + &hint_simd.simd_units[j]); + true_hints = true_hints + one_hints_count; + } + int32_t uu____0[256U]; + libcrux_ml_dsa_polynomial_to_i32_array_ff_5b(&hint_simd, uu____0); + memcpy(hint[i1], uu____0, (size_t)256U * sizeof(int32_t)); + } + return true_hints; } /** A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.serialize -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- GAMMA1_EXPONENT= 19 + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_serialize_61( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, - Eurydice_slice serialized) { +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_serialize_5b( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *re, + Eurydice_slice serialized, size_t gamma1_exponent) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)32U, re.simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + (size_t)32U, re->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); i++) { size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = - &re.simd_units[i0]; - libcrux_ml_dsa_simd_portable_gamma1_serialize_36_36( - simd_unit[0U], - Eurydice_slice_subslice2(serialized, i0 * ((size_t)19U + (size_t)1U), - (i0 + (size_t)1U) * ((size_t)19U + (size_t)1U), - uint8_t)); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit = + &re->simd_units[i0]; + libcrux_ml_dsa_simd_portable_gamma1_serialize_e9( + simd_unit, + Eurydice_slice_subslice2( + serialized, i0 * (gamma1_exponent + (size_t)1U), + (i0 + (size_t)1U) * (gamma1_exponent + (size_t)1U), uint8_t), + gamma1_exponent); } } /** -This function found in impl -{libcrux_ml_dsa::encoding::signature::Signature[TraitClause@0, TraitClause@1]} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.encoding.signature.serialize_92 -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +A monomorphic instance of libcrux_ml_dsa.encoding.signature.serialize +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- COMMITMENT_HASH_SIZE= 48 -- COLUMNS_IN_A= 5 -- ROWS_IN_A= 6 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- MAX_ONES_IN_HINT= 55 -- SIGNATURE_SIZE= 3309 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signature_serialize_92_76( - libcrux_ml_dsa_encoding_signature_Signature_44 *self, uint8_t ret[3309U]) { - uint8_t signature[3309U] = {0U}; + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signature_serialize_5b( + Eurydice_slice commitment_hash, Eurydice_slice signer_response, + Eurydice_slice hint, size_t commitment_hash_size, size_t columns_in_a, + size_t rows_in_a, size_t gamma1_exponent, size_t gamma1_ring_element_size, + size_t max_ones_in_hint, Eurydice_slice signature) { size_t offset = (size_t)0U; - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - signature, offset, offset + (size_t)48U, uint8_t); Eurydice_slice_copy( - uu____0, - Eurydice_array_to_slice((size_t)48U, self->commitment_hash, uint8_t), - uint8_t); - offset = offset + (size_t)48U; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + Eurydice_slice_subslice2(signature, offset, offset + commitment_hash_size, + uint8_t), + commitment_hash, uint8_t); + offset = offset + commitment_hash_size; + for (size_t i = (size_t)0U; i < columns_in_a; i++) { size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = - self->signer_response[i0]; - libcrux_ml_dsa_encoding_gamma1_serialize_61( - uu____1, Eurydice_array_to_subslice2(signature, offset, - offset + (size_t)640U, uint8_t)); - offset = offset + (size_t)640U; + libcrux_ml_dsa_encoding_gamma1_serialize_5b( + &Eurydice_slice_index( + signer_response, i0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *), + Eurydice_slice_subslice2(signature, offset, + offset + gamma1_ring_element_size, uint8_t), + gamma1_exponent); + offset = offset + gamma1_ring_element_size; } size_t true_hints_seen = (size_t)0U; - for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + for (size_t i0 = (size_t)0U; i0 < rows_in_a; i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice((size_t)256U, self->hint[i1], int32_t), - int32_t); + i < + Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)256U, + Eurydice_slice_index(hint, i1, int32_t[256U], + int32_t(*)[256U]), + int32_t), + int32_t); i++) { size_t j = i; - if (self->hint[i1][j] == (int32_t)1) { - signature[offset + true_hints_seen] = (uint8_t)j; + if (Eurydice_slice_index(hint, i1, int32_t[256U], int32_t(*)[256U])[j] == + (int32_t)1) { + Eurydice_slice_index(signature, offset + true_hints_seen, uint8_t, + uint8_t *) = (uint8_t)j; true_hints_seen++; } } - signature[offset + (size_t)55U + i1] = (uint8_t)true_hints_seen; + Eurydice_slice_index(signature, offset + max_ones_in_hint + i1, uint8_t, + uint8_t *) = (uint8_t)true_hints_seen; } - memcpy(ret, signature, (size_t)3309U * sizeof(uint8_t)); } /** - The internal signing API. - - If no `domain_separation_context` is supplied, it is assumed that - `message` already contains the domain separation. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_internal -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign_internal +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients, libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 -*/ -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( - uint8_t *signing_key, Eurydice_slice message, + +*/ +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_5a( + Eurydice_slice signing_key, Eurydice_slice message, Option_84 domain_separation_context, uint8_t randomness[32U]) { - tuple_f0 uu____0 = - libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_c6(signing_key); - uint8_t seed_for_a[32U]; - memcpy(seed_for_a, uu____0.fst, (size_t)32U * sizeof(uint8_t)); - uint8_t seed_for_signing[32U]; - memcpy(seed_for_signing, uu____0.snd, (size_t)32U * sizeof(uint8_t)); - uint8_t verification_key_hash[64U]; - memcpy(verification_key_hash, uu____0.thd, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1_as_ntt[5U]; - memcpy( - s1_as_ntt, uu____0.f3, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2_as_ntt[6U]; - memcpy( - s2_as_ntt, uu____0.f4, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0_as_ntt[6U]; - memcpy( - t0_as_ntt, uu____0.f5, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b matrix[6U][5U]; + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + signing_key, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_a = uu____0.fst; + Eurydice_slice remaining_serialized0 = uu____0.snd; + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + remaining_serialized0, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_signing = uu____1.fst; + Eurydice_slice remaining_serialized1 = uu____1.snd; + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( + remaining_serialized1, + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice verification_key_hash = uu____2.fst; + Eurydice_slice remaining_serialized2 = uu____2.snd; + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at( + remaining_serialized2, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ERROR_RING_ELEMENT_SIZE * + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice s1_serialized = uu____3.fst; + Eurydice_slice remaining_serialized = uu____3.snd; + Eurydice_slice_uint8_t_x2 uu____4 = Eurydice_slice_split_at( + remaining_serialized, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ERROR_RING_ELEMENT_SIZE * + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice s2_serialized = uu____4.fst; + Eurydice_slice t0_serialized = uu____4.snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 s1_as_ntt[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + s1_as_ntt[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 s2_as_ntt[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + s2_as_ntt[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 t0_as_ntt[6U]; for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - matrix[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - matrix[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - matrix[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - matrix[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - matrix[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - libcrux_ml_dsa_samplex4_portable_matrix_36_2f( - Eurydice_array_to_slice((size_t)32U, seed_for_a, uint8_t), matrix); + t0_as_ntt[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ETA, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ERROR_RING_ELEMENT_SIZE, + s1_serialized, + Eurydice_array_to_slice( + (size_t)5U, s1_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ETA, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ERROR_RING_ELEMENT_SIZE, + s2_serialized, + Eurydice_array_to_slice( + (size_t)6U, s2_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_5b( + t0_serialized, Eurydice_array_to_slice( + (size_t)6U, t0_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 matrix[30U]; + for (size_t i = (size_t)0U; i < (size_t)30U; i++) { + matrix[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_samplex4_portable_matrix_flat_36_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, seed_for_a, + Eurydice_array_to_slice( + (size_t)30U, matrix, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); uint8_t message_representative[64U] = {0U}; - uint8_t uu____1[64U]; - memcpy(uu____1, verification_key_hash, (size_t)64U * sizeof(uint8_t)); libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b( - uu____1, domain_separation_context, message, message_representative); + verification_key_hash, &domain_separation_context, message, + message_representative); uint8_t mask_seed[64U] = {0U}; libcrux_sha3_portable_incremental_Shake256Xof shake0 = libcrux_ml_dsa_hash_functions_portable_init_83(); - libcrux_ml_dsa_hash_functions_portable_absorb_83( - &shake0, Eurydice_array_to_slice((size_t)32U, seed_for_signing, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_absorb_83(&shake0, seed_for_signing); libcrux_ml_dsa_hash_functions_portable_absorb_83( &shake0, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t)); libcrux_ml_dsa_hash_functions_portable_absorb_final_83( @@ -5125,46 +6867,80 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( libcrux_ml_dsa_hash_functions_portable_squeeze_83( &shake0, Eurydice_array_to_slice((size_t)64U, mask_seed, uint8_t)); uint16_t domain_separator_for_mask = 0U; - int32_t BETA = (int32_t)((size_t)49U * (size_t)4U); size_t attempt = (size_t)0U; Option_67 commitment_hash0 = {.tag = None}; - Option_f3 signer_response0 = {.tag = None}; + Option_a5 signer_response0 = {.tag = None}; Option_f0 hint0 = {.tag = None}; while (attempt < LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN) { attempt++; - uint8_t uu____2[66U]; - libcrux_ml_dsa_utils_into_padded_array_20( - Eurydice_array_to_slice((size_t)64U, mask_seed, uint8_t), uu____2); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b mask[5U]; - libcrux_ml_dsa_sample_sample_mask_vector_0e( - uu____2, &domain_separator_for_mask, mask); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A_times_mask[6U]; - libcrux_ml_dsa_matrix_compute_A_times_mask_2f(A_as_ntt, mask, A_times_mask); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_A_times_mask[6U]; - memcpy(copy_of_A_times_mask, A_times_mask, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 - uu____4 = - libcrux_ml_dsa_arithmetic_decompose_vector_2f(copy_of_A_times_mask); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b w0[6U]; - memcpy(w0, uu____4.fst, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b commitment[6U]; - memcpy(commitment, uu____4.snd, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 mask[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + mask[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 w0[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + w0[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 commitment[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + commitment[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_sample_sample_mask_vector_67( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA1_EXPONENT, mask_seed, + &domain_separator_for_mask, + Eurydice_array_to_slice( + (size_t)5U, mask, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 a_x_mask[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + a_x_mask[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 mask_ntt[5U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)5U, mask, mask_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, void *); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, mask_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); + i++) { + size_t i0 = i; + libcrux_ml_dsa_ntt_ntt_5b(&mask_ntt[i0]); + } + libcrux_ml_dsa_matrix_compute_matrix_x_mask_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + Eurydice_array_to_slice( + (size_t)30U, matrix, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)5U, mask_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)6U, a_x_mask, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + libcrux_ml_dsa_arithmetic_decompose_vector_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA2, + Eurydice_array_to_slice( + (size_t)6U, a_x_mask, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)6U, w0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)6U, commitment, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); uint8_t commitment_hash_candidate[48U] = {0U}; - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_commitment0[6U]; - memcpy(copy_of_commitment0, commitment, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - uint8_t commitment_serialized[768U]; - libcrux_ml_dsa_encoding_commitment_serialize_vector_5d( - copy_of_commitment0, commitment_serialized); + uint8_t commitment_serialized[768U] = {0U}; + libcrux_ml_dsa_encoding_commitment_serialize_vector_5b( + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_COMMITMENT_RING_ELEMENT_SIZE, + Eurydice_array_to_slice( + (size_t)6U, commitment, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice((size_t)768U, commitment_serialized, uint8_t)); libcrux_sha3_portable_incremental_Shake256Xof shake = libcrux_ml_dsa_hash_functions_portable_init_83(); libcrux_ml_dsa_hash_functions_portable_absorb_83( @@ -5176,107 +6952,110 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( libcrux_ml_dsa_hash_functions_portable_squeeze_83( &shake, Eurydice_array_to_slice((size_t)48U, commitment_hash_candidate, uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_commitment_hash_candidate[48U]; - memcpy(copy_of_commitment_hash_candidate, commitment_hash_candidate, - (size_t)48U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ba( - libcrux_ml_dsa_sample_sample_challenge_ring_element_83( - copy_of_commitment_hash_candidate)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b challenge_times_s1[5U]; - libcrux_ml_dsa_matrix_vector_times_ring_element_4f( - s1_as_ntt, &verifier_challenge_as_ntt, challenge_times_s1); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b challenge_times_s2[6U]; - libcrux_ml_dsa_matrix_vector_times_ring_element_07( - s2_as_ntt, &verifier_challenge_as_ntt, challenge_times_s2); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - signer_response_candidate[5U]; - libcrux_ml_dsa_matrix_add_vectors_4f(mask, challenge_times_s1, - signer_response_candidate); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - w0_minus_challenge_times_s2[6U]; - libcrux_ml_dsa_matrix_subtract_vectors_07(w0, challenge_times_s2, - w0_minus_challenge_times_s2); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - copy_of_signer_response_candidate[5U]; - memcpy(copy_of_signer_response_candidate, signer_response_candidate, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_4f( - copy_of_signer_response_candidate, - ((int32_t)1 << (uint32_t)(size_t)19U) - BETA)) { - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - copy_of_w0_minus_challenge_times_s2[6U]; - memcpy(copy_of_w0_minus_challenge_times_s2, w0_minus_challenge_times_s2, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_07( - copy_of_w0_minus_challenge_times_s2, (int32_t)261888 - BETA)) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 verifier_challenge = + libcrux_ml_dsa_polynomial_zero_ff_5b(); + libcrux_ml_dsa_sample_sample_challenge_ring_element_2e( + Eurydice_array_to_slice((size_t)48U, commitment_hash_candidate, + uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ONES_IN_VERIFIER_CHALLENGE, + &verifier_challenge); + libcrux_ml_dsa_ntt_ntt_5b(&verifier_challenge); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 challenge_times_s1[5U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)5U, s1_as_ntt, challenge_times_s1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, void *); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 challenge_times_s2[6U]; + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)6U, s2_as_ntt, challenge_times_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, void *); + libcrux_ml_dsa_matrix_vector_times_ring_element_5b( + Eurydice_array_to_slice( + (size_t)5U, challenge_times_s1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + &verifier_challenge); + libcrux_ml_dsa_matrix_vector_times_ring_element_5b( + Eurydice_array_to_slice( + (size_t)6U, challenge_times_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + &verifier_challenge); + libcrux_ml_dsa_matrix_add_vectors_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + Eurydice_array_to_slice( + (size_t)5U, mask, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)5U, challenge_times_s1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + libcrux_ml_dsa_matrix_subtract_vectors_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + Eurydice_array_to_slice( + (size_t)6U, w0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)6U, challenge_times_s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_5b( + Eurydice_array_to_slice( + (size_t)5U, mask, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + ((int32_t)1 << (uint32_t) + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA1_EXPONENT) - + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_BETA)) { + if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_5b( + Eurydice_array_to_slice( + (size_t)6U, w0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA2 - + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_BETA)) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 challenge_times_t0[6U]; - libcrux_ml_dsa_matrix_vector_times_ring_element_07( - t0_as_ntt, &verifier_challenge_as_ntt, challenge_times_t0); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - copy_of_challenge_times_t0[6U]; - memcpy(copy_of_challenge_times_t0, challenge_times_t0, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_07( - copy_of_challenge_times_t0, (int32_t)261888)) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - w0_minus_c_times_s2_plus_c_times_t0[6U]; - libcrux_ml_dsa_matrix_add_vectors_07( - w0_minus_challenge_times_s2, challenge_times_t0, - w0_minus_c_times_s2_plus_c_times_t0); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - copy_of_w0_minus_c_times_s2_plus_c_times_t0[6U]; - memcpy( - copy_of_w0_minus_c_times_s2_plus_c_times_t0, - w0_minus_c_times_s2_plus_c_times_t0, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - copy_of_commitment[6U]; - memcpy( - copy_of_commitment, commitment, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - tuple_e6 uu____12 = libcrux_ml_dsa_arithmetic_make_hint_2f( - copy_of_w0_minus_c_times_s2_plus_c_times_t0, copy_of_commitment); - int32_t hint_candidate[6U][256U]; - memcpy(hint_candidate, uu____12.fst, - (size_t)6U * sizeof(int32_t[256U])); - size_t ones_in_hint = uu____12.snd; - if (!(ones_in_hint > (size_t)55U)) { + core_array___core__clone__Clone_for__Array_T__N___20__clone( + (size_t)6U, t0_as_ntt, challenge_times_t0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, void *); + libcrux_ml_dsa_matrix_vector_times_ring_element_5b( + Eurydice_array_to_slice( + (size_t)6U, challenge_times_t0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + &verifier_challenge); + if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_5b( + Eurydice_array_to_slice( + (size_t)6U, challenge_times_t0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA2)) { + libcrux_ml_dsa_matrix_add_vectors_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + Eurydice_array_to_slice( + (size_t)6U, w0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)6U, challenge_times_t0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + int32_t hint_candidate[6U][256U] = {{0U}}; + size_t ones_in_hint = libcrux_ml_dsa_arithmetic_make_hint_4a( + w0, commitment, hint_candidate); + if (!(ones_in_hint > + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_MAX_ONES_IN_HINT)) { attempt = LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN; /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_commitment_hash_candidate0[48U]; - memcpy(copy_of_commitment_hash_candidate0, - commitment_hash_candidate, (size_t)48U * sizeof(uint8_t)); + uint8_t copy_of_commitment_hash_candidate[48U]; + memcpy(copy_of_commitment_hash_candidate, commitment_hash_candidate, + (size_t)48U * sizeof(uint8_t)); Option_67 lit0; lit0.tag = Some; - memcpy(lit0.f0, copy_of_commitment_hash_candidate0, + memcpy(lit0.f0, copy_of_commitment_hash_candidate, (size_t)48U * sizeof(uint8_t)); commitment_hash0 = lit0; /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - copy_of_signer_response_candidate0[5U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 copy_of_mask[5U]; memcpy( - copy_of_signer_response_candidate0, signer_response_candidate, + copy_of_mask, mask, (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - Option_f3 lit1; + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + Option_a5 lit1; lit1.tag = Some; memcpy( - lit1.f0, copy_of_signer_response_candidate0, + lit1.f0, copy_of_mask, (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); signer_response0 = lit1; /* Passing arrays by value in Rust generates a copy in C */ int32_t copy_of_hint_candidate[6U][256U]; @@ -5292,9 +7071,9 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( } } } - Result_2e uu____16; + Result_2e uu____8; if (commitment_hash0.tag == None) { - uu____16 = (CLITERAL(Result_2e){ + uu____8 = (CLITERAL(Result_2e){ .tag = Err, .val = {.case_Err = libcrux_ml_dsa_types_SigningError_RejectionSamplingError}}); @@ -5305,22 +7084,22 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( uint8_t commitment_hash[48U]; memcpy(commitment_hash, commitment_hash1, (size_t)48U * sizeof(uint8_t)); if (signer_response0.tag == None) { - uu____16 = (CLITERAL(Result_2e){ + uu____8 = (CLITERAL(Result_2e){ .tag = Err, .val = { .case_Err = libcrux_ml_dsa_types_SigningError_RejectionSamplingError}}); } else { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response1[5U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 signer_response1[5U]; memcpy(signer_response1, signer_response0.f0, (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response[5U]; + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 signer_response[5U]; memcpy(signer_response, signer_response1, (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); if (hint0.tag == None) { - uu____16 = (CLITERAL(Result_2e){ + uu____8 = (CLITERAL(Result_2e){ .tag = Err, .val = { .case_Err = @@ -5330,30 +7109,20 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( memcpy(hint1, hint0.f0, (size_t)6U * sizeof(int32_t[256U])); int32_t hint[6U][256U]; memcpy(hint, hint1, (size_t)6U * sizeof(int32_t[256U])); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_commitment_hash[48U]; - memcpy(copy_of_commitment_hash, commitment_hash, - (size_t)48U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - copy_of_signer_response[5U]; - memcpy(copy_of_signer_response, signer_response, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - /* Passing arrays by value in Rust generates a copy in C */ - int32_t copy_of_hint[6U][256U]; - memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U])); - uint8_t signature[3309U]; - libcrux_ml_dsa_encoding_signature_Signature_44 lit0; - memcpy(lit0.commitment_hash, copy_of_commitment_hash, - (size_t)48U * sizeof(uint8_t)); - memcpy(lit0.signer_response, copy_of_signer_response, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - memcpy(lit0.hint, copy_of_hint, (size_t)6U * sizeof(int32_t[256U])); - /* original Rust expression is not an lvalue in C */ - libcrux_ml_dsa_encoding_signature_Signature_44 lvalue = lit0; - libcrux_ml_dsa_encoding_signature_serialize_92_76(&lvalue, signature); + uint8_t signature[3309U] = {0U}; + libcrux_ml_dsa_encoding_signature_serialize_5b( + Eurydice_array_to_slice((size_t)48U, commitment_hash, uint8_t), + Eurydice_array_to_slice( + (size_t)5U, signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice((size_t)6U, hint, int32_t[256U]), + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COMMITMENT_HASH_SIZE, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA1_EXPONENT, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_MAX_ONES_IN_HINT, + Eurydice_array_to_slice((size_t)3309U, signature, uint8_t)); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_signature[3309U]; memcpy(copy_of_signature, signature, (size_t)3309U * sizeof(uint8_t)); @@ -5364,35 +7133,24 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( } } } - return uu____16; + return uu____8; } /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients, libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 -*/ -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_3f( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { + +*/ +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_5a(Eurydice_slice signing_key, + Eurydice_slice message, + Eurydice_slice context, + uint8_t randomness[32U]) { Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( context, (CLITERAL(Option_30){.tag = None})); if (!(uu____0.tag == Ok)) { @@ -5404,49 +7162,32 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_3f( libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = dsc; - uint8_t *uu____1 = signing_key; + Eurydice_slice uu____1 = signing_key; Eurydice_slice uu____2 = message; Option_84 uu____3 = {.tag = Some, .f0 = domain_separation_context}; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_5a( uu____1, uu____2, uu____3, copy_of_randomness); } /** Sign. */ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 -*/ static inline Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_sign( uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - uint8_t *uu____0 = signing_key; + Eurydice_slice uu____0 = + Eurydice_array_to_slice((size_t)4032U, signing_key, uint8_t); Eurydice_slice uu____1 = message; Eurydice_slice uu____2 = context; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_3f(uu____0, uu____1, uu____2, - copy_of_randomness); + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_5a( + uu____0, uu____1, uu____2, copy_of_randomness); } /** @@ -5465,56 +7206,29 @@ static inline Result_2e libcrux_ml_dsa_ml_dsa_65_portable_sign( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_sign( uu____0, uu____1, uu____2, copy_of_randomness); } /** -A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake128 -with const generics -- OUTPUT_LENGTH= 256 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake128_6b( - Eurydice_slice input, uint8_t *out) { - libcrux_sha3_portable_shake128( - Eurydice_array_to_slice((size_t)256U, out, uint8_t), input); -} - -/** -This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::Xof for -libcrux_ml_dsa::hash_functions::portable::Shake128)#1} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake128_a0 -with const generics -- OUTPUT_LENGTH= 256 -*/ -static KRML_MUSTINLINE void -libcrux_ml_dsa_hash_functions_portable_shake128_a0_6b(Eurydice_slice input, - uint8_t *out) { - libcrux_ml_dsa_hash_functions_portable_shake128_6b(input, out); -} - -/** -This function found in impl {(libcrux_ml_dsa::pre_hash::PreHash<256: usize> for +This function found in impl {(libcrux_ml_dsa::pre_hash::PreHash for libcrux_ml_dsa::pre_hash::SHAKE128_PH)} */ /** -A monomorphic instance of libcrux_ml_dsa.pre_hash.hash_bd +A monomorphic instance of libcrux_ml_dsa.pre_hash.hash_3e with types libcrux_ml_dsa_hash_functions_portable_Shake128 with const generics */ -static KRML_MUSTINLINE void libcrux_ml_dsa_pre_hash_hash_bd_54( - Eurydice_slice message, uint8_t ret[256U]) { - uint8_t output[256U] = {0U}; - libcrux_ml_dsa_hash_functions_portable_shake128_a0_6b(message, output); - memcpy(ret, output, (size_t)256U * sizeof(uint8_t)); +static KRML_MUSTINLINE void libcrux_ml_dsa_pre_hash_hash_3e_cc( + Eurydice_slice message, Eurydice_slice output) { + libcrux_ml_dsa_hash_functions_portable_shake128_a0(message, output); } /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_pre_hashed -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign_pre_hashed with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients, libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128, libcrux_ml_dsa_hash_functions_portable_Shake128X4, @@ -5522,36 +7236,20 @@ libcrux_ml_dsa_hash_functions_portable_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_hash_functions_portable_Shake256X4, libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics -- PH_DIGEST_LEN= 256 -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 + */ static KRML_MUSTINLINE Result_2e -libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_da(uint8_t *signing_key, - Eurydice_slice message, - Eurydice_slice context, - uint8_t randomness[32U]) { +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_3f( + Eurydice_slice signing_key, Eurydice_slice message, Eurydice_slice context, + Eurydice_slice pre_hash_buffer, uint8_t randomness[32U]) { if (!(Eurydice_slice_len(context, uint8_t) > LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN)) { - uint8_t pre_hashed_message[256U]; - libcrux_ml_dsa_pre_hash_hash_bd_54(message, pre_hashed_message); + libcrux_ml_dsa_pre_hash_hash_3e_cc(message, pre_hash_buffer); Eurydice_slice uu____0 = context; Option_30 lit; lit.tag = Some; uint8_t ret[11U]; - libcrux_ml_dsa_pre_hash_oid_bd(ret); + libcrux_ml_dsa_pre_hash_oid_3e(ret); memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t)); Result_a8 uu____1 = libcrux_ml_dsa_pre_hash_new_45(uu____0, lit); if (!(uu____1.tag == Ok)) { @@ -5563,14 +7261,13 @@ libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_da(uint8_t *signing_key, libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____1.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = dsc; - uint8_t *uu____2 = signing_key; - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t); + Eurydice_slice uu____2 = signing_key; + Eurydice_slice uu____3 = pre_hash_buffer; Option_84 uu____4 = {.tag = Some, .f0 = domain_separation_context}; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_internal_3f( + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_5a( uu____2, uu____3, uu____4, copy_of_randomness); } return (CLITERAL(Result_2e){ @@ -5582,37 +7279,20 @@ libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_da(uint8_t *signing_key, /** Sign (pre-hashed). */ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign_pre_hashed_shake128 -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 -*/ static inline Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3( +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_sign_pre_hashed_shake128( uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - uint8_t *uu____0 = signing_key; + Eurydice_slice pre_hash_buffer, uint8_t randomness[32U]) { + Eurydice_slice uu____0 = + Eurydice_array_to_slice((size_t)4032U, signing_key, uint8_t); Eurydice_slice uu____1 = message; Eurydice_slice uu____2 = context; + Eurydice_slice uu____3 = pre_hash_buffer; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_da( - uu____0, uu____1, uu____2, copy_of_randomness); + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_3f( + uu____0, uu____1, uu____2, uu____3, copy_of_randomness); } /** @@ -5626,165 +7306,115 @@ static inline Result_2e libcrux_ml_dsa_ml_dsa_65_portable_sign_pre_hashed_shake128( libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { + uint8_t pre_hash_buffer[256U] = {0U}; uint8_t *uu____0 = libcrux_ml_dsa_types_as_ref_9b_09(signing_key); Eurydice_slice uu____1 = message; Eurydice_slice uu____2 = context; + Eurydice_slice uu____3 = + Eurydice_array_to_slice((size_t)256U, pre_hash_buffer, uint8_t); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3( - uu____0, uu____1, uu____2, copy_of_randomness); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_sign_pre_hashed_shake128( + uu____0, uu____1, uu____2, uu____3, copy_of_randomness); } -/** -A monomorphic instance of K. -with types uint8_t[32size_t], libcrux_ml_dsa_polynomial_PolynomialRingElement -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[6size_t] - -*/ -typedef struct tuple_93_s { - uint8_t fst[32U]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd[6U]; -} tuple_93; - /** A monomorphic instance of libcrux_ml_dsa.encoding.t1.deserialize -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics */ -static inline void libcrux_ml_dsa_encoding_t1_deserialize_ba( +static inline void libcrux_ml_dsa_encoding_t1_deserialize_5b( Eurydice_slice serialized, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *result) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)32U, result->simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); i++) { size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_t1_deserialize_36(Eurydice_slice_subslice2( + libcrux_ml_dsa_simd_portable_t1_deserialize_e9( + Eurydice_slice_subslice2( serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW, (i0 + (size_t)1U) * LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW, - uint8_t)); - result->simd_units[i0] = uu____0; + uint8_t), + &result->simd_units[i0]); } } /** A monomorphic instance of libcrux_ml_dsa.encoding.verification_key.deserialize -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- ROWS_IN_A= 6 -- VERIFICATION_KEY_SIZE= 1952 + */ -static KRML_MUSTINLINE tuple_93 -libcrux_ml_dsa_encoding_verification_key_deserialize_2f(uint8_t *serialized) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - t1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( - Eurydice_array_to_slice((size_t)1952U, serialized, uint8_t), - LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, - Eurydice_slice_uint8_t_x2); - Eurydice_slice seed_for_A = uu____0.fst; - Eurydice_slice serialized_remaining = uu____0.snd; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_verification_key_deserialize_5b( + size_t rows_in_a, size_t verification_key_size, Eurydice_slice serialized, + Eurydice_slice t1) { + for (size_t i = (size_t)0U; i < rows_in_a; i++) { size_t i0 = i; - libcrux_ml_dsa_encoding_t1_deserialize_ba( + libcrux_ml_dsa_encoding_t1_deserialize_5b( Eurydice_slice_subslice2( - serialized_remaining, - i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, + serialized, i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, (i0 + (size_t)1U) * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, uint8_t), - &t1[i0]); + &Eurydice_slice_index( + t1, i0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); } - uint8_t uu____1[32U]; - Result_fb dst; - Eurydice_slice_to_array2(&dst, seed_for_A, Eurydice_slice, uint8_t[32U]); - unwrap_26_b3(dst, uu____1); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U]; - memcpy( - copy_of_t1, t1, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - tuple_93 lit; - memcpy(lit.fst, uu____1, (size_t)32U * sizeof(uint8_t)); - memcpy( - lit.snd, copy_of_t1, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - return lit; } /** -A monomorphic instance of core.result.Result -with types libcrux_ml_dsa_encoding_signature_Signature -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[[$6size_t]][[$5size_t]][[$48size_t]], -libcrux_ml_dsa_types_VerificationError - -*/ -typedef struct Result_ef_s { - Result_a9_tags tag; - union { - libcrux_ml_dsa_encoding_signature_Signature_44 case_Ok; - libcrux_ml_dsa_types_VerificationError case_Err; - } val; -} Result_ef; +A monomorphic instance of libcrux_ml_dsa.encoding.signature.deserialize +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients +with const generics -/** -This function found in impl -{libcrux_ml_dsa::encoding::signature::Signature[TraitClause@0, TraitClause@1]} */ -/** -A monomorphic instance of libcrux_ml_dsa.encoding.signature.deserialize_92 -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -with const generics -- COMMITMENT_HASH_SIZE= 48 -- COLUMNS_IN_A= 5 -- ROWS_IN_A= 6 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- MAX_ONES_IN_HINT= 55 -- SIGNATURE_SIZE= 3309 -*/ -static KRML_MUSTINLINE Result_ef -libcrux_ml_dsa_encoding_signature_deserialize_92_76(uint8_t *serialized) { +static KRML_MUSTINLINE Result_41 +libcrux_ml_dsa_encoding_signature_deserialize_5b( + size_t columns_in_a, size_t rows_in_a, size_t commitment_hash_size, + size_t gamma1_exponent, size_t gamma1_ring_element_size, + size_t max_ones_in_hint, size_t signature_size, Eurydice_slice serialized, + Eurydice_slice out_commitment_hash, Eurydice_slice out_signer_response, + Eurydice_slice out_hint) { Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( - Eurydice_array_to_slice((size_t)3309U, serialized, uint8_t), (size_t)48U, - uint8_t, Eurydice_slice_uint8_t_x2); + serialized, commitment_hash_size, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice commitment_hash = uu____0.fst; Eurydice_slice rest_of_serialized = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = - Eurydice_slice_split_at(rest_of_serialized, (size_t)640U * (size_t)5U, - uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice_copy(Eurydice_slice_subslice2(out_commitment_hash, (size_t)0U, + commitment_hash_size, uint8_t), + commitment_hash, uint8_t); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + rest_of_serialized, gamma1_ring_element_size * columns_in_a, uint8_t, + Eurydice_slice_uint8_t_x2); Eurydice_slice signer_response_serialized = uu____1.fst; Eurydice_slice hint_serialized = uu____1.snd; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - signer_response[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + for (size_t i = (size_t)0U; i < columns_in_a; i++) { size_t i0 = i; - libcrux_ml_dsa_encoding_gamma1_deserialize_61( - Eurydice_slice_subslice2(signer_response_serialized, i0 * (size_t)640U, - (i0 + (size_t)1U) * (size_t)640U, uint8_t), - &signer_response[i0]); + libcrux_ml_dsa_encoding_gamma1_deserialize_5b( + gamma1_exponent, + Eurydice_slice_subslice2( + signer_response_serialized, i0 * gamma1_ring_element_size, + (i0 + (size_t)1U) * gamma1_ring_element_size, uint8_t), + &Eurydice_slice_index( + out_signer_response, i0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); } - int32_t hint[6U][256U] = {{0U}}; size_t previous_true_hints_seen = (size_t)0U; size_t i = (size_t)0U; bool malformed_hint = false; - while (i < (size_t)6U) { + while (i < rows_in_a) { if (malformed_hint) { break; } else { size_t current_true_hints_seen = (size_t)Eurydice_slice_index( - hint_serialized, (size_t)55U + i, uint8_t, uint8_t *); + hint_serialized, max_ones_in_hint + i, uint8_t, uint8_t *); size_t j; bool uu____2; bool uu____3; @@ -5801,13 +7431,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_76(uint8_t *serialized) { size_t uu____14; bool uu____15; size_t uu____16; - size_t uu____17; - uint8_t uu____18; - size_t uu____19; - bool uu____20; - size_t uu____21; + Eurydice_slice *uu____17; + size_t uu____18; + uint8_t uu____19; + size_t uu____20; + bool uu____21; + size_t uu____22; if (!(current_true_hints_seen < previous_true_hints_seen)) { - if (!(previous_true_hints_seen > (size_t)55U)) { + if (!(previous_true_hints_seen > max_ones_in_hint)) { j = previous_true_hints_seen; while (true) { uu____2 = malformed_hint; @@ -5835,11 +7466,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_76(uint8_t *serialized) { uu____15 = malformed_hint; if (!uu____15) { uu____16 = i; - uu____19 = j; - uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uu____17 = &out_hint; + uu____20 = j; + uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); - uu____17 = (size_t)uu____18; - hint[uu____16][uu____17] = (int32_t)1; + uu____18 = (size_t)uu____19; + Eurydice_slice_index(out_hint, uu____16, int32_t[256U], + int32_t(*)[256U])[uu____18] = + (int32_t)1; j++; } continue; @@ -5848,11 +7482,13 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_76(uint8_t *serialized) { uu____15 = malformed_hint; if (!uu____15) { uu____16 = i; - uu____19 = j; - uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uu____17 = &out_hint; + uu____20 = j; + uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); - uu____17 = (size_t)uu____18; - hint[uu____16][uu____17] = (int32_t)1; + uu____18 = (size_t)uu____19; + Eurydice_slice_index(out_hint, uu____16, int32_t[256U], + int32_t(*)[256U])[uu____18] = (int32_t)1; j++; } } else { @@ -5860,10 +7496,10 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_76(uint8_t *serialized) { } } } - uu____20 = malformed_hint; - if (!uu____20) { - uu____21 = current_true_hints_seen; - previous_true_hints_seen = uu____21; + uu____21 = malformed_hint; + if (!uu____21) { + uu____22 = current_true_hints_seen; + previous_true_hints_seen = uu____22; i++; } continue; @@ -5897,11 +7533,13 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_76(uint8_t *serialized) { uu____15 = malformed_hint; if (!uu____15) { uu____16 = i; - uu____19 = j; - uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uu____17 = &out_hint; + uu____20 = j; + uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); - uu____17 = (size_t)uu____18; - hint[uu____16][uu____17] = (int32_t)1; + uu____18 = (size_t)uu____19; + Eurydice_slice_index(out_hint, uu____16, int32_t[256U], + int32_t(*)[256U])[uu____18] = (int32_t)1; j++; } continue; @@ -5910,11 +7548,13 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_76(uint8_t *serialized) { uu____15 = malformed_hint; if (!uu____15) { uu____16 = i; - uu____19 = j; - uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uu____17 = &out_hint; + uu____20 = j; + uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); - uu____17 = (size_t)uu____18; - hint[uu____16][uu____17] = (int32_t)1; + uu____18 = (size_t)uu____19; + Eurydice_slice_index(out_hint, uu____16, int32_t[256U], + int32_t(*)[256U])[uu____18] = (int32_t)1; j++; } } else { @@ -5922,16 +7562,16 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_76(uint8_t *serialized) { } } } - uu____20 = malformed_hint; - if (!uu____20) { - uu____21 = current_true_hints_seen; - previous_true_hints_seen = uu____21; + uu____21 = malformed_hint; + if (!uu____21) { + uu____22 = current_true_hints_seen; + previous_true_hints_seen = uu____22; i++; } } } i = previous_true_hints_seen; - while (i < (size_t)55U) { + while (i < max_ones_in_hint) { if (malformed_hint) { break; } else { @@ -5942,35 +7582,11 @@ libcrux_ml_dsa_encoding_signature_deserialize_92_76(uint8_t *serialized) { } } if (!malformed_hint) { - uint8_t uu____22[48U]; - Result_ae dst; - Eurydice_slice_to_array2(&dst, commitment_hash, Eurydice_slice, - uint8_t[48U]); - unwrap_26_28(dst, uu____22); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - copy_of_signer_response[5U]; - memcpy(copy_of_signer_response, signer_response, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - /* Passing arrays by value in Rust generates a copy in C */ - int32_t copy_of_hint[6U][256U]; - memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U])); - Result_ef lit; - lit.tag = Ok; - memcpy(lit.val.case_Ok.commitment_hash, uu____22, - (size_t)48U * sizeof(uint8_t)); - memcpy(lit.val.case_Ok.signer_response, copy_of_signer_response, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - memcpy(lit.val.case_Ok.hint, copy_of_hint, - (size_t)6U * sizeof(int32_t[256U])); - return lit; - } - return (CLITERAL(Result_ef){ + return (CLITERAL(Result_41){.tag = Ok}); + } + return (CLITERAL(Result_41){ .tag = Err, - .val = {.case_Err = - libcrux_ml_dsa_types_VerificationError_MalformedHintError}}); + .f0 = libcrux_ml_dsa_types_VerificationError_MalformedHintError}); } /** @@ -5979,67 +7595,54 @@ libcrux_ml_dsa.simd.portable.arithmetic.shift_left_then_reduce with const generics - SHIFT_BY= 13 */ -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_arithmetic_shift_left_then_reduce_84( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit out = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit) { for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)8U, simd_unit.coefficients, int32_t), - int32_t); + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit->values, int32_t), + int32_t); i++) { size_t i0 = i; - out.coefficients[i0] = + simd_unit->values[i0] = libcrux_ml_dsa_simd_portable_arithmetic_reduce_element( - simd_unit.coefficients[i0] << (uint32_t)(int32_t)13); + simd_unit->values[i0] << (uint32_t)(int32_t)13); } - return out; } /** This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} */ /** -A monomorphic instance of libcrux_ml_dsa.simd.portable.shift_left_then_reduce_36 +A monomorphic instance of libcrux_ml_dsa.simd.portable.shift_left_then_reduce_e9 with const generics - SHIFT_BY= 13 */ -static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_shift_left_then_reduce_36_84( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { - return libcrux_ml_dsa_simd_portable_arithmetic_shift_left_then_reduce_84( - simd_unit); +static inline void libcrux_ml_dsa_simd_portable_shift_left_then_reduce_e9_84( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit) { + libcrux_ml_dsa_simd_portable_arithmetic_shift_left_then_reduce_84(simd_unit); } /** A monomorphic instance of libcrux_ml_dsa.arithmetic.shift_left_then_reduce -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics - SHIFT_BY= 13 */ -static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b -libcrux_ml_dsa_arithmetic_shift_left_then_reduce_b9( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b out = - libcrux_ml_dsa_polynomial_ZERO_ff_ba(); +static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_shift_left_then_reduce_68( + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)32U, re.simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + (size_t)32U, re->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); i++) { size_t i0 = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = - &re.simd_units[i0]; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_shift_left_then_reduce_36_84( - simd_unit[0U]); - out.simd_units[i0] = uu____0; + libcrux_ml_dsa_simd_portable_shift_left_then_reduce_e9_84( + &re->simd_units[i0]); } - return out; } /** @@ -6047,290 +7650,237 @@ libcrux_ml_dsa_arithmetic_shift_left_then_reduce_b9( */ /** A monomorphic instance of libcrux_ml_dsa.matrix.compute_w_approx -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -*/ -static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_w_approx_2f( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*A_as_ntt)[5U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response[5U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - verifier_challenge_as_ntt, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, signer_response, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - i++) { - size_t i0 = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = - libcrux_ml_dsa_ntt_ntt_ba(signer_response[i0]); - signer_response[i0] = uu____0; - } - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)6U, A_as_ntt, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]); - i0++) { + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_w_approx_5b( + size_t rows_in_a, size_t columns_in_a, Eurydice_slice matrix, + Eurydice_slice signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 + *verifier_challenge_as_ntt, + Eurydice_slice t1) { + for (size_t i0 = (size_t)0U; i0 < rows_in_a; i0++) { size_t i1 = i0; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *row = A_as_ntt[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)5U, row, - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); - i++) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 inner_result = + libcrux_ml_dsa_polynomial_zero_ff_5b(); + for (size_t i = (size_t)0U; i < columns_in_a; i++) { size_t j = i; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = - &row[j]; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b product = - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(ring_element, - &signer_response[j]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = - libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &product); - result[i1] = uu____1; - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1_shifted = - libcrux_ml_dsa_arithmetic_shift_left_then_reduce_b9(t1[i1]); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1_shifted0 = - libcrux_ml_dsa_ntt_ntt_ba(t1_shifted); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - challenge_times_t1_shifted = - libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba( - &verifier_challenge_as_ntt, &t1_shifted0); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = - libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba( - libcrux_ml_dsa_polynomial_subtract_ff_ba( - &result[i1], &challenge_times_t1_shifted)); - result[i1] = uu____2; - } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.use_one_hint -with const generics -- GAMMA2= 261888 -*/ -static KRML_MUSTINLINE int32_t -libcrux_ml_dsa_simd_portable_arithmetic_use_one_hint_80(int32_t r, - int32_t hint) { - int32_t_x2 uu____0 = - libcrux_ml_dsa_simd_portable_arithmetic_decompose_element_80(r); - int32_t r0 = uu____0.fst; - int32_t r1 = uu____0.snd; - int32_t uu____1; - if (!(hint == (int32_t)0)) { - if (r0 > (int32_t)0) { - uu____1 = (r1 + hint) & (int32_t)15; - } else { - uu____1 = (r1 - hint) & (int32_t)15; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 product = + Eurydice_slice_index( + matrix, i1 * columns_in_a + j, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *); + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_5b( + &product, &Eurydice_slice_index( + signer_response, j, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_polynomial_add_ff_5b(&inner_result, &product); } - return uu____1; - } - return r1; -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.use_hint -with const generics -- GAMMA2= 261888 -*/ -static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit -libcrux_ml_dsa_simd_portable_arithmetic_use_hint_80( - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit hint) { - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit result = - libcrux_ml_dsa_simd_portable_vector_type_ZERO(); - for (size_t i = (size_t)0U; - i < Eurydice_slice_len(Eurydice_array_to_slice( - (size_t)8U, result.coefficients, int32_t), - int32_t); - i++) { - size_t i0 = i; - int32_t uu____0 = libcrux_ml_dsa_simd_portable_arithmetic_use_one_hint_80( - simd_unit.coefficients[i0], hint.coefficients[i0]); - result.coefficients[i0] = uu____0; + libcrux_ml_dsa_arithmetic_shift_left_then_reduce_68(&Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_ntt_ntt_5b(&Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_5b( + &Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *), + verifier_challenge_as_ntt); + libcrux_ml_dsa_polynomial_subtract_ff_5b( + &inner_result, + &Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); + Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) = inner_result; + libcrux_ml_dsa_ntt_invert_ntt_montgomery_5b(&Eurydice_slice_index( + t1, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); } - return result; -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline void libcrux_ml_dsa_simd_portable_t0_deserialize_36( - Eurydice_slice serialized, int32_t *out) { - libcrux_ml_dsa_simd_portable_encoding_t0_deserialize(serialized, out); } /** A monomorphic instance of libcrux_ml_dsa.arithmetic.use_hint -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- DIMENSION= 6 -- GAMMA2= 261888 + */ -static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_use_hint_2f( - int32_t hint[6U][256U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re_vector[6U], - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { +static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_use_hint_5b( + int32_t gamma2, Eurydice_slice hint, Eurydice_slice re_vector) { + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + re_vector, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); + i0++) { size_t i1 = i0; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b hint_simd = - libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( - Eurydice_array_to_slice((size_t)256U, hint[i1], int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 tmp = + libcrux_ml_dsa_polynomial_zero_ff_5b(); + libcrux_ml_dsa_polynomial_from_i32_array_ff_5b( + Eurydice_array_to_slice( + (size_t)256U, + Eurydice_slice_index(hint, i1, int32_t[256U], int32_t(*)[256U]), + int32_t), + &tmp); for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( - (size_t)32U, result->simd_units, - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + (size_t)32U, + Eurydice_slice_index( + re_vector, (size_t)0U, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) + .simd_units, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients), + libcrux_ml_dsa_simd_portable_vector_type_Coefficients); i++) { size_t j = i; - libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = - libcrux_ml_dsa_simd_portable_use_hint_36_80( - re_vector[i1].simd_units[j], hint_simd.simd_units[j]); - result[i1].simd_units[j] = uu____0; + libcrux_ml_dsa_simd_portable_use_hint_e9( + gamma2, + &Eurydice_slice_index( + re_vector, i1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) + .simd_units[j], + &tmp.simd_units[j]); } + Eurydice_slice_index( + re_vector, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) = tmp; } - memcpy( - ret, result, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); } /** - The internal verification API. - - If no `domain_separation_context` is supplied, it is assumed that - `message` already contains the domain separation. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_internal -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.verify_internal with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients, libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 + */ static KRML_MUSTINLINE Result_41 -libcrux_ml_dsa_ml_dsa_generic_verify_internal_51( - uint8_t *verification_key_serialized, Eurydice_slice message, +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_internal_5a( + uint8_t *verification_key, Eurydice_slice message, Option_84 domain_separation_context, uint8_t *signature_serialized) { - tuple_93 uu____0 = libcrux_ml_dsa_encoding_verification_key_deserialize_2f( - verification_key_serialized); - uint8_t seed_for_a[32U]; - memcpy(seed_for_a, uu____0.fst, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U]; - memcpy( - t1, uu____0.snd, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - Result_ef uu____1 = - libcrux_ml_dsa_encoding_signature_deserialize_92_76(signature_serialized); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)1952U, verification_key, uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_a = uu____0.fst; + Eurydice_slice t1_serialized = uu____0.snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 t1[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t1[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + libcrux_ml_dsa_encoding_verification_key_deserialize_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_VERIFICATION_KEY_SIZE, + t1_serialized, + Eurydice_array_to_slice( + (size_t)6U, t1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + uint8_t deserialized_commitment_hash[48U] = {0U}; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 + deserialized_signer_response[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + deserialized_signer_response[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); + } + int32_t deserialized_hint[6U][256U] = {{0U}}; + Result_41 uu____1 = libcrux_ml_dsa_encoding_signature_deserialize_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COMMITMENT_HASH_SIZE, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA1_EXPONENT, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_MAX_ONES_IN_HINT, + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_SIGNATURE_SIZE, + Eurydice_array_to_slice((size_t)3309U, signature_serialized, uint8_t), + Eurydice_array_to_slice((size_t)48U, deserialized_commitment_hash, + uint8_t), + Eurydice_array_to_slice( + (size_t)5U, deserialized_signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice((size_t)6U, deserialized_hint, int32_t[256U])); Result_41 uu____2; if (uu____1.tag == Ok) { - libcrux_ml_dsa_encoding_signature_Signature_44 s = uu____1.val.case_Ok; - libcrux_ml_dsa_encoding_signature_Signature_44 signature = s; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____3[5U]; - memcpy(uu____3, signature.signer_response, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - if (libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_4f( - uu____3, ((int32_t)2 << (uint32_t)(size_t)19U) - (int32_t)196)) { + if (libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_5b( + Eurydice_array_to_slice( + (size_t)5U, deserialized_signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + ((int32_t)2 << (uint32_t) + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA1_EXPONENT) - + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_BETA)) { uu____2 = (CLITERAL(Result_41){ .tag = Err, .f0 = libcrux_ml_dsa_types_VerificationError_SignerResponseExceedsBoundError}); } else { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b matrix[6U][5U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - matrix[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - matrix[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - matrix[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - matrix[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - matrix[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 matrix[30U]; + for (size_t i = (size_t)0U; i < (size_t)30U; i++) { + matrix[i] = libcrux_ml_dsa_polynomial_zero_ff_5b(); } - libcrux_ml_dsa_samplex4_portable_matrix_36_2f( - Eurydice_array_to_slice((size_t)32U, seed_for_a, uint8_t), matrix); + libcrux_ml_dsa_samplex4_portable_matrix_flat_36_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, seed_for_a, + Eurydice_array_to_slice( + (size_t)30U, matrix, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); uint8_t verification_key_hash[64U] = {0U}; libcrux_ml_dsa_hash_functions_portable_shake256_5c_24( - Eurydice_array_to_slice((size_t)1952U, verification_key_serialized, - uint8_t), + Eurydice_array_to_slice((size_t)1952U, verification_key, uint8_t), verification_key_hash); uint8_t message_representative[64U] = {0U}; - uint8_t uu____4[64U]; - memcpy(uu____4, verification_key_hash, (size_t)64U * sizeof(uint8_t)); libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b( - uu____4, domain_separation_context, message, message_representative); - uint8_t uu____5[48U]; - memcpy(uu____5, signature.commitment_hash, (size_t)48U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b - verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ba( - libcrux_ml_dsa_sample_sample_challenge_ring_element_83(uu____5)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b(*uu____6)[5U] = matrix; - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____7[5U]; - memcpy(uu____7, signature.signer_response, - (size_t)5U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____8 = - verifier_challenge_as_ntt; - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U]; - memcpy(copy_of_t1, t1, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b w_approx[6U]; - libcrux_ml_dsa_matrix_compute_w_approx_2f(uu____6, uu____7, uu____8, - copy_of_t1, w_approx); - uint8_t commitment_hash[48U] = {0U}; - int32_t uu____10[6U][256U]; - memcpy(uu____10, signature.hint, (size_t)6U * sizeof(int32_t[256U])); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_w_approx[6U]; - memcpy(copy_of_w_approx, w_approx, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b commitment[6U]; - libcrux_ml_dsa_arithmetic_use_hint_2f(uu____10, copy_of_w_approx, - commitment); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_commitment[6U]; - memcpy(copy_of_commitment, commitment, - (size_t)6U * - sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - uint8_t commitment_serialized[768U]; - libcrux_ml_dsa_encoding_commitment_serialize_vector_5d( - copy_of_commitment, commitment_serialized); + Eurydice_array_to_slice((size_t)64U, verification_key_hash, uint8_t), + &domain_separation_context, message, message_representative); + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 verifier_challenge = + libcrux_ml_dsa_polynomial_zero_ff_5b(); + libcrux_ml_dsa_sample_sample_challenge_ring_element_2e( + Eurydice_array_to_slice((size_t)48U, deserialized_commitment_hash, + uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ONES_IN_VERIFIER_CHALLENGE, + &verifier_challenge); + libcrux_ml_dsa_ntt_ntt_5b(&verifier_challenge); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, deserialized_signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); + i++) { + size_t i0 = i; + libcrux_ml_dsa_ntt_ntt_5b(&deserialized_signer_response[i0]); + } + libcrux_ml_dsa_matrix_compute_w_approx_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A, + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A, + Eurydice_array_to_slice( + (size_t)30U, matrix, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)5U, deserialized_signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + &verifier_challenge, + Eurydice_array_to_slice( + (size_t)6U, t1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + uint8_t recomputed_commitment_hash[48U] = {0U}; + libcrux_ml_dsa_arithmetic_use_hint_5b( + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA2, + Eurydice_array_to_slice((size_t)6U, deserialized_hint, int32_t[256U]), + Eurydice_array_to_slice( + (size_t)6U, t1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); + uint8_t commitment_serialized[768U] = {0U}; + libcrux_ml_dsa_encoding_commitment_serialize_vector_5b( + LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_COMMITMENT_RING_ELEMENT_SIZE, + Eurydice_array_to_slice( + (size_t)6U, t1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice((size_t)768U, commitment_serialized, + uint8_t)); libcrux_sha3_portable_incremental_Shake256Xof shake = libcrux_ml_dsa_hash_functions_portable_init_83(); libcrux_ml_dsa_hash_functions_portable_absorb_83( @@ -6340,11 +7890,11 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_51( &shake, Eurydice_array_to_slice((size_t)768U, commitment_serialized, uint8_t)); libcrux_ml_dsa_hash_functions_portable_squeeze_83( - &shake, - Eurydice_array_to_slice((size_t)48U, commitment_hash, uint8_t)); + &shake, Eurydice_array_to_slice((size_t)48U, + recomputed_commitment_hash, uint8_t)); if (core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( - (size_t)48U, signature.commitment_hash, commitment_hash, uint8_t, - uint8_t, bool)) { + (size_t)48U, deserialized_commitment_hash, + recomputed_commitment_hash, uint8_t, uint8_t, bool)) { uu____2 = (CLITERAL(Result_41){.tag = Ok}); } else { uu____2 = (CLITERAL(Result_41){ @@ -6354,34 +7904,23 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_51( } } } else { - libcrux_ml_dsa_types_VerificationError e = uu____1.val.case_Err; + libcrux_ml_dsa_types_VerificationError e = uu____1.f0; uu____2 = (CLITERAL(Result_41){.tag = Err, .f0 = e}); } return uu____2; } /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.verify +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients, libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ -static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_51( + +*/ +static KRML_MUSTINLINE Result_41 +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_5a( uint8_t *verification_key_serialized, Eurydice_slice message, Eurydice_slice context, uint8_t *signature_serialized) { Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( @@ -6395,7 +7934,7 @@ static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_51( libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = dsc; - return libcrux_ml_dsa_ml_dsa_generic_verify_internal_51( + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_internal_5a( verification_key_serialized, message, (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}), signature_serialized); @@ -6404,29 +7943,12 @@ static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_51( /** Verify. */ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.verify with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ static inline Result_41 -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01( +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_verify( uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, uint8_t *signature) { - return libcrux_ml_dsa_ml_dsa_generic_verify_51(verification_key, message, - context, signature); + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_5a( + verification_key, message, context, signature); } /** @@ -6439,47 +7961,35 @@ libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01( static inline Result_41 libcrux_ml_dsa_ml_dsa_65_portable_verify( libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, Eurydice_slice message, Eurydice_slice context, - libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { - return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01( + libcrux_ml_dsa_types_MLDSASignature_8f *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_verify( libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, libcrux_ml_dsa_types_as_ref_8f_fa(signature)); } /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_pre_hashed -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.verify_pre_hashed with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients, libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics -- PH_DIGEST_LEN= 256 -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 + */ static KRML_MUSTINLINE Result_41 -libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_3b( +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_pre_hashed_3f( uint8_t *verification_key_serialized, Eurydice_slice message, - Eurydice_slice context, uint8_t *signature_serialized) { - uint8_t pre_hashed_message[256U]; - libcrux_ml_dsa_pre_hash_hash_bd_54(message, pre_hashed_message); + Eurydice_slice context, Eurydice_slice pre_hash_buffer, + uint8_t *signature_serialized) { + libcrux_ml_dsa_pre_hash_hash_3e_cc(message, pre_hash_buffer); Eurydice_slice uu____0 = context; Option_30 lit; lit.tag = Some; uint8_t ret[11U]; - libcrux_ml_dsa_pre_hash_oid_bd(ret); + libcrux_ml_dsa_pre_hash_oid_3e(ret); memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t)); Result_a8 uu____1 = libcrux_ml_dsa_pre_hash_new_45(uu____0, lit); if (!(uu____1.tag == Ok)) { @@ -6491,9 +8001,8 @@ libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_3b( libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____1.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = dsc; - return libcrux_ml_dsa_ml_dsa_generic_verify_internal_51( - verification_key_serialized, - Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t), + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_internal_5a( + verification_key_serialized, pre_hash_buffer, (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}), signature_serialized); } @@ -6501,30 +8010,12 @@ libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_3b( /** Verify (pre-hashed with SHAKE-128). */ -/** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.verify_pre_hashed_shake128 -with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ static inline Result_41 -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_pre_hashed_shake128_01( +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_verify_pre_hashed_shake128( uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, - uint8_t *signature) { - return libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_3b( - verification_key, message, context, signature); + Eurydice_slice pre_hash_buffer, uint8_t *signature) { + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_verify_pre_hashed_3f( + verification_key, message, context, pre_hash_buffer, signature); } /** @@ -6538,12 +8029,39 @@ static inline Result_41 libcrux_ml_dsa_ml_dsa_65_portable_verify_pre_hashed_shake128( libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, Eurydice_slice message, Eurydice_slice context, - libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { - return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_pre_hashed_shake128_01( + libcrux_ml_dsa_types_MLDSASignature_8f *signature) { + uint8_t pre_hash_buffer[256U] = {0U}; + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_verify_pre_hashed_shake128( libcrux_ml_dsa_types_as_ref_66_97(verification_key), message, context, + Eurydice_array_to_slice((size_t)256U, pre_hash_buffer, uint8_t), libcrux_ml_dsa_types_as_ref_8f_fa(signature)); } +#define LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_COMMITMENT_VECTOR_SIZE \ + (libcrux_ml_dsa_constants_commitment_vector_size( \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_BITS_PER_COMMITMENT_COEFFICIENT, \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A)) + +typedef libcrux_ml_dsa_types_MLDSAKeyPair_06 + libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_MLDSA65KeyPair; + +typedef libcrux_ml_dsa_types_MLDSASignature_8f + libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_MLDSA65Signature; + +typedef libcrux_ml_dsa_types_MLDSASigningKey_22 + libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_MLDSA65SigningKey; + +typedef libcrux_ml_dsa_types_MLDSAVerificationKey_ea + libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_MLDSA65VerificationKey; + +#define LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ROW_COLUMN \ + (LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A + \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A) + +#define LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_ROW_X_COLUMN \ + (LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_ROWS_IN_A * \ + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_COLUMNS_IN_A) + #define LIBCRUX_ML_DSA_PRE_HASH_PRE_HASH_OID_LEN ((size_t)11U) typedef uint8_t libcrux_ml_dsa_pre_hash_PreHashOID[11U]; @@ -6569,72 +8087,11 @@ libcrux_ml_dsa_pre_hash_from_b6( return libcrux_ml_dsa_types_VerificationError_VerificationContextTooLongError; } -static KRML_MUSTINLINE void libcrux_ml_dsa_sample_add_error_domain_separator( - Eurydice_slice slice, uint16_t domain_separator, uint8_t ret[66U]) { - uint8_t out[66U] = {0U}; - uint8_t *uu____0 = out; - Eurydice_slice_copy( - Eurydice_array_to_subslice2(uu____0, (size_t)0U, - Eurydice_slice_len(slice, uint8_t), uint8_t), - slice, uint8_t); - out[64U] = (uint8_t)domain_separator; - out[65U] = (uint8_t)((uint32_t)domain_separator >> 8U); - memcpy(ret, out, (size_t)66U * sizeof(uint8_t)); -} - -/** -This function found in impl {(core::clone::Clone for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline void libcrux_ml_dsa_simd_portable_t0_serialize_36( - int32_t *simd_unit, Eurydice_slice out) { - libcrux_ml_dsa_simd_portable_encoding_t0_serialize(simd_unit, out); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline void libcrux_ml_dsa_simd_portable_t1_deserialize_36( - Eurydice_slice serialized, int32_t *out) { - libcrux_ml_dsa_simd_portable_encoding_t1_deserialize(serialized, out); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline void libcrux_ml_dsa_simd_portable_t1_serialize_36( - int32_t *simd_unit, Eurydice_slice out) { - libcrux_ml_dsa_simd_portable_encoding_t1_serialize(simd_unit, out); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline void libcrux_ml_dsa_simd_portable_to_coefficient_array_36( - int32_t *value, Eurydice_slice out) { - libcrux_ml_dsa_simd_portable_vector_type_to_coefficient_array(value, out); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} -*/ -static inline void libcrux_ml_dsa_simd_portable_zero_36(int32_t ret[8U]) { - libcrux_ml_dsa_simd_portable_vector_type_zero(ret); -} - -#define LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT \ - (LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \ - LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) - typedef int32_t libcrux_ml_dsa_simd_traits_FieldElementTimesMontgomeryR; typedef int32_t libcrux_ml_dsa_simd_portable_vector_type_FieldElement; -typedef int32_t libcrux_ml_dsa_simd_portable_vector_type_Coefficients[8U]; +typedef Result_a8 libcrux_ml_dsa_pre_hash_PreHashResult; #if defined(__cplusplus) } diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h index 9da49c8f6..e17ad3b09 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: db4e045d4597d06d854ce7a2c10e8dcfda6ecd25 - * Eurydice: 75eae2e2534a16f5ba5430e6ee5c69d8a46f3bea - * Karamel: 3823e3d82fa0b271d799b61c59ffb4742ddc1e65 + * Charon: 0de54092afb546bf53cd8261c79499f3cae2c24b + * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a + * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 834b7f51701fa4e8695a784c138ed230f49f0c4e + * Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h index 892fe9cff..e03133555 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: db4e045d4597d06d854ce7a2c10e8dcfda6ecd25 - * Eurydice: 75eae2e2534a16f5ba5430e6ee5c69d8a46f3bea - * Karamel: 3823e3d82fa0b271d799b61c59ffb4742ddc1e65 + * Charon: 0de54092afb546bf53cd8261c79499f3cae2c24b + * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a + * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 834b7f51701fa4e8695a784c138ed230f49f0c4e + * Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 */ #ifndef __libcrux_sha3_portable_H diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst index 5154e697d..17457022f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst @@ -40,8 +40,8 @@ let decompose_vector in let i:usize = i in Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient - ((low.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) + (Core.Slice.impl__len #v_SIMDUnit + ((low.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun temp_0_ temp_1_ -> @@ -63,22 +63,22 @@ let decompose_vector temp_0_ in let j:usize = j in - let tmp0, tmp1:(i1.f_Coefficient & i1.f_Coefficient) = + let tmp0, tmp1:(v_SIMDUnit & v_SIMDUnit) = Libcrux_ml_dsa.Simd.Traits.f_decompose #v_SIMDUnit #FStar.Tactics.Typeclasses.solve gamma2 ((t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: - i1.f_Coefficient) + v_SIMDUnit) ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: - i1.f_Coefficient) + v_SIMDUnit) ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: - i1.f_Coefficient) + v_SIMDUnit) in let low:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low @@ -94,7 +94,7 @@ let decompose_vector j tmp0 <: - t_Array i1.f_Coefficient (sz 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -113,7 +113,7 @@ let decompose_vector j tmp1 <: - t_Array i1.f_Coefficient (sz 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -163,8 +163,8 @@ let power2round_vector in let i:usize = i in Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient - ((t.[ i ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) + (Core.Slice.impl__len #v_SIMDUnit + ((t.[ i ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun temp_0_ temp_1_ -> @@ -184,17 +184,17 @@ let power2round_vector temp_0_ in let j:usize = j in - let tmp0, tmp1:(i1.f_Coefficient & i1.f_Coefficient) = + let tmp0, tmp1:(v_SIMDUnit & v_SIMDUnit) = Libcrux_ml_dsa.Simd.Traits.f_power2round #v_SIMDUnit #FStar.Tactics.Typeclasses.solve ((t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: - i1.f_Coefficient) + v_SIMDUnit) ((t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: - i1.f_Coefficient) + v_SIMDUnit) in let t:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t @@ -210,7 +210,7 @@ let power2round_vector j tmp0 <: - t_Array i1.f_Coefficient (sz 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -229,7 +229,7 @@ let power2round_vector j tmp1 <: - t_Array i1.f_Coefficient (sz 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -258,8 +258,8 @@ let shift_left_then_reduce = let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient - (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) + (Core.Slice.impl__len #v_SIMDUnit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun re temp_1_ -> @@ -280,11 +280,11 @@ let shift_left_then_reduce (Libcrux_ml_dsa.Simd.Traits.f_shift_left_then_reduce #v_SIMDUnit #FStar.Tactics.Typeclasses.solve v_SHIFT_BY - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) <: - i1.f_Coefficient) + v_SIMDUnit) <: - t_Array i1.f_Coefficient (sz 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -292,6 +292,89 @@ let shift_left_then_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in re +let use_hint + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (gamma2: i32) + (hint: t_Slice (t_Array i32 (sz 256))) + (re_vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + = + let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + re_vector + <: + usize) + (fun re_vector temp_1_ -> + let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + re_vector + in + let _:usize = temp_1_ in + true) + re_vector + (fun re_vector i -> + let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + re_vector + in + let i:usize = i in + let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit + (hint.[ i ] <: t_Slice i32) + tmp + in + let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + ((re_vector.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit + ) + <: + usize) + (fun tmp temp_1_ -> + let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp in + let _:usize = temp_1_ in + true) + tmp + (fun tmp j -> + let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp in + let j:usize = j in + { + tmp with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + (Libcrux_ml_dsa.Simd.Traits.f_use_hint #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + gamma2 + ((re_vector.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + (tmp.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re_vector i tmp + in + re_vector) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + re_vector + let vector_infinity_norm_exceeds (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -371,8 +454,8 @@ let make_hint let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient - (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) + (Core.Slice.impl__len #v_SIMDUnit + (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun temp_0_ temp_1_ -> @@ -393,19 +476,19 @@ let make_hint temp_0_ in let j:usize = j in - let tmp0, out:(i1.f_Coefficient & usize) = + let tmp0, out:(v_SIMDUnit & usize) = Libcrux_ml_dsa.Simd.Traits.f_compute_hint #v_SIMDUnit #FStar.Tactics.Typeclasses.solve v_GAMMA2 ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: - i1.f_Coefficient) + v_SIMDUnit) ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: - i1.f_Coefficient) - (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: i1.f_Coefficient) + v_SIMDUnit) + (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) in let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = { @@ -441,87 +524,3 @@ let make_hint in let hax_temp_output:usize = true_hints in hint, hax_temp_output <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) - -let use_hint - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (gamma2: i32) - (hint: t_Slice (t_Array i32 (sz 256))) - (re_vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - = - let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - re_vector - <: - usize) - (fun re_vector temp_1_ -> - let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - re_vector - in - let _:usize = temp_1_ in - true) - re_vector - (fun re_vector i -> - let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - re_vector - in - let i:usize = i in - let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - in - let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit - (hint.[ i ] <: t_Slice i32) - tmp - in - let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient - ((re_vector.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice i1.f_Coefficient) - <: - usize) - (fun tmp temp_1_ -> - let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp in - let _:usize = temp_1_ in - true) - tmp - (fun tmp j -> - let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp in - let j:usize = j in - { - tmp with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp - .Libcrux_ml_dsa.Polynomial.f_simd_units - j - (Libcrux_ml_dsa.Simd.Traits.f_use_hint #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - gamma2 - ((re_vector.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] - <: - i1.f_Coefficient) - (tmp.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: i1.f_Coefficient) - <: - i1.f_Coefficient) - <: - t_Array i1.f_Coefficient (sz 32) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in - let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re_vector i tmp - in - re_vector) - in - let hax_temp_output:Prims.unit = () <: Prims.unit in - re_vector diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti index b3c33c15c..dd98b1d77 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti @@ -40,6 +40,16 @@ val shift_left_then_reduce Prims.l_True (fun _ -> Prims.l_True) +val use_hint + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (gamma2: i32) + (hint: t_Slice (t_Array i32 (sz 256))) + (re_vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Prims.l_True + (fun _ -> Prims.l_True) + val vector_infinity_norm_exceeds (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} @@ -57,13 +67,3 @@ val make_hint : Prims.Pure (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) Prims.l_True (fun _ -> Prims.l_True) - -val use_hint - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (gamma2: i32) - (hint: t_Slice (t_Array i32 (sz 256))) - (re_vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst index 2cb494125..34e40aa6e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst @@ -9,9 +9,12 @@ let t_Eta_cast_to_repr (x: t_Eta) = | Eta_Four -> discriminant_Eta_Four let beta (ones_in_verifier_challenge: usize) (eta: t_Eta) = - cast (ones_in_verifier_challenge *! (cast (t_Eta_cast_to_repr eta <: isize) <: usize) <: usize) - <: - i32 + let (eta_val: usize):usize = + match eta <: t_Eta with + | Eta_Two -> sz 2 + | Eta_Four -> sz 4 + in + cast (ones_in_verifier_challenge *! eta_val <: usize) <: i32 let commitment_ring_element_size (bits_per_commitment_coefficient: usize) = (bits_per_commitment_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst index ddad1b46a..ba042cfe4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst @@ -23,7 +23,7 @@ let serialize let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: - t_Slice i1.f_Coefficient) + t_Slice v_SIMDUnit) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -31,7 +31,7 @@ let serialize serialized (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in - let i, simd_unit:(usize & i1.f_Coefficient) = temp_1_ in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst index 60f503c84..a89960040 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst @@ -26,8 +26,8 @@ let deserialize let chunk_size:usize = chunk_size eta in let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient - (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun result temp_1_ -> @@ -56,11 +56,11 @@ let deserialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (result.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) + (result.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) <: - i1.f_Coefficient) + v_SIMDUnit) <: - t_Array i1.f_Coefficient (sz 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -68,57 +68,6 @@ let deserialize let hax_temp_output:Prims.unit = () <: Prims.unit in result -let serialize - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (serialized: t_Slice u8) - = - let output_bytes_per_simd_unit:usize = chunk_size eta in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice i1.f_Coefficient) - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let i, simd_unit:(usize & i1.f_Coefficient) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; - Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - eta - simd_unit - (serialized.[ { - Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Slice u8) - in - let hax_temp_output:Prims.unit = () <: Prims.unit in - serialized - let deserialize_to_vector_then_ntt (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -170,3 +119,54 @@ let deserialize_to_vector_then_ntt in let hax_temp_output:Prims.unit = () <: Prims.unit in ring_elements + +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) + = + let output_bytes_per_simd_unit:usize = chunk_size eta in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; + Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + eta + simd_unit + (serialized.[ { + Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Slice u8) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti index 22e863781..7fec31f61 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti @@ -22,14 +22,6 @@ val deserialize Prims.l_True (fun _ -> Prims.l_True) -val serialize - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - val deserialize_to_vector_then_ntt (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} @@ -40,3 +32,11 @@ val deserialize_to_vector_then_ntt : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst index 0e53c0ee1..404fe91ba 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst @@ -20,8 +20,8 @@ let deserialize = let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient - (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun result temp_1_ -> @@ -51,12 +51,12 @@ let deserialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (result.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) + (result.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) gamma1_exponent <: - i1.f_Coefficient) + v_SIMDUnit) <: - t_Array i1.f_Coefficient (sz 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -76,7 +76,7 @@ let serialize let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: - t_Slice i1.f_Coefficient) + t_Slice v_SIMDUnit) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -84,7 +84,7 @@ let serialize serialized (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in - let i, simd_unit:(usize & i1.f_Coefficient) = temp_1_ in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = i *! (gamma1_exponent +! sz 1 <: usize) <: usize; diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst index 17638e3fb..a12bf71c5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst @@ -19,8 +19,8 @@ let deserialize = let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient - (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun result temp_1_ -> @@ -50,11 +50,11 @@ let deserialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (result.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) + (result.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) <: - i1.f_Coefficient) + v_SIMDUnit) <: - t_Array i1.f_Coefficient (sz 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -62,54 +62,6 @@ let deserialize let hax_temp_output:Prims.unit = () <: Prims.unit in result -let serialize - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (serialized: t_Slice u8) - = - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice i1.f_Coefficient) - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let i, simd_unit:(usize & i1.f_Coefficient) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - simd_unit - (serialized.[ { - Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Slice u8) - in - let hax_temp_output:Prims.unit = () <: Prims.unit in - serialized - let deserialize_to_vector_then_ntt (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -158,3 +110,51 @@ let deserialize_to_vector_then_ntt in let hax_temp_output:Prims.unit = () <: Prims.unit in ring_elements + +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + (serialized.[ { + Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Slice u8) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti index 328e22df6..3e1291df0 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti @@ -20,13 +20,6 @@ val deserialize Prims.l_True (fun _ -> Prims.l_True) -val serialize - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - val deserialize_to_vector_then_ntt (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} @@ -35,3 +28,10 @@ val deserialize_to_vector_then_ntt : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst index 4b931182e..faf046732 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst @@ -19,8 +19,8 @@ let deserialize = let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient - (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun result temp_1_ -> @@ -48,11 +48,11 @@ let deserialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (result.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) + (result.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) <: - i1.f_Coefficient) + v_SIMDUnit) <: - t_Array i1.f_Coefficient (sz 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -71,7 +71,7 @@ let serialize let serialized:t_Array u8 (sz 320) = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: - t_Slice i1.f_Coefficient) + t_Slice v_SIMDUnit) (fun serialized temp_1_ -> let serialized:t_Array u8 (sz 320) = serialized in let _:usize = temp_1_ in @@ -79,7 +79,7 @@ let serialize serialized (fun serialized temp_1_ -> let serialized:t_Array u8 (sz 320) = serialized in - let i, simd_unit:(usize & i1.f_Coefficient) = temp_1_ in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst index 85fee5525..78b15caa6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst @@ -267,38 +267,6 @@ let compute_matrix_x_mask let hax_temp_output:Prims.unit = () <: Prims.unit in result -let subtract_vectors - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (dimension: usize) - (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - = - let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - dimension - (fun lhs temp_1_ -> - let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in - let _:usize = temp_1_ in - true) - lhs - (fun lhs i -> - let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - i - (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit - (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let hax_temp_output:Prims.unit = () <: Prims.unit in - lhs - let compute_w_approx (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -400,3 +368,35 @@ let compute_w_approx in let hax_temp_output:Prims.unit = () <: Prims.unit in t1 + +let subtract_vectors + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (dimension: usize) + (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + = + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + dimension + (fun lhs temp_1_ -> + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in + let _:usize = temp_1_ in + true) + lhs + (fun lhs i -> + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + i + (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit + (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + lhs diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti index ee21e7601..69baf07d6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti @@ -48,15 +48,6 @@ val compute_matrix_x_mask Prims.l_True (fun _ -> Prims.l_True) -val subtract_vectors - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (dimension: usize) - (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - Prims.l_True - (fun _ -> Prims.l_True) - /// Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) val compute_w_approx (#v_SIMDUnit: Type0) @@ -69,3 +60,12 @@ val compute_w_approx : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) + +val subtract_vectors + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (dimension: usize) + (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst index 0e90b5905..cd101511d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst @@ -22,7 +22,7 @@ let generate_key_pair___inner (signing_key verification_key: t_Slice u8) = let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 @@ -51,7 +51,7 @@ let sign___inner (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof @@ -72,7 +72,7 @@ let sign_pre_hashed_shake128___inner let tmp0, out:(t_Slice u8 & Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 @@ -117,7 +117,7 @@ let verify___inner (message context: t_Slice u8) (signature: t_Array u8 (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 @@ -140,7 +140,7 @@ let verify_pre_hashed_shake128___inner = let tmp0, out:(t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst index 2eaef669f..21bded2ad 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst @@ -22,7 +22,7 @@ let generate_key_pair___inner (signing_key verification_key: t_Slice u8) = let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 @@ -51,7 +51,7 @@ let sign___inner (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof @@ -72,7 +72,7 @@ let sign_pre_hashed_shake128___inner let tmp0, out:(t_Slice u8 & Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 @@ -117,7 +117,7 @@ let verify___inner (message context: t_Slice u8) (signature: t_Array u8 (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 @@ -140,7 +140,7 @@ let verify_pre_hashed_shake128___inner = let tmp0, out:(t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst index b33bc079f..0673c1047 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst @@ -22,7 +22,7 @@ let generate_key_pair___inner (signing_key verification_key: t_Slice u8) = let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 @@ -51,7 +51,7 @@ let sign___inner (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof @@ -72,7 +72,7 @@ let sign_pre_hashed_shake128___inner let tmp0, out:(t_Slice u8 & Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 @@ -117,7 +117,7 @@ let verify___inner (message context: t_Slice u8) (signature: t_Array u8 (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 @@ -140,7 +140,7 @@ let verify_pre_hashed_shake128___inner = let tmp0, out:(t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst index f427c1cf1..356bb5d34 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst @@ -23,7 +23,7 @@ let generate_key_pair (verification_key: t_Array u8 (sz 1312)) = let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -43,7 +43,7 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof @@ -58,7 +58,7 @@ let sign_pre_hashed_shake128 let tmp0, out:(t_Slice u8 & Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -82,7 +82,7 @@ let verify (message context: t_Slice u8) (signature: t_Array u8 (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -99,7 +99,7 @@ let verify_pre_hashed_shake128 = let tmp0, out:(t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst index 32e1935fe..d36980422 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst @@ -23,7 +23,7 @@ let generate_key_pair (verification_key: t_Array u8 (sz 1952)) = let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -43,7 +43,7 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof @@ -58,7 +58,7 @@ let sign_pre_hashed_shake128 let tmp0, out:(t_Slice u8 & Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -82,7 +82,7 @@ let verify (message context: t_Slice u8) (signature: t_Array u8 (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -99,7 +99,7 @@ let verify_pre_hashed_shake128 = let tmp0, out:(t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst index 02aca3140..a4178c8e4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst @@ -23,7 +23,7 @@ let generate_key_pair (verification_key: t_Array u8 (sz 2592)) = let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -43,7 +43,7 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof @@ -58,7 +58,7 @@ let sign_pre_hashed_shake128 let tmp0, out:(t_Slice u8 & Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -82,7 +82,7 @@ let verify (message context: t_Slice u8) (signature: t_Array u8 (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -99,7 +99,7 @@ let verify_pre_hashed_shake128 = let tmp0, out:(t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst index f5d75d98f..2ec142025 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst @@ -22,7 +22,7 @@ let generate_key_pair (verification_key: t_Array u8 (sz 1312)) = let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -42,7 +42,7 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -58,7 +58,7 @@ let sign_pre_hashed_shake128 let tmp0, out:(t_Slice u8 & Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 @@ -83,7 +83,7 @@ let verify (message context: t_Slice u8) (signature: t_Array u8 (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -100,7 +100,7 @@ let verify_pre_hashed_shake128 = let tmp0, out:(t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst index 7350b6417..f0f0540d5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst @@ -22,7 +22,7 @@ let generate_key_pair (verification_key: t_Array u8 (sz 1952)) = let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -42,7 +42,7 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -58,7 +58,7 @@ let sign_pre_hashed_shake128 let tmp0, out:(t_Slice u8 & Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 @@ -83,7 +83,7 @@ let verify (message context: t_Slice u8) (signature: t_Array u8 (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -100,7 +100,7 @@ let verify_pre_hashed_shake128 = let tmp0, out:(t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst index e57e2445f..bff63f137 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst @@ -22,7 +22,7 @@ let generate_key_pair (verification_key: t_Array u8 (sz 2592)) = let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -42,7 +42,7 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -58,7 +58,7 @@ let sign_pre_hashed_shake128 let tmp0, out:(t_Slice u8 & Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 @@ -83,7 +83,7 @@ let verify (message context: t_Slice u8) (signature: t_Array u8 (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 @@ -100,7 +100,7 @@ let verify_pre_hashed_shake128 = let tmp0, out:(t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst index 7c4cf255d..b3f75d893 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst @@ -14,599 +14,257 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let sign_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) +let verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key message: t_Slice u8) + (verification_key: t_Array u8 (sz 1312)) + (message: t_Slice u8) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (randomness: t_Array u8 (sz 32)) + (signature_serialized: t_Array u8 (sz 2420)) = - let eta:Libcrux_ml_dsa.Constants.t_Eta = - match - cast (Libcrux_ml_dsa.Constants.t_Eta_cast_to_repr Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA - <: - isize) - <: - u8 - with - | 2uy -> Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta - | 4uy -> Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in - let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE - in - let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH - in - let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A <: usize) - in - let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 - remaining_serialized - (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A <: usize) + (verification_key <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE in - let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) in - let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + t1_serialized + t1 in - let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + let deserialized_commitment_hash:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) in - let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit - eta - v_ERROR_RING_ELEMENT_SIZE - s1_serialized - s1_as_ntt - in - let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit - eta - v_ERROR_RING_ELEMENT_SIZE - s2_serialized - s2_as_ntt - in - let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt - in - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 16) + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 4) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + (sz 4) in - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit + let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) & + t_Array (t_Array i32 (sz 256)) (sz 4) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A - seed_for_a - matrix - in - let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let message_representative:t_Array u8 (sz 64) = - Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof - verification_key_hash - domain_separation_context - message - message_representative - in - let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - seed_for_signing - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - mask_seed - in - let shake:v_Shake256Xof = tmp0 in - let mask_seed:t_Array u8 (sz 64) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let (domain_separator_for_mask: u16):u16 = 0us in - let attempt:usize = sz 0 in - let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 32)) = - Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 32)) - in - let signer_response:Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = - Core.Option.Option_None - <: - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE + (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response + deserialized_hint in - let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) = - Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) + let deserialized_commitment_hash:t_Array u8 (sz 32) = tmp0 in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + tmp1 in - let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & - Core.Option.t_Option (t_Array u8 (sz 32)) & - u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) = - Rust_primitives.f_while_loop (fun temp_0_ -> - let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & - Core.Option.t_Option (t_Array u8 (sz 32)) & - u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) = - temp_0_ - in - attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) - (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 4) = tmp2 in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with + | Core.Result.Result_Ok _ -> + let _:Prims.unit = () <: Prims.unit in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((2l < - let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & - Core.Option.t_Option (t_Array u8 (sz 32)) & - u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) = - temp_0_ - in - let attempt:usize = attempt +! sz 1 in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) - in - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) - in - let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) - in - let tmp0, tmp1:(u16 & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = - Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit - #v_Shake256 - #v_Shake256X4 - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT - mask_seed - domain_separator_for_mask - mask - in - let domain_separator_for_mask:u16 = tmp0 in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - tmp1 - in - let _:Prims.unit = () in - let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) - = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) - in - let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) - = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) - #FStar.Tactics.Typeclasses.solve - mask - in - let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) - = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (mask_ntt - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - usize) - (fun mask_ntt temp_1_ -> - let mask_ntt:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - mask_ntt - in - let _:usize = temp_1_ in - true) - mask_ntt - (fun mask_ntt i -> - let mask_ntt:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - mask_ntt - in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (mask_ntt.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) - in - let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) - = - Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A - (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - a_x_mask - in - let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = - Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2 - (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - w0 - commitment - in - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - tmp0 - in - let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) = - tmp1 - in - let _:Prims.unit = () in - let _:Prims.unit = () in - let commitment_hash_candidate:t_Array u8 (sz 32) = - Rust_primitives.Hax.repeat 0uy (sz 32) - in - let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in - let commitment_serialized:t_Array u8 (sz 768) = - Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit - v_COMMITMENT_RING_ELEMENT_SIZE - (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - commitment_serialized - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (commitment_serialized <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - commitment_hash_candidate - in - let shake:v_Shake256Xof = tmp0 in - let commitment_hash_candidate:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit - #v_Shake256 - (commitment_hash_candidate <: t_Slice u8) - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ONES_IN_VERIFIER_CHALLENGE - verifier_challenge - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge - in - let challenge_times_s1:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) - #FStar.Tactics.Typeclasses.solve - s1_as_ntt - in - let challenge_times_s2:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) - #FStar.Tactics.Typeclasses.solve - s2_as_ntt - in - let challenge_times_s1:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - challenge_times_s1 - verifier_challenge - in - let challenge_times_s2:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - challenge_times_s2 - verifier_challenge - in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A - mask - (challenge_times_s1 - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A - w0 - (challenge_times_s2 + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 16) + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + seed_for_a + matrix + in + let verification_key_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let verification_key_hash:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 64) + (verification_key <: t_Slice u8) + verification_key_hash + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof + (verification_key_hash <: t_Slice u8) + domain_separation_context + message + message_representative + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (deserialized_commitment_hash <: t_Slice u8) + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge + in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (deserialized_signer_response <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - ((1l < + let deserialized_signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) - #FStar.Tactics.Typeclasses.solve - t0_as_ntt + deserialized_signer_response in - let challenge_times_t0:t_Array + let _:usize = temp_1_ in + true) + deserialized_signer_response + (fun deserialized_signer_response i -> + let deserialized_signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - challenge_times_t0 - verifier_challenge + deserialized_signer_response in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - (challenge_times_t0 - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2 - then - attempt, commitment_hash, domain_separator_for_mask, hint, signer_response - <: - (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) - else - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) - = - Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A - w0 - (challenge_times_t0 - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 4) = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialized_signer_response.[ i ] <: - t_Array i32 (sz 256)) - (sz 4) - in - let tmp0, out:(t_Array (t_Array i32 (sz 256)) (sz 4) & usize) = - Libcrux_ml_dsa.Arithmetic.make_hint #v_SIMDUnit - (sz 4) - 95232l - w0 - commitment - hint_candidate - in - let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 4) = tmp0 in - let ones_in_hint:usize = out in - if ones_in_hint >. Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT - then - attempt, commitment_hash, domain_separator_for_mask, hint, signer_response - <: - (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) - else - let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in - let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 32)) = - Core.Option.Option_Some commitment_hash_candidate - <: - Core.Option.t_Option (t_Array u8 (sz 32)) - in - let signer_response:Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = - Core.Option.Option_Some mask - <: - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) - in - let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) = - Core.Option.Option_Some hint_candidate - <: - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) - in - attempt, commitment_hash, domain_separator_for_mask, hint, signer_response - <: - (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) - ) - in - match commitment_hash <: Core.Option.t_Option (t_Array u8 (sz 32)) with - | Core.Option.Option_Some commitment_hash -> - let commitment_hash:t_Array u8 (sz 32) = commitment_hash in - (match - signer_response - <: - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) - with - | Core.Option.Option_Some signer_response -> - let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) = - signer_response - in - (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) with - | Core.Option.Option_Some hint -> - let hint:t_Array (t_Array i32 (sz 256)) (sz 4) = hint in - let signature:t_Array u8 (sz 2420) = Rust_primitives.Hax.repeat 0uy (sz 2420) in - let signature:t_Array u8 (sz 2420) = - Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit - (commitment_hash <: t_Slice u8) - (signer_response + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (hint <: t_Slice (t_Array i32 (sz 256))) - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT signature - in - Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 2420) signature) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: - Libcrux_ml_dsa.Types.t_SigningError) + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (deserialized_signer_response <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verifier_challenge + t1 + in + let recomputed_commitment_hash:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2 + (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) + t1 + in + let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in + let commitment_serialized:t_Array u8 (sz 768) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 32)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + recomputed_commitment_hash + in + let shake:v_Shake256Xof = tmp0 in + let recomputed_commitment_hash:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + if deserialized_commitment_hash =. recomputed_commitment_hash + then + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError <: - Libcrux_ml_dsa.Types.t_SigningError) + Libcrux_ml_dsa.Types.t_VerificationError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError - ) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError -let sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) +let verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) = match Libcrux_ml_dsa.Pre_hash.impl_1__new context @@ -617,356 +275,673 @@ let sign with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key message + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + message (Core.Option.Option_Some domain_separation_context <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized | Core.Result.Result_Err _ -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError -let sign_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: - Type0) +let verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: + i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: + i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i13: + i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i14: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) - (signing_key message context pre_hash_buffer: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) = - if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN - then - pre_hash_buffer, - (Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) - else - let pre_hash_buffer:t_Slice u8 = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH - #FStar.Tactics.Typeclasses.solve - #v_Shake128 - message + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized pre_hash_buffer - in - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_Some - (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () - <: - t_Array u8 (sz 11)) - <: - Core.Option.t_Option (t_Array u8 (sz 11))) - <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError = - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key pre_hash_buffer - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - in - pre_hash_buffer, hax_temp_output - <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Result.Result_Err _ -> - pre_hash_buffer, - (Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError + (Core.Option.Option_Some domain_separation_context <: - Libcrux_ml_dsa.Types.t_SigningError) + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) + Libcrux_ml_dsa.Types.t_VerificationError) <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) -let verify_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) +let sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: + i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key: t_Array u8 (sz 1312)) - (message: t_Slice u8) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message: t_Slice u8) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (signature_serialized: t_Array u8 (sz 2420)) + (randomness: t_Array u8 (sz 32)) = - let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = + let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 - (verification_key <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A - v_VERIFICATION_KEY_SIZE - t1_serialized - t1 + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + s1_as_ntt + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + s2_as_ntt + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 16) + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + seed_for_a + matrix + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof + verification_key_hash + domain_separation_context + message + message_representative + in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_for_signing + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) in - let deserialized_commitment_hash:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) in - let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 4) = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) - (sz 4) + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + mask_seed in - let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 32) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) & - t_Array (t_Array i32 (sz 256)) (sz 4) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE - (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response - deserialized_hint + let shake:v_Shake256Xof = tmp0 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let (domain_separator_for_mask: u16):u16 = 0us in + let attempt:usize = sz 0 in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 32)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 32)) in - let deserialized_commitment_hash:t_Array u8 (sz 32) = tmp0 in - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - tmp1 + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Core.Option.Option_None + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) in - let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 4) = tmp2 in - match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with - | Core.Result.Result_Ok _ -> - let _:Prims.unit = () <: Prims.unit in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - (deserialized_signer_response - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - ((2l < + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 32)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) = + temp_0_ + in + attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) + (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response <: - Libcrux_ml_dsa.Types.t_VerificationError) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - else - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 16) - in - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A - seed_for_a - matrix - in - let verification_key_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let verification_key_hash:t_Array u8 (sz 64) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 - #FStar.Tactics.Typeclasses.solve - (sz 64) - (verification_key <: t_Slice u8) - verification_key_hash - in - let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let message_representative:t_Array u8 (sz 64) = - Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof - (verification_key_hash <: t_Slice u8) - domain_separation_context - message - message_representative - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit - #v_Shake256 - (deserialized_commitment_hash <: t_Slice u8) - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ONES_IN_VERIFIER_CHALLENGE - verifier_challenge - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge - in - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (deserialized_signer_response + (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)))) + (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 32)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) = + temp_0_ + in + let attempt:usize = attempt +! sz 1 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let tmp0, tmp1:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit + #v_Shake256 + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT + mask_seed + domain_separator_for_mask + mask + in + let domain_separator_for_mask:u16 = tmp0 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + tmp1 + in + let _:Prims.unit = () in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + #FStar.Tactics.Typeclasses.solve + mask + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (mask_ntt + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun mask_ntt temp_1_ -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + mask_ntt + in + let _:usize = temp_1_ in + true) + mask_ntt + (fun mask_ntt i -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + mask_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask_ntt.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + a_x_mask + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2 + (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + w0 + commitment + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + tmp0 + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) = + tmp1 + in + let _:Prims.unit = () in + let _:Prims.unit = () in + let commitment_hash_candidate:t_Array u8 (sz 32) = + Rust_primitives.Hax.repeat 0uy (sz 32) + in + let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in + let commitment_serialized:t_Array u8 (sz 768) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 32)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + commitment_hash_candidate + in + let shake:v_Shake256Xof = tmp0 in + let commitment_hash_candidate:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (commitment_hash_candidate <: t_Slice u8) + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + #FStar.Tactics.Typeclasses.solve + s1_as_ntt + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + #FStar.Tactics.Typeclasses.solve + s2_as_ntt + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s1 + verifier_challenge + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s2 + verifier_challenge + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + mask + (challenge_times_s1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + w0 + (challenge_times_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((1l < - let deserialized_signer_response:t_Array + (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) + else + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (w0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2 -! v_BETA <: i32) + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) + else + let challenge_times_t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - deserialized_signer_response + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + #FStar.Tactics.Typeclasses.solve + t0_as_ntt in - let _:usize = temp_1_ in - true) - deserialized_signer_response - (fun deserialized_signer_response i -> - let deserialized_signer_response:t_Array + let challenge_times_t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - deserialized_signer_response + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_t0 + verifier_challenge in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (deserialized_signer_response.[ i ] + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (challenge_times_t0 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2 + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) + else + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + w0 + (challenge_times_t0 <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 4) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) + <: + t_Array i32 (sz 256)) + (sz 4) + in + let tmp0, out:(t_Array (t_Array i32 (sz 256)) (sz 4) & usize) = + Libcrux_ml_dsa.Arithmetic.make_hint #v_SIMDUnit + (sz 4) + 95232l + w0 + commitment + hint_candidate + in + let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 4) = tmp0 in + let ones_in_hint:usize = out in + if ones_in_hint >. Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) + else + let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 32)) = + Core.Option.Option_Some commitment_hash_candidate + <: + Core.Option.t_Option (t_Array u8 (sz 32)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Core.Option.Option_Some mask + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) = + Core.Option.Option_Some hint_candidate + <: + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) + in + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) + ) + in + match commitment_hash <: Core.Option.t_Option (t_Array u8 (sz 32)) with + | Core.Option.Option_Some commitment_hash -> + let commitment_hash:t_Array u8 (sz 32) = commitment_hash in + (match + signer_response + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + with + | Core.Option.Option_Some signer_response -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) = + signer_response + in + (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) with + | Core.Option.Option_Some hint -> + let hint:t_Array (t_Array i32 (sz 256)) (sz 4) = hint in + let signature:t_Array u8 (sz 2420) = Rust_primitives.Hax.repeat 0uy (sz 2420) in + let signature:t_Array u8 (sz 2420) = + Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit + (commitment_hash <: t_Slice u8) + (signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint <: t_Slice (t_Array i32 (sz 256))) + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT signature + in + Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 2420) signature) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) - in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A - (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (deserialized_signer_response + Libcrux_ml_dsa.Types.t_SigningError) <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - verifier_challenge - t1 - in - let recomputed_commitment_hash:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2 - (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) - t1 - in - let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in - let commitment_serialized:t_Array u8 (sz 768) = - Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit - v_COMMITMENT_RING_ELEMENT_SIZE - (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - commitment_serialized - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (commitment_serialized <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - recomputed_commitment_hash - in - let shake:v_Shake256Xof = tmp0 in - let recomputed_commitment_hash:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - if deserialized_commitment_hash =. recomputed_commitment_hash - then - Core.Result.Result_Ok (() <: Prims.unit) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - else + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: - Libcrux_ml_dsa.Types.t_VerificationError) + Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - | Core.Result.Result_Err e -> - Core.Result.Result_Err e + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + ) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError -let verify - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: + i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key_serialized: t_Array u8 (sz 1312)) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 (sz 2420)) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) = match Libcrux_ml_dsa.Pre_hash.impl_1__new context @@ -977,95 +952,104 @@ let verify with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - verify_internal #v_SIMDUnit - #v_Sampler - #v_Shake128X4 - #v_Shake256 - #v_Shake256Xof - verification_key_serialized - message + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message (Core.Option.Option_Some domain_separation_context <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - signature_serialized + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness | Core.Result.Result_Err _ -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError - <: - Libcrux_ml_dsa.Types.t_VerificationError) + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError -let verify_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: + i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: + i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) - (verification_key_serialized: t_Array u8 (sz 1312)) - (message context pre_hash_buffer: t_Slice u8) - (signature_serialized: t_Array u8 (sz 2420)) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) = - let pre_hash_buffer:t_Slice u8 = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH - #FStar.Tactics.Typeclasses.solve - #v_Shake128 - message - pre_hash_buffer - in - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_Some - (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () - <: - t_Array u8 (sz 11)) - <: - Core.Option.t_Option (t_Array u8 (sz 11))) + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - verify_internal #v_SIMDUnit - #v_Sampler - #v_Shake128X4 - #v_Shake256 - #v_Shake256Xof - verification_key_serialized + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message pre_hash_buffer - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - signature_serialized in - pre_hash_buffer, hax_temp_output - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - | Core.Result.Result_Err _ -> - pre_hash_buffer, - (Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: - Libcrux_ml_dsa.Types.t_VerificationError) + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) let generate_key_pair (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti index d42b5c793..004470087 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti @@ -54,54 +54,6 @@ let v_SIGNING_KEY_SIZE: usize = let v_VERIFICATION_KEY_SIZE: usize = Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A -val sign_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key message: t_Slice u8) - (domain_separation_context: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: - Type0) - {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} - (signing_key message context pre_hash_buffer: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - /// The internal verification API. /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. @@ -152,6 +104,54 @@ val verify_pre_hashed Prims.l_True (fun _ -> Prims.l_True) +val sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + val generate_key_pair (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst index d7663ec47..0d0d24ae6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst @@ -14,599 +14,257 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let sign_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) +let verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key message: t_Slice u8) + (verification_key: t_Array u8 (sz 1952)) + (message: t_Slice u8) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (randomness: t_Array u8 (sz 32)) + (signature_serialized: t_Array u8 (sz 3309)) = - let eta:Libcrux_ml_dsa.Constants.t_Eta = - match - cast (Libcrux_ml_dsa.Constants.t_Eta_cast_to_repr Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA - <: - isize) - <: - u8 - with - | 2uy -> Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta - | 4uy -> Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in - let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE - in - let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH - in - let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A <: usize) - in - let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 - remaining_serialized - (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A <: usize) - in - let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 5) - in - let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 6) + (verification_key <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE in - let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) in - let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit - eta - v_ERROR_RING_ELEMENT_SIZE - s1_serialized - s1_as_ntt - in - let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit - eta - v_ERROR_RING_ELEMENT_SIZE - s2_serialized - s2_as_ntt - in - let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + t1_serialized + t1 in - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + let deserialized_commitment_hash:t_Array u8 (sz 48) = Rust_primitives.Hax.repeat 0uy (sz 48) in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 30) - in - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A - seed_for_a - matrix - in - let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let message_representative:t_Array u8 (sz 64) = - Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof - verification_key_hash - domain_separation_context - message - message_representative - in - let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - seed_for_signing - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - mask_seed + (sz 5) in - let shake:v_Shake256Xof = tmp0 in - let mask_seed:t_Array u8 (sz 64) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let (domain_separator_for_mask: u16):u16 = 0us in - let attempt:usize = sz 0 in - let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 48)) = - Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 48)) + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 6) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + (sz 6) in - let signer_response:Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) = - Core.Option.Option_None - <: - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 48) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) & + t_Array (t_Array i32 (sz 256)) (sz 6) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE + (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response + deserialized_hint in - let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) = - Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) + let deserialized_commitment_hash:t_Array u8 (sz 48) = tmp0 in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + tmp1 in - let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & - Core.Option.t_Option (t_Array u8 (sz 48)) & - u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) = - Rust_primitives.f_while_loop (fun temp_0_ -> - let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & - Core.Option.t_Option (t_Array u8 (sz 48)) & - u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) = - temp_0_ - in - attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) - (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 6) = tmp2 in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with + | Core.Result.Result_Ok _ -> + let _:Prims.unit = () <: Prims.unit in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((2l < - let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & - Core.Option.t_Option (t_Array u8 (sz 48)) & - u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) = - temp_0_ - in - let attempt:usize = attempt +! sz 1 in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 5) - in - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 6) - in - let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 6) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 6) - in - let tmp0, tmp1:(u16 & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) = - Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit - #v_Shake256 - #v_Shake256X4 - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT - mask_seed - domain_separator_for_mask - mask - in - let domain_separator_for_mask:u16 = tmp0 in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - tmp1 - in - let _:Prims.unit = () in - let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) - = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 6) - in - let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) - = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) - #FStar.Tactics.Typeclasses.solve - mask - in - let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) - = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (mask_ntt - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - usize) - (fun mask_ntt temp_1_ -> - let mask_ntt:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - mask_ntt - in - let _:usize = temp_1_ in - true) - mask_ntt - (fun mask_ntt i -> - let mask_ntt:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - mask_ntt - in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (mask_ntt.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) - in - let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) - = - Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A - (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - a_x_mask - in - let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 6) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) = - Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2 - (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - w0 - commitment - in - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - tmp0 - in - let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 6) = - tmp1 - in - let _:Prims.unit = () in - let _:Prims.unit = () in - let commitment_hash_candidate:t_Array u8 (sz 48) = - Rust_primitives.Hax.repeat 0uy (sz 48) - in - let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in - let commitment_serialized:t_Array u8 (sz 768) = - Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit - v_COMMITMENT_RING_ELEMENT_SIZE - (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - commitment_serialized - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (commitment_serialized <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 48)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - commitment_hash_candidate - in - let shake:v_Shake256Xof = tmp0 in - let commitment_hash_candidate:t_Array u8 (sz 48) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit - #v_Shake256 - (commitment_hash_candidate <: t_Slice u8) - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ONES_IN_VERIFIER_CHALLENGE - verifier_challenge - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge - in - let challenge_times_s1:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) - #FStar.Tactics.Typeclasses.solve - s1_as_ntt - in - let challenge_times_s2:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) - #FStar.Tactics.Typeclasses.solve - s2_as_ntt - in - let challenge_times_s1:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - challenge_times_s1 - verifier_challenge - in - let challenge_times_s2:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - challenge_times_s2 - verifier_challenge - in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A - mask - (challenge_times_s1 - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A - w0 - (challenge_times_s2 + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 30) + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + seed_for_a + matrix + in + let verification_key_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let verification_key_hash:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 64) + (verification_key <: t_Slice u8) + verification_key_hash + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof + (verification_key_hash <: t_Slice u8) + domain_separation_context + message + message_representative + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (deserialized_commitment_hash <: t_Slice u8) + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge + in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (deserialized_signer_response <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - ((1l < + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + deserialized_signer_response in - let challenge_times_t0:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - challenge_times_t0 - verifier_challenge + let _:usize = temp_1_ in + true) + deserialized_signer_response + (fun deserialized_signer_response i -> + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + deserialized_signer_response in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - (challenge_times_t0 - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2 - then - attempt, commitment_hash, domain_separator_for_mask, hint, signer_response - <: - (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) - else - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) - = - Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A - w0 - (challenge_times_t0 - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 6) = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialized_signer_response.[ i ] <: - t_Array i32 (sz 256)) - (sz 6) - in - let tmp0, out:(t_Array (t_Array i32 (sz 256)) (sz 6) & usize) = - Libcrux_ml_dsa.Arithmetic.make_hint #v_SIMDUnit - (sz 6) - 261888l - w0 - commitment - hint_candidate - in - let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 6) = tmp0 in - let ones_in_hint:usize = out in - if ones_in_hint >. Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT - then - attempt, commitment_hash, domain_separator_for_mask, hint, signer_response - <: - (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) - else - let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in - let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 48)) = - Core.Option.Option_Some commitment_hash_candidate - <: - Core.Option.t_Option (t_Array u8 (sz 48)) - in - let signer_response:Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) = - Core.Option.Option_Some mask - <: - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) - in - let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) = - Core.Option.Option_Some hint_candidate - <: - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) - in - attempt, commitment_hash, domain_separator_for_mask, hint, signer_response - <: - (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) - ) - in - match commitment_hash <: Core.Option.t_Option (t_Array u8 (sz 48)) with - | Core.Option.Option_Some commitment_hash -> - let commitment_hash:t_Array u8 (sz 48) = commitment_hash in - (match - signer_response - <: - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) - with - | Core.Option.Option_Some signer_response -> - let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 5) = - signer_response - in - (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) with - | Core.Option.Option_Some hint -> - let hint:t_Array (t_Array i32 (sz 256)) (sz 6) = hint in - let signature:t_Array u8 (sz 3309) = Rust_primitives.Hax.repeat 0uy (sz 3309) in - let signature:t_Array u8 (sz 3309) = - Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit - (commitment_hash <: t_Slice u8) - (signer_response + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (hint <: t_Slice (t_Array i32 (sz 256))) - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT signature - in - Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 3309) signature) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: - Libcrux_ml_dsa.Types.t_SigningError) + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (deserialized_signer_response <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verifier_challenge + t1 + in + let recomputed_commitment_hash:t_Array u8 (sz 48) = Rust_primitives.Hax.repeat 0uy (sz 48) in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2 + (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) + t1 + in + let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in + let commitment_serialized:t_Array u8 (sz 768) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 48)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + recomputed_commitment_hash + in + let shake:v_Shake256Xof = tmp0 in + let recomputed_commitment_hash:t_Array u8 (sz 48) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + if deserialized_commitment_hash =. recomputed_commitment_hash + then + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError <: - Libcrux_ml_dsa.Types.t_SigningError) + Libcrux_ml_dsa.Types.t_VerificationError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError - ) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError -let sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) +let verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) = match Libcrux_ml_dsa.Pre_hash.impl_1__new context @@ -617,356 +275,673 @@ let sign with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key message + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + message (Core.Option.Option_Some domain_separation_context <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized | Core.Result.Result_Err _ -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError -let sign_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: - Type0) +let verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: + i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: + i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i13: + i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i14: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) - (signing_key message context pre_hash_buffer: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) = - if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN - then - pre_hash_buffer, - (Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) - else - let pre_hash_buffer:t_Slice u8 = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH - #FStar.Tactics.Typeclasses.solve - #v_Shake128 - message + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized pre_hash_buffer - in - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_Some - (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () - <: - t_Array u8 (sz 11)) - <: - Core.Option.t_Option (t_Array u8 (sz 11))) - <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError = - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key pre_hash_buffer - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - in - pre_hash_buffer, hax_temp_output - <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Result.Result_Err _ -> - pre_hash_buffer, - (Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError + (Core.Option.Option_Some domain_separation_context <: - Libcrux_ml_dsa.Types.t_SigningError) + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) + Libcrux_ml_dsa.Types.t_VerificationError) <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) -let verify_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) +let sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: + i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key: t_Array u8 (sz 1952)) - (message: t_Slice u8) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message: t_Slice u8) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (signature_serialized: t_Array u8 (sz 3309)) + (randomness: t_Array u8 (sz 32)) = - let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = + let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 - (verification_key <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A - v_VERIFICATION_KEY_SIZE - t1_serialized - t1 + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + s1_as_ntt + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + s2_as_ntt + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 30) + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + seed_for_a + matrix + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof + verification_key_hash + domain_separation_context + message + message_representative + in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_for_signing + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) in - let deserialized_commitment_hash:t_Array u8 (sz 48) = Rust_primitives.Hax.repeat 0uy (sz 48) in - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 5) + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + mask_seed in - let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 6) = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) - (sz 6) + let shake:v_Shake256Xof = tmp0 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let (domain_separator_for_mask: u16):u16 = 0us in + let attempt:usize = sz 0 in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 48)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 48)) in - let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 48) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) & - t_Array (t_Array i32 (sz 256)) (sz 6) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE - (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response - deserialized_hint + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) = + Core.Option.Option_None + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) in - let deserialized_commitment_hash:t_Array u8 (sz 48) = tmp0 in - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - tmp1 + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) in - let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 6) = tmp2 in - match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with - | Core.Result.Result_Ok _ -> - let _:Prims.unit = () <: Prims.unit in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - (deserialized_signer_response - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - ((2l < + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 48)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) = + temp_0_ + in + attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) + (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response <: - Libcrux_ml_dsa.Types.t_VerificationError) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - else - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 30) - in - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A - seed_for_a - matrix - in - let verification_key_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let verification_key_hash:t_Array u8 (sz 64) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 - #FStar.Tactics.Typeclasses.solve - (sz 64) - (verification_key <: t_Slice u8) - verification_key_hash - in - let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let message_representative:t_Array u8 (sz 64) = - Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof - (verification_key_hash <: t_Slice u8) - domain_separation_context - message - message_representative - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit - #v_Shake256 - (deserialized_commitment_hash <: t_Slice u8) - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ONES_IN_VERIFIER_CHALLENGE - verifier_challenge - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge - in - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (deserialized_signer_response + (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)))) + (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 48)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) = + temp_0_ + in + let attempt:usize = attempt +! sz 1 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let tmp0, tmp1:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) = + Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit + #v_Shake256 + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT + mask_seed + domain_separator_for_mask + mask + in + let domain_separator_for_mask:u16 = tmp0 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + tmp1 + in + let _:Prims.unit = () in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) + = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + #FStar.Tactics.Typeclasses.solve + mask + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) + = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (mask_ntt + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun mask_ntt temp_1_ -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + mask_ntt + in + let _:usize = temp_1_ in + true) + mask_ntt + (fun mask_ntt i -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + mask_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask_ntt.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) + = + Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + a_x_mask + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) = + Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2 + (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + w0 + commitment + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + tmp0 + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) = + tmp1 + in + let _:Prims.unit = () in + let _:Prims.unit = () in + let commitment_hash_candidate:t_Array u8 (sz 48) = + Rust_primitives.Hax.repeat 0uy (sz 48) + in + let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in + let commitment_serialized:t_Array u8 (sz 768) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 48)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + commitment_hash_candidate + in + let shake:v_Shake256Xof = tmp0 in + let commitment_hash_candidate:t_Array u8 (sz 48) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (commitment_hash_candidate <: t_Slice u8) + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + #FStar.Tactics.Typeclasses.solve + s1_as_ntt + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) + #FStar.Tactics.Typeclasses.solve + s2_as_ntt + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s1 + verifier_challenge + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s2 + verifier_challenge + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + mask + (challenge_times_s1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + w0 + (challenge_times_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((1l < - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - deserialized_signer_response + (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) + else + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (w0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2 -! v_BETA <: i32) + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) + else + let challenge_times_t0:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) + #FStar.Tactics.Typeclasses.solve + t0_as_ntt in - let _:usize = temp_1_ in - true) - deserialized_signer_response - (fun deserialized_signer_response i -> - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - deserialized_signer_response + let challenge_times_t0:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_t0 + verifier_challenge in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (deserialized_signer_response.[ i ] + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (challenge_times_t0 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2 + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) + else + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) + = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + w0 + (challenge_times_t0 <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 6) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) + <: + t_Array i32 (sz 256)) + (sz 6) + in + let tmp0, out:(t_Array (t_Array i32 (sz 256)) (sz 6) & usize) = + Libcrux_ml_dsa.Arithmetic.make_hint #v_SIMDUnit + (sz 6) + 261888l + w0 + commitment + hint_candidate + in + let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 6) = tmp0 in + let ones_in_hint:usize = out in + if ones_in_hint >. Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) + else + let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 48)) = + Core.Option.Option_Some commitment_hash_candidate + <: + Core.Option.t_Option (t_Array u8 (sz 48)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) = + Core.Option.Option_Some mask + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) = + Core.Option.Option_Some hint_candidate + <: + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) + in + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) + ) + in + match commitment_hash <: Core.Option.t_Option (t_Array u8 (sz 48)) with + | Core.Option.Option_Some commitment_hash -> + let commitment_hash:t_Array u8 (sz 48) = commitment_hash in + (match + signer_response + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + with + | Core.Option.Option_Some signer_response -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) = + signer_response + in + (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) with + | Core.Option.Option_Some hint -> + let hint:t_Array (t_Array i32 (sz 256)) (sz 6) = hint in + let signature:t_Array u8 (sz 3309) = Rust_primitives.Hax.repeat 0uy (sz 3309) in + let signature:t_Array u8 (sz 3309) = + Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit + (commitment_hash <: t_Slice u8) + (signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint <: t_Slice (t_Array i32 (sz 256))) + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT signature + in + Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 3309) signature) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) - in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A - (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (deserialized_signer_response + Libcrux_ml_dsa.Types.t_SigningError) <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - verifier_challenge - t1 - in - let recomputed_commitment_hash:t_Array u8 (sz 48) = Rust_primitives.Hax.repeat 0uy (sz 48) in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2 - (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) - t1 - in - let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in - let commitment_serialized:t_Array u8 (sz 768) = - Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit - v_COMMITMENT_RING_ELEMENT_SIZE - (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - commitment_serialized - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (commitment_serialized <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 48)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - recomputed_commitment_hash - in - let shake:v_Shake256Xof = tmp0 in - let recomputed_commitment_hash:t_Array u8 (sz 48) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - if deserialized_commitment_hash =. recomputed_commitment_hash - then - Core.Result.Result_Ok (() <: Prims.unit) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - else + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: - Libcrux_ml_dsa.Types.t_VerificationError) + Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - | Core.Result.Result_Err e -> - Core.Result.Result_Err e + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + ) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError -let verify - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: + i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key_serialized: t_Array u8 (sz 1952)) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 (sz 3309)) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) = match Libcrux_ml_dsa.Pre_hash.impl_1__new context @@ -977,95 +952,104 @@ let verify with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - verify_internal #v_SIMDUnit - #v_Sampler - #v_Shake128X4 - #v_Shake256 - #v_Shake256Xof - verification_key_serialized - message + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message (Core.Option.Option_Some domain_separation_context <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - signature_serialized + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness | Core.Result.Result_Err _ -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError - <: - Libcrux_ml_dsa.Types.t_VerificationError) + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError -let verify_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: + i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: + i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) - (verification_key_serialized: t_Array u8 (sz 1952)) - (message context pre_hash_buffer: t_Slice u8) - (signature_serialized: t_Array u8 (sz 3309)) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) = - let pre_hash_buffer:t_Slice u8 = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH - #FStar.Tactics.Typeclasses.solve - #v_Shake128 - message - pre_hash_buffer - in - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_Some - (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () - <: - t_Array u8 (sz 11)) - <: - Core.Option.t_Option (t_Array u8 (sz 11))) + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - verify_internal #v_SIMDUnit - #v_Sampler - #v_Shake128X4 - #v_Shake256 - #v_Shake256Xof - verification_key_serialized + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message pre_hash_buffer - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - signature_serialized in - pre_hash_buffer, hax_temp_output - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - | Core.Result.Result_Err _ -> - pre_hash_buffer, - (Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: - Libcrux_ml_dsa.Types.t_VerificationError) + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) let generate_key_pair (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti index 46aa5f314..bb879294f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti @@ -54,54 +54,6 @@ let v_SIGNING_KEY_SIZE: usize = let v_VERIFICATION_KEY_SIZE: usize = Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A -val sign_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key message: t_Slice u8) - (domain_separation_context: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: - Type0) - {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} - (signing_key message context pre_hash_buffer: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - /// The internal verification API. /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. @@ -152,6 +104,54 @@ val verify_pre_hashed Prims.l_True (fun _ -> Prims.l_True) +val sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + val generate_key_pair (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst index ae888c151..4d3fae318 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst @@ -14,601 +14,257 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let sign_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) +let verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key message: t_Slice u8) + (verification_key: t_Array u8 (sz 2592)) + (message: t_Slice u8) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (randomness: t_Array u8 (sz 32)) + (signature_serialized: t_Array u8 (sz 4627)) = - let eta:Libcrux_ml_dsa.Constants.t_Eta = - match - cast (Libcrux_ml_dsa.Constants.t_Eta_cast_to_repr Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA - <: - isize) - <: - u8 - with - | 2uy -> Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta - | 4uy -> Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in - let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE - in - let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH - in - let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A <: usize) - in - let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 - remaining_serialized - (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A <: usize) - in - let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 7) - in - let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) + (verification_key <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE in - let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) in - let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit - eta - v_ERROR_RING_ELEMENT_SIZE - s1_serialized - s1_as_ntt - in - let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit - eta - v_ERROR_RING_ELEMENT_SIZE - s2_serialized - s2_as_ntt - in - let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + t1_serialized + t1 in - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + let deserialized_commitment_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 56) - in - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A - seed_for_a - matrix - in - let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let message_representative:t_Array u8 (sz 64) = - Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof - verification_key_hash - domain_separation_context - message - message_representative - in - let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - seed_for_signing - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - mask_seed + (sz 7) in - let shake:v_Shake256Xof = tmp0 in - let mask_seed:t_Array u8 (sz 64) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let (domain_separator_for_mask: u16):u16 = 0us in - let attempt:usize = sz 0 in - let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 64)) = - Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 64)) + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 8) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + (sz 8) in - let signer_response:Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) = - Core.Option.Option_None - <: - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) & + t_Array (t_Array i32 (sz 256)) (sz 8) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE + (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response + deserialized_hint in - let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) = - Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) + let deserialized_commitment_hash:t_Array u8 (sz 64) = tmp0 in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + tmp1 in - let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & - Core.Option.t_Option (t_Array u8 (sz 64)) & - u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) = - Rust_primitives.f_while_loop (fun temp_0_ -> - let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & - Core.Option.t_Option (t_Array u8 (sz 64)) & - u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) = - temp_0_ - in - attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) - (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 8) = tmp2 in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with + | Core.Result.Result_Ok _ -> + let _:Prims.unit = () <: Prims.unit in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((2l < - let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & - Core.Option.t_Option (t_Array u8 (sz 64)) & - u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) = - temp_0_ - in - let attempt:usize = attempt +! sz 1 in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 7) - in - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) - in - let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) - in - let tmp0, tmp1:(u16 & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) = - Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit - #v_Shake256 - #v_Shake256X4 - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT - mask_seed - domain_separator_for_mask - mask - in - let domain_separator_for_mask:u16 = tmp0 in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - tmp1 - in - let _:Prims.unit = () in - let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) - = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) - in - let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) - = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) - #FStar.Tactics.Typeclasses.solve - mask - in - let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) - = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (mask_ntt - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - usize) - (fun mask_ntt temp_1_ -> - let mask_ntt:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - mask_ntt - in - let _:usize = temp_1_ in - true) - mask_ntt - (fun mask_ntt i -> - let mask_ntt:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - mask_ntt - in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (mask_ntt.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) - in - let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) - = - Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A - (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - a_x_mask - in - let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) = - Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2 - (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - w0 - commitment - in - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - tmp0 - in - let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) = - tmp1 - in - let _:Prims.unit = () in - let _:Prims.unit = () in - let commitment_hash_candidate:t_Array u8 (sz 64) = - Rust_primitives.Hax.repeat 0uy (sz 64) - in - let commitment_serialized:t_Array u8 (sz 1024) = - Rust_primitives.Hax.repeat 0uy (sz 1024) - in - let commitment_serialized:t_Array u8 (sz 1024) = - Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit - v_COMMITMENT_RING_ELEMENT_SIZE - (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - commitment_serialized - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (commitment_serialized <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - commitment_hash_candidate - in - let shake:v_Shake256Xof = tmp0 in - let commitment_hash_candidate:t_Array u8 (sz 64) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit - #v_Shake256 - (commitment_hash_candidate <: t_Slice u8) - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ONES_IN_VERIFIER_CHALLENGE - verifier_challenge - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge - in - let challenge_times_s1:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) - #FStar.Tactics.Typeclasses.solve - s1_as_ntt - in - let challenge_times_s2:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Core.Clone.f_clone #(t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) - #FStar.Tactics.Typeclasses.solve - s2_as_ntt - in - let challenge_times_s1:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - challenge_times_s1 - verifier_challenge - in - let challenge_times_s2:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - challenge_times_s2 - verifier_challenge - in - let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A - mask - (challenge_times_s1 - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A - w0 - (challenge_times_s2 + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 56) + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + seed_for_a + matrix + in + let verification_key_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let verification_key_hash:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 64) + (verification_key <: t_Slice u8) + verification_key_hash + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof + (verification_key_hash <: t_Slice u8) + domain_separation_context + message + message_representative + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (deserialized_commitment_hash <: t_Slice u8) + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge + in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (deserialized_signer_response <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - ((1l < + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + deserialized_signer_response in - let challenge_times_t0:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit - challenge_times_t0 - verifier_challenge + let _:usize = temp_1_ in + true) + deserialized_signer_response + (fun deserialized_signer_response i -> + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + deserialized_signer_response in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - (challenge_times_t0 - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2 - then - attempt, commitment_hash, domain_separator_for_mask, hint, signer_response - <: - (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) - else - let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) - = - Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A - w0 - (challenge_times_t0 - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 8) = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialized_signer_response.[ i ] <: - t_Array i32 (sz 256)) - (sz 8) - in - let tmp0, out:(t_Array (t_Array i32 (sz 256)) (sz 8) & usize) = - Libcrux_ml_dsa.Arithmetic.make_hint #v_SIMDUnit - (sz 8) - 261888l - w0 - commitment - hint_candidate - in - let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 8) = tmp0 in - let ones_in_hint:usize = out in - if ones_in_hint >. Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT - then - attempt, commitment_hash, domain_separator_for_mask, hint, signer_response - <: - (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) - else - let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in - let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 64)) = - Core.Option.Option_Some commitment_hash_candidate - <: - Core.Option.t_Option (t_Array u8 (sz 64)) - in - let signer_response:Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) = - Core.Option.Option_Some mask - <: - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) - in - let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) = - Core.Option.Option_Some hint_candidate - <: - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) - in - attempt, commitment_hash, domain_separator_for_mask, hint, signer_response - <: - (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) - ) - in - match commitment_hash <: Core.Option.t_Option (t_Array u8 (sz 64)) with - | Core.Option.Option_Some commitment_hash -> - let commitment_hash:t_Array u8 (sz 64) = commitment_hash in - (match - signer_response - <: - Core.Option.t_Option - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) - with - | Core.Option.Option_Some signer_response -> - let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 7) = - signer_response - in - (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) with - | Core.Option.Option_Some hint -> - let hint:t_Array (t_Array i32 (sz 256)) (sz 8) = hint in - let signature:t_Array u8 (sz 4627) = Rust_primitives.Hax.repeat 0uy (sz 4627) in - let signature:t_Array u8 (sz 4627) = - Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit - (commitment_hash <: t_Slice u8) - (signer_response + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (hint <: t_Slice (t_Array i32 (sz 256))) - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT signature - in - Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 4627) signature) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: - Libcrux_ml_dsa.Types.t_SigningError) + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (deserialized_signer_response <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verifier_challenge + t1 + in + let recomputed_commitment_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2 + (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) + t1 + in + let commitment_serialized:t_Array u8 (sz 1024) = Rust_primitives.Hax.repeat 0uy (sz 1024) in + let commitment_serialized:t_Array u8 (sz 1024) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + recomputed_commitment_hash + in + let shake:v_Shake256Xof = tmp0 in + let recomputed_commitment_hash:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + if deserialized_commitment_hash =. recomputed_commitment_hash + then + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError <: - Libcrux_ml_dsa.Types.t_SigningError) + Libcrux_ml_dsa.Types.t_VerificationError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError - ) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError -let sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) +let verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) = match Libcrux_ml_dsa.Pre_hash.impl_1__new context @@ -619,356 +275,675 @@ let sign with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key message + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + message (Core.Option.Option_Some domain_separation_context <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized | Core.Result.Result_Err _ -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError -let sign_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: - Type0) +let verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: + i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: + i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i13: + i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i14: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) - (signing_key message context pre_hash_buffer: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) = - if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN - then - pre_hash_buffer, - (Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) - else - let pre_hash_buffer:t_Slice u8 = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH - #FStar.Tactics.Typeclasses.solve - #v_Shake128 - message + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized pre_hash_buffer - in - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_Some - (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () - <: - t_Array u8 (sz 11)) - <: - Core.Option.t_Option (t_Array u8 (sz 11))) - <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError = - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key pre_hash_buffer - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - in - pre_hash_buffer, hax_temp_output - <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Result.Result_Err _ -> - pre_hash_buffer, - (Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError + (Core.Option.Option_Some domain_separation_context <: - Libcrux_ml_dsa.Types.t_SigningError) + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) + Libcrux_ml_dsa.Types.t_VerificationError) <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) -let verify_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) +let sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: + i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key: t_Array u8 (sz 2592)) - (message: t_Slice u8) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message: t_Slice u8) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (signature_serialized: t_Array u8 (sz 4627)) + (randomness: t_Array u8 (sz 32)) = - let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = + let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 - (verification_key <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A - v_VERIFICATION_KEY_SIZE - t1_serialized - t1 + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + s1_as_ntt + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + s2_as_ntt + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 56) + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + seed_for_a + matrix + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof + verification_key_hash + domain_separation_context + message + message_representative + in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_for_signing + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) in - let deserialized_commitment_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 7) + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + mask_seed in - let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 8) = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) - (sz 8) + let shake:v_Shake256Xof = tmp0 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let (domain_separator_for_mask: u16):u16 = 0us in + let attempt:usize = sz 0 in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 64)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 64)) in - let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 64) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) & - t_Array (t_Array i32 (sz 256)) (sz 8) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE - (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response - deserialized_hint + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) = + Core.Option.Option_None + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) in - let deserialized_commitment_hash:t_Array u8 (sz 64) = tmp0 in - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - tmp1 + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) in - let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 8) = tmp2 in - match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with - | Core.Result.Result_Ok _ -> - let _:Prims.unit = () <: Prims.unit in - if - Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - (deserialized_signer_response - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - ((2l < + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 64)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) = + temp_0_ + in + attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) + (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response <: - Libcrux_ml_dsa.Types.t_VerificationError) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - else - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 56) - in - let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A - seed_for_a - matrix - in - let verification_key_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let verification_key_hash:t_Array u8 (sz 64) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 - #FStar.Tactics.Typeclasses.solve - (sz 64) - (verification_key <: t_Slice u8) - verification_key_hash - in - let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let message_representative:t_Array u8 (sz 64) = - Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof - (verification_key_hash <: t_Slice u8) - domain_separation_context - message - message_representative - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit - #v_Shake256 - (deserialized_commitment_hash <: t_Slice u8) - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ONES_IN_VERIFIER_CHALLENGE - verifier_challenge - in - let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge - in - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (deserialized_signer_response + (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)))) + (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 64)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) = + temp_0_ + in + let attempt:usize = attempt +! sz 1 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let tmp0, tmp1:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) = + Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit + #v_Shake256 + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT + mask_seed + domain_separator_for_mask + mask + in + let domain_separator_for_mask:u16 = tmp0 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + tmp1 + in + let _:Prims.unit = () in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) + = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + #FStar.Tactics.Typeclasses.solve + mask + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) + = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (mask_ntt + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun mask_ntt temp_1_ -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + mask_ntt + in + let _:usize = temp_1_ in + true) + mask_ntt + (fun mask_ntt i -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + mask_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask_ntt.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) + = + Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + a_x_mask + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) = + Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2 + (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + w0 + commitment + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + tmp0 + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) = + tmp1 + in + let _:Prims.unit = () in + let _:Prims.unit = () in + let commitment_hash_candidate:t_Array u8 (sz 64) = + Rust_primitives.Hax.repeat 0uy (sz 64) + in + let commitment_serialized:t_Array u8 (sz 1024) = + Rust_primitives.Hax.repeat 0uy (sz 1024) + in + let commitment_serialized:t_Array u8 (sz 1024) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + commitment_hash_candidate + in + let shake:v_Shake256Xof = tmp0 in + let commitment_hash_candidate:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (commitment_hash_candidate <: t_Slice u8) + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + #FStar.Tactics.Typeclasses.solve + s1_as_ntt + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) + #FStar.Tactics.Typeclasses.solve + s2_as_ntt + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s1 + verifier_challenge + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s2 + verifier_challenge + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + mask + (challenge_times_s1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + w0 + (challenge_times_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((1l < - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - deserialized_signer_response + (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) + else + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (w0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2 -! v_BETA <: i32) + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) + else + let challenge_times_t0:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) + #FStar.Tactics.Typeclasses.solve + t0_as_ntt in - let _:usize = temp_1_ in - true) - deserialized_signer_response - (fun deserialized_signer_response i -> - let deserialized_signer_response:t_Array - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - deserialized_signer_response + let challenge_times_t0:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_t0 + verifier_challenge in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (deserialized_signer_response.[ i ] + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (challenge_times_t0 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2 + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) + else + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) + = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + w0 + (challenge_times_t0 <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 8) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) + <: + t_Array i32 (sz 256)) + (sz 8) + in + let tmp0, out:(t_Array (t_Array i32 (sz 256)) (sz 8) & usize) = + Libcrux_ml_dsa.Arithmetic.make_hint #v_SIMDUnit + (sz 8) + 261888l + w0 + commitment + hint_candidate + in + let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 8) = tmp0 in + let ones_in_hint:usize = out in + if ones_in_hint >. Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) + else + let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 64)) = + Core.Option.Option_Some commitment_hash_candidate + <: + Core.Option.t_Option (t_Array u8 (sz 64)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) = + Core.Option.Option_Some mask + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) = + Core.Option.Option_Some hint_candidate + <: + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) + in + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) + ) + in + match commitment_hash <: Core.Option.t_Option (t_Array u8 (sz 64)) with + | Core.Option.Option_Some commitment_hash -> + let commitment_hash:t_Array u8 (sz 64) = commitment_hash in + (match + signer_response + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + with + | Core.Option.Option_Some signer_response -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) = + signer_response + in + (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) with + | Core.Option.Option_Some hint -> + let hint:t_Array (t_Array i32 (sz 256)) (sz 8) = hint in + let signature:t_Array u8 (sz 4627) = Rust_primitives.Hax.repeat 0uy (sz 4627) in + let signature:t_Array u8 (sz 4627) = + Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit + (commitment_hash <: t_Slice u8) + (signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint <: t_Slice (t_Array i32 (sz 256))) + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT signature + in + Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 4627) signature) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) - in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A - (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (deserialized_signer_response + Libcrux_ml_dsa.Types.t_SigningError) <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - verifier_challenge - t1 - in - let recomputed_commitment_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2 - (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) - t1 - in - let commitment_serialized:t_Array u8 (sz 1024) = Rust_primitives.Hax.repeat 0uy (sz 1024) in - let commitment_serialized:t_Array u8 (sz 1024) = - Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit - v_COMMITMENT_RING_ELEMENT_SIZE - (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - commitment_serialized - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (message_representative <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (commitment_serialized <: t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - recomputed_commitment_hash - in - let shake:v_Shake256Xof = tmp0 in - let recomputed_commitment_hash:t_Array u8 (sz 64) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - if deserialized_commitment_hash =. recomputed_commitment_hash - then - Core.Result.Result_Ok (() <: Prims.unit) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - else + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: - Libcrux_ml_dsa.Types.t_VerificationError) + Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - | Core.Result.Result_Err e -> - Core.Result.Result_Err e + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + ) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError -let verify - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: + i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (verification_key_serialized: t_Array u8 (sz 2592)) - (message context: t_Slice u8) - (signature_serialized: t_Array u8 (sz 4627)) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) = match Libcrux_ml_dsa.Pre_hash.impl_1__new context @@ -979,95 +954,104 @@ let verify with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - verify_internal #v_SIMDUnit - #v_Sampler - #v_Shake128X4 - #v_Shake256 - #v_Shake256Xof - verification_key_serialized - message + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message (Core.Option.Option_Some domain_separation_context <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - signature_serialized + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness | Core.Result.Result_Err _ -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError - <: - Libcrux_ml_dsa.Types.t_VerificationError) + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError -let verify_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: + i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: + i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) - (verification_key_serialized: t_Array u8 (sz 2592)) - (message context pre_hash_buffer: t_Slice u8) - (signature_serialized: t_Array u8 (sz 4627)) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) = - let pre_hash_buffer:t_Slice u8 = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH - #FStar.Tactics.Typeclasses.solve - #v_Shake128 - message - pre_hash_buffer - in - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_Some - (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () - <: - t_Array u8 (sz 11)) - <: - Core.Option.t_Option (t_Array u8 (sz 11))) + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - verify_internal #v_SIMDUnit - #v_Sampler - #v_Shake128X4 - #v_Shake256 - #v_Shake256Xof - verification_key_serialized + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message pre_hash_buffer - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - signature_serialized in - pre_hash_buffer, hax_temp_output - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - | Core.Result.Result_Err _ -> - pre_hash_buffer, - (Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: - Libcrux_ml_dsa.Types.t_VerificationError) + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) let generate_key_pair (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti index c47847ef4..04d19b3e5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti @@ -54,54 +54,6 @@ let v_SIGNING_KEY_SIZE: usize = let v_VERIFICATION_KEY_SIZE: usize = Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A -val sign_internal - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key message: t_Slice u8) - (domain_separation_context: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign_pre_hashed - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: - Type0) - {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} - (signing_key message context pre_hash_buffer: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - /// The internal verification API. /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. @@ -152,6 +104,54 @@ val verify_pre_hashed Prims.l_True (fun _ -> Prims.l_True) +val sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + val generate_key_pair (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst index f9ceb7c45..d85329e30 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst @@ -60,8 +60,8 @@ let ntt_multiply_montgomery = let lhs:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient - (lhs.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice i1.f_Coefficient) + (Core.Slice.impl__len #v_SIMDUnit + (lhs.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun lhs temp_1_ -> @@ -81,12 +81,12 @@ let ntt_multiply_montgomery i (Libcrux_ml_dsa.Simd.Traits.f_montgomery_multiply #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (lhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) - (rhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: i1.f_Coefficient) + (lhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) <: - i1.f_Coefficient) + v_SIMDUnit) <: - t_Array i1.f_Coefficient (sz 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst index 247b0feb9..1960a3305 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst @@ -9,46 +9,37 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let impl__add +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_1': + #v_SIMDUnit: Type0 -> + {| i1: Core.Clone.t_Clone v_SIMDUnit |} -> + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + -> Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit) + +let impl_1 (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: + i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (self rhs: t_PolynomialRingElement v_SIMDUnit) - = - let self:t_PolynomialRingElement v_SIMDUnit = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient (self.f_simd_units <: t_Slice i1.f_Coefficient) - <: - usize) - (fun self temp_1_ -> - let self:t_PolynomialRingElement v_SIMDUnit = self in - let _:usize = temp_1_ in - true) - self - (fun self i -> - let self:t_PolynomialRingElement v_SIMDUnit = self in - let i:usize = i in - { - self with - f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_simd_units - i - (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (self.f_simd_units.[ i ] <: i1.f_Coefficient) - (rhs.f_simd_units.[ i ] <: i1.f_Coefficient) - <: - i1.f_Coefficient) - <: - t_Array i1.f_Coefficient (sz 32) - } - <: - t_PolynomialRingElement v_SIMDUnit) - in - let hax_temp_output:Prims.unit = () <: Prims.unit in - self + = impl_1' #v_SIMDUnit #i1 #i2 + +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_2': + #v_SIMDUnit: Type0 -> + {| i1: Core.Marker.t_Copy v_SIMDUnit |} -> + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + -> Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) + +let impl_2 + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Marker.t_Copy v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + = impl_2' #v_SIMDUnit #i1 #i2 let impl__from_i32_array (#v_SIMDUnit: Type0) @@ -100,11 +91,11 @@ let impl__from_i32_array Core.Ops.Range.t_Range usize ] <: t_Slice i32) - (result.f_simd_units.[ i ] <: i1.f_Coefficient) + (result.f_simd_units.[ i ] <: v_SIMDUnit) <: - i1.f_Coefficient) + v_SIMDUnit) <: - t_Array i1.f_Coefficient (sz 32) + t_Array v_SIMDUnit (sz 32) } <: t_PolynomialRingElement v_SIMDUnit) @@ -112,6 +103,65 @@ let impl__from_i32_array let hax_temp_output:Prims.unit = () <: Prims.unit in result +let impl__zero + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (_: Prims.unit) + = + { + f_simd_units + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Traits.f_zero #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + () + <: + v_SIMDUnit) + (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit + +let impl__add + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self rhs: t_PolynomialRingElement v_SIMDUnit) + = + let self:t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit (self.f_simd_units <: t_Slice v_SIMDUnit) <: usize) + (fun self temp_1_ -> + let self:t_PolynomialRingElement v_SIMDUnit = self in + let _:usize = temp_1_ in + true) + self + (fun self i -> + let self:t_PolynomialRingElement v_SIMDUnit = self in + let i:usize = i in + { + self with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (self.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.f_simd_units.[ i ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + self + let impl__infinity_norm_exceeds (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -123,9 +173,7 @@ let impl__infinity_norm_exceeds let result:bool = false in let result:bool = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient (self.f_simd_units <: t_Slice i1.f_Coefficient) - <: - usize) + (Core.Slice.impl__len #v_SIMDUnit (self.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun result temp_1_ -> let result:bool = result in let _:usize = temp_1_ in @@ -137,7 +185,7 @@ let impl__infinity_norm_exceeds result || (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (self.f_simd_units.[ i ] <: i1.f_Coefficient) + (self.f_simd_units.[ i ] <: v_SIMDUnit) bound <: bool)) @@ -153,9 +201,7 @@ let impl__subtract = let self:t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i1.f_Coefficient (self.f_simd_units <: t_Slice i1.f_Coefficient) - <: - usize) + (Core.Slice.impl__len #v_SIMDUnit (self.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun self temp_1_ -> let self:t_PolynomialRingElement v_SIMDUnit = self in let _:usize = temp_1_ in @@ -172,12 +218,12 @@ let impl__subtract i (Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (self.f_simd_units.[ i ] <: i1.f_Coefficient) - (rhs.f_simd_units.[ i ] <: i1.f_Coefficient) + (self.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.f_simd_units.[ i ] <: v_SIMDUnit) <: - i1.f_Coefficient) + v_SIMDUnit) <: - t_Array i1.f_Coefficient (sz 32) + t_Array v_SIMDUnit (sz 32) } <: t_PolynomialRingElement v_SIMDUnit) @@ -194,7 +240,7 @@ let impl__to_i32_array = let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in let result:t_Array i32 (sz 256) = - Rust_primitives.Hax.Folds.fold_enumerated_slice (self.f_simd_units <: t_Slice i1.f_Coefficient) + Rust_primitives.Hax.Folds.fold_enumerated_slice (self.f_simd_units <: t_Slice v_SIMDUnit) (fun result temp_1_ -> let result:t_Array i32 (sz 256) = result in let _:usize = temp_1_ in @@ -202,7 +248,7 @@ let impl__to_i32_array result (fun result temp_1_ -> let result:t_Array i32 (sz 256) = result in - let i, simd_unit:(usize & i1.f_Coefficient) = temp_1_ in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range result ({ Core.Ops.Range.f_start @@ -239,59 +285,3 @@ let impl__to_i32_array t_Array i32 (sz 256)) in result - -let impl__zero - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (_: Prims.unit) - = - { - f_simd_units - = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Traits.f_zero #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - () - <: - i1.f_Coefficient) - (sz 32) - } - <: - t_PolynomialRingElement v_SIMDUnit - -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_1': - #v_SIMDUnit: Type0 -> - {| i1: Core.Clone.t_Clone v_SIMDUnit |} -> - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> - {| i3: Core.Clone.t_Clone i2.f_Coefficient |} - -> Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit) - -let impl_1 - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Core.Clone.t_Clone i2.f_Coefficient) - = impl_1' #v_SIMDUnit #i1 #i2 #i3 - -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_2': - #v_SIMDUnit: Type0 -> - {| i1: Core.Marker.t_Copy v_SIMDUnit |} -> - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> - {| i3: Core.Marker.t_Copy i2.f_Coefficient |} - -> Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) - -let impl_2 - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Marker.t_Copy v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Core.Marker.t_Copy i2.f_Coefficient) - = impl_2' #v_SIMDUnit #i1 #i2 #i3 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti index b626583c2..9667cb818 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti @@ -11,13 +11,21 @@ let _ = type t_PolynomialRingElement (v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - = { f_simd_units:t_Array i1.f_Coefficient (sz 32) } + = { f_simd_units:t_Array v_SIMDUnit (sz 32) } -val impl__add +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_1 (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (self rhs: t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + {| i1: Core.Clone.t_Clone v_SIMDUnit |} + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + : Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_2 + (#v_SIMDUnit: Type0) + {| i1: Core.Marker.t_Copy v_SIMDUnit |} + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + : Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) val impl__from_i32_array (#v_SIMDUnit: Type0) @@ -26,6 +34,18 @@ val impl__from_i32_array (result: t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) +val impl__zero: + #v_SIMDUnit: Type0 -> + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> + Prims.unit + -> Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__add + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self rhs: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + val impl__infinity_norm_exceeds (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} @@ -44,25 +64,3 @@ val impl__to_i32_array {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (self: t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (t_Array i32 (sz 256)) Prims.l_True (fun _ -> Prims.l_True) - -val impl__zero: - #v_SIMDUnit: Type0 -> - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> - Prims.unit - -> Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1 - (#v_SIMDUnit: Type0) - {| i1: Core.Clone.t_Clone v_SIMDUnit |} - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Core.Clone.t_Clone i2.f_Coefficient |} - : Core.Clone.t_Clone (t_PolynomialRingElement v_SIMDUnit) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_2 - (#v_SIMDUnit: Type0) - {| i1: Core.Marker.t_Copy v_SIMDUnit |} - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Core.Marker.t_Copy i2.f_Coefficient |} - : Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst index f6360477a..1a77972f4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst @@ -17,127 +17,6 @@ let generate_domain_separator (row, column: (u8 & u8)) = let sample_up_to_four_ring_elements_flat__xy (index width: usize) = (cast (index /! width <: usize) <: u8), (cast (index %! width <: usize) <: u8) <: (u8 & u8) -let add_domain_separator (slice: t_Slice u8) (indices: (u8 & u8)) = - let out:t_Array u8 (sz 34) = Rust_primitives.Hax.repeat 0uy (sz 34) in - let out:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range out - ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (out.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - slice - <: - t_Slice u8) - in - let domain_separator:u16 = generate_domain_separator indices in - let out:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - (sz 32) - (cast (domain_separator <: u16) <: u8) - in - let out:t_Array u8 (sz 34) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - (sz 33) - (cast (domain_separator >>! 8l <: u16) <: u8) - in - out - -let add_error_domain_separator (slice: t_Slice u8) (domain_separator: u16) = - let out:t_Array u8 (sz 66) = Rust_primitives.Hax.repeat 0uy (sz 66) in - let out:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range out - ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (out.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - slice - <: - t_Slice u8) - in - let out:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - (sz 64) - (cast (domain_separator <: u16) <: u8) - in - let out:t_Array u8 (sz 66) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - (sz 65) - (cast (domain_separator >>! 8l <: u16) <: u8) - in - out - -let inside_out_shuffle - (randomness: t_Slice u8) - (out_index: usize) - (signs: u64) - (result: t_Array i32 (sz 256)) - = - let done:bool = false in - let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter - u8) - #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__iter #u8 randomness <: Core.Slice.Iter.t_Iter u8) - <: - Core.Slice.Iter.t_Iter u8) - (done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) - (fun temp_0_ byte -> - let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = - temp_0_ - in - let byte:u8 = byte in - if ~.done <: bool - then - let sample_at:usize = cast (byte <: u8) <: usize in - let out_index, result, signs:(usize & t_Array i32 (sz 256) & u64) = - if sample_at <=. out_index - then - let result:t_Array i32 (sz 256) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - out_index - (result.[ sample_at ] <: i32) - in - let out_index:usize = out_index +! sz 1 in - let result:t_Array i32 (sz 256) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - sample_at - (1l -! (2l *! (cast (signs &. 1uL <: u64) <: i32) <: i32) <: i32) - in - let signs:u64 = signs >>! 1l in - out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) - else out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) - in - let done:bool = - out_index =. (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) - in - done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64) - else done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) - in - let hax_temp_output:bool = done in - out_index, signs, result, hax_temp_output <: (usize & u64 & t_Array i32 (sz 256) & bool) - let rejection_sample_less_than_eta_equals_2_ (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -327,6 +206,127 @@ let rejection_sample_less_than_field_modulus let hax_temp_output:bool = done in sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) +let add_domain_separator (slice: t_Slice u8) (indices: (u8 & u8)) = + let out:t_Array u8 (sz 34) = Rust_primitives.Hax.repeat 0uy (sz 34) in + let out:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (out.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + slice + <: + t_Slice u8) + in + let domain_separator:u16 = generate_domain_separator indices in + let out:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + (sz 32) + (cast (domain_separator <: u16) <: u8) + in + let out:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + (sz 33) + (cast (domain_separator >>! 8l <: u16) <: u8) + in + out + +let add_error_domain_separator (slice: t_Slice u8) (domain_separator: u16) = + let out:t_Array u8 (sz 66) = Rust_primitives.Hax.repeat 0uy (sz 66) in + let out:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (out.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + slice + <: + t_Slice u8) + in + let out:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + (sz 64) + (cast (domain_separator <: u16) <: u8) + in + let out:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + (sz 65) + (cast (domain_separator >>! 8l <: u16) <: u8) + in + out + +let inside_out_shuffle + (randomness: t_Slice u8) + (out_index: usize) + (signs: u64) + (result: t_Array i32 (sz 256)) + = + let done:bool = false in + let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #u8 randomness <: Core.Slice.Iter.t_Iter u8) + <: + Core.Slice.Iter.t_Iter u8) + (done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) + (fun temp_0_ byte -> + let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = + temp_0_ + in + let byte:u8 = byte in + if ~.done <: bool + then + let sample_at:usize = cast (byte <: u8) <: usize in + let out_index, result, signs:(usize & t_Array i32 (sz 256) & u64) = + if sample_at <=. out_index + then + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + out_index + (result.[ sample_at ] <: i32) + in + let out_index:usize = out_index +! sz 1 in + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + sample_at + (1l -! (2l *! (cast (signs &. 1uL <: u64) <: i32) <: i32) <: i32) + in + let signs:u64 = signs >>! 1l in + out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) + else out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) + in + let done:bool = + out_index =. (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) + in + done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64) + else done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) + in + let hax_temp_output:bool = done in + out_index, signs, result, hax_temp_output <: (usize & u64 & t_Array i32 (sz 256) & bool) + let sample_challenge_ring_element (#v_SIMDUnit #v_Shake256: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti index b10105ece..7991fde68 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti @@ -16,19 +16,6 @@ val generate_domain_separator: (u8 & u8) -> Prims.Pure u16 Prims.l_True (fun _ - val sample_up_to_four_ring_elements_flat__xy (index width: usize) : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -val add_domain_separator (slice: t_Slice u8) (indices: (u8 & u8)) - : Prims.Pure (t_Array u8 (sz 34)) Prims.l_True (fun _ -> Prims.l_True) - -val add_error_domain_separator (slice: t_Slice u8) (domain_separator: u16) - : Prims.Pure (t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True) - -val inside_out_shuffle - (randomness: t_Slice u8) - (out_index: usize) - (signs: u64) - (result: t_Array i32 (sz 256)) - : Prims.Pure (usize & u64 & t_Array i32 (sz 256) & bool) Prims.l_True (fun _ -> Prims.l_True) - val rejection_sample_less_than_eta_equals_2_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} @@ -62,6 +49,19 @@ val rejection_sample_less_than_field_modulus (out: t_Array i32 (sz 263)) : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) +val add_domain_separator (slice: t_Slice u8) (indices: (u8 & u8)) + : Prims.Pure (t_Array u8 (sz 34)) Prims.l_True (fun _ -> Prims.l_True) + +val add_error_domain_separator (slice: t_Slice u8) (domain_separator: u16) + : Prims.Pure (t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True) + +val inside_out_shuffle + (randomness: t_Slice u8) + (out_index: usize) + (signs: u64) + (result: t_Array i32 (sz 256)) + : Prims.Pure (usize & u64 & t_Array i32 (sz 256) & bool) Prims.l_True (fun _ -> Prims.l_True) + val sample_challenge_ring_element (#v_SIMDUnit #v_Shake256: Type0) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst index a4bb19249..b1ecfa303 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst @@ -347,7 +347,8 @@ let decompose (gamma2: i32) (r r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) let use_hint (gamma2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let r0, r1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) = - Libcrux_ml_dsa.Simd.Avx2.Vector_type.zero (), Libcrux_ml_dsa.Simd.Avx2.Vector_type.zero () + Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 (), + Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst index da803f26d..9a4782dfd 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst @@ -46,96 +46,112 @@ let simd_unit_invert_ntt_at_layer_0_ let b_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums differences in - let a:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_shuffled - in - let b:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_shuffled - in - a, b <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + let a:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_shuffled + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + let b:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_shuffled + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + a, b + <: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) let invert_ntt_at_layer_0___round - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta00 zeta01 zeta02 zeta03 zeta10 zeta11 zeta12 zeta13: i32) = - let lhs, lhs_1_:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & - Libcrux_intrinsics.Avx2_extract.t_Vec256) = - simd_unit_invert_ntt_at_layer_0_ (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) zeta00 zeta01 - zeta02 zeta03 zeta10 zeta11 zeta12 zeta13 - in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let lhs, lhs_1_:(Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) = + simd_unit_invert_ntt_at_layer_0_ (re.[ index ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + (re.[ index +! sz 1 <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value zeta00 zeta01 zeta02 zeta03 zeta10 zeta11 + zeta12 zeta13 + in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index lhs in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) lhs_1_ in let _:Prims.unit = () in re -let invert_ntt_at_layer_0_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let invert_ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 0) 1976782l (-846154l) 1400424l 3937738l (-1362209l) (-48306l) 3919660l (-554416l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 2) (-3545687l) 1612842l (-976891l) 183443l (-2286327l) (-420899l) (-2235985l) (-2939036l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 4) (-3833893l) (-260646l) (-1104333l) (-1667432l) 1910376l (-1803090l) 1723600l (-426683l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 6) 472078l 1717735l (-975884l) 2213111l 269760l 3866901l 3523897l (-3038916l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 8) (-1799107l) (-3694233l) 1652634l 810149l 3014001l 1616392l 162844l (-3183426l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 10) (-1207385l) 185531l 3369112l 1957272l (-164721l) 2454455l 2432395l (-2013608l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 12) (-3776993l) 594136l (-3724270l) (-2584293l) (-1846953l) (-1671176l) (-2831860l) (-542412l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 14) 3406031l 2235880l 777191l 1500165l (-1374803l) (-2546312l) 1917081l (-1279661l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 16) (-1962642l) 3306115l 1312455l (-451100l) (-1430225l) (-3318210l) 1237275l (-1333058l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 18) (-1050970l) 1903435l 1869119l (-2994039l) (-3548272l) 2635921l 1250494l (-3767016l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 20) 1595974l 2486353l 1247620l 4055324l 1265009l (-2590150l) 2691481l 2842341l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 22) 203044l 1735879l (-3342277l) 3437287l 4108315l (-2437823l) 286988l 342297l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 24) (-3595838l) (-768622l) (-525098l) (-3556995l) 3207046l 2031748l (-3122442l) (-655327l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 26) (-522500l) (-43260l) (-1613174l) 495491l 819034l 909542l 1859098l 900702l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 28) (-3193378l) (-1197226l) (-3759364l) (-3520352l) 3513181l (-1235728l) 2434439l 266997l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_0___round re (sz 30) (-3562462l) (-2446433l) 2244091l (-3342478l) 3817976l 2316500l 3407706l 2091667l in @@ -172,84 +188,100 @@ let simd_unit_invert_ntt_at_layer_1_ let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas in - let a:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums differences - in - let b:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums differences - in - a, b <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + let a:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums differences + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + let b:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums differences + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + a, b + <: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) let invert_ntt_at_layer_1___round - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta_00_ zeta_01_ zeta_10_ zeta_11_: i32) = - let lhs, lhs_1_:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & - Libcrux_intrinsics.Avx2_extract.t_Vec256) = - simd_unit_invert_ntt_at_layer_1_ (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + let lhs, lhs_1_:(Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) = + simd_unit_invert_ntt_at_layer_1_ (re.[ index ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + (re.[ index +! sz 1 <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value zeta_00_ zeta_01_ zeta_10_ zeta_11_ in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index lhs in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) lhs_1_ in let _:Prims.unit = () in re -let invert_ntt_at_layer_1_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let invert_ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 0) 3839961l (-3628969l) (-3881060l) (-3019102l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 2) (-1439742l) (-812732l) (-1584928l) 1285669l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 4) 1341330l 1315589l (-177440l) (-2409325l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 6) (-1851402l) 3159746l (-3553272l) 189548l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 8) (-1316856l) 759969l (-210977l) 2389356l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 10) (-3249728l) 1653064l (-8578l) (-3724342l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 12) 3958618l 904516l (-1100098l) 44288l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 14) 3097992l 508951l 264944l (-3343383l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 16) (-1430430l) 1852771l 1349076l (-381987l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 18) (-1308169l) (-22981l) (-1228525l) (-671102l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 20) (-2477047l) (-411027l) (-3693493l) (-2967645l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 22) 2715295l 2147896l (-983419l) 3412210l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 24) 126922l (-3632928l) (-3157330l) (-3190144l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 26) (-1000202l) (-4083598l) 1939314l (-1257611l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 28) (-1585221l) 2176455l 3475950l (-1452451l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_1___round re (sz 30) (-3041255l) (-3677745l) (-1528703l) (-3930395l) in re @@ -278,82 +310,98 @@ let simd_unit_invert_ntt_at_layer_2_ let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas in - let a:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l sums differences - in - let b:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l sums differences - in - a, b <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + let a:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l sums differences + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + let b:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l sums differences + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + a, b + <: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) let invert_ntt_at_layer_2___round - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta1 zeta2: i32) = - let lhs, lhs_1_:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & - Libcrux_intrinsics.Avx2_extract.t_Vec256) = - simd_unit_invert_ntt_at_layer_2_ (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + let lhs, lhs_1_:(Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) = + simd_unit_invert_ntt_at_layer_2_ (re.[ index ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + (re.[ index +! sz 1 <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value zeta1 zeta2 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index lhs in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) lhs_1_ in let _:Prims.unit = () in re -let invert_ntt_at_layer_2_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let invert_ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 0) (-2797779l) 2071892l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 2) (-2556880l) 3900724l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 4) 3881043l 954230l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 6) 531354l 811944l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 8) 3699596l (-1600420l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 10) (-2140649l) 3507263l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 12) (-3821735l) 3505694l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 14) (-1643818l) (-1699267l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 16) (-539299l) 2348700l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 18) (-300467l) 3539968l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 20) (-2867647l) 3574422l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 22) (-3043716l) (-3861115l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 24) 3915439l (-2537516l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 26) (-3592148l) (-1661693l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 28) 3530437l 3077325l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_at_layer_2___round re (sz 30) 95776l 2706023l in re @@ -361,194 +409,237 @@ let invert_ntt_at_layer_2_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 let outer_3_plus (v_OFFSET v_STEP_BY: usize) (v_ZETA: i32) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Folds.fold_range v_OFFSET (v_OFFSET +! v_STEP_BY <: usize) (fun re temp_1_ -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = re in let _:usize = temp_1_ in true) re (fun re j -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = re in let j:usize = j in let a_minus_b:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (re.[ j +! v_STEP_BY <: usize ] <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ j ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + (re.[ j ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re j - (Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 (re.[ j ] - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ j +! v_STEP_BY <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + ({ + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 (re.[ j ] + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + (re.[ j +! v_STEP_BY <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + ) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! v_STEP_BY <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant a_minus_b v_ZETA + ({ + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant a_minus_b + v_ZETA + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in re) in let hax_temp_output:Prims.unit = () <: Prims.unit in re -let invert_ntt_at_layer_3_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let invert_ntt_at_layer_3_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 0) (sz 1) 280005l re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 2) (sz 1) 4010497l re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 4) (sz 1) (-19422l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 6) (sz 1) 1757237l re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 8) (sz 1) (-3277672l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 10) (sz 1) (-1399561l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 12) (sz 1) (-3859737l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 14) (sz 1) (-2118186l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 16) (sz 1) (-2108549l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 18) (sz 1) 2619752l re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 20) (sz 1) (-1119584l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 22) (sz 1) (-549488l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 24) (sz 1) 3585928l re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 26) (sz 1) (-1079900l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 28) (sz 1) 1024112l re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 30) (sz 1) 2725464l re in re -let invert_ntt_at_layer_4_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let invert_ntt_at_layer_4_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 0) (sz 2) 2680103l re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 4) (sz 2) 3111497l re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 8) (sz 2) (-2884855l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 12) (sz 2) 3119733l re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 16) (sz 2) (-2091905l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 20) (sz 2) (-359251l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 24) (sz 2) 2353451l re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 28) (sz 2) 1826347l re in re -let invert_ntt_at_layer_5_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let invert_ntt_at_layer_5_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 0) (sz 4) 466468l re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 8) (sz 4) (-876248l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 16) (sz 4) (-777960l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 24) (sz 4) 237124l re in re -let invert_ntt_at_layer_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let invert_ntt_at_layer_6_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 0) (sz 8) (-518909l) re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 16) (sz 8) (-2608894l) re in re -let invert_ntt_at_layer_7_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let invert_ntt_at_layer_7_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = outer_3_plus (sz 0) (sz 16) 25847l re in re -let invert_ntt_montgomery__inv_inner (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_0_ re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_1_ re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_2_ re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_3_ re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_4_ re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_5_ re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_6_ re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = invert_ntt_at_layer_7_ re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let invert_ntt_montgomery__inv_inner + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = + invert_ntt_at_layer_0_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = + invert_ntt_at_layer_1_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = + invert_ntt_at_layer_2_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = + invert_ntt_at_layer_3_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = + invert_ntt_at_layer_4_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = + invert_ntt_at_layer_5_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = + invert_ntt_at_layer_6_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = + invert_ntt_at_layer_7_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 - (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + (re <: t_Slice Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) <: usize) (fun re temp_1_ -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = re in let _:usize = temp_1_ in true) re (fun re i -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = re in let i:usize = i in Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re i - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant (re.[ i ] - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - invert_ntt_montgomery__inv_inner__FACTOR + ({ + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant (re.[ i ] + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + invert_ntt_montgomery__inv_inner__FACTOR + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) <: - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) in let hax_temp_output:Prims.unit = () <: Prims.unit in re -let invert_ntt_montgomery (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let invert_ntt_montgomery (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = invert_ntt_montgomery__inv_inner re in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti index cd43cba2e..0903ff088 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti @@ -31,20 +31,19 @@ val simd_unit_invert_ntt_at_layer_0_ (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta00 zeta01 zeta02 zeta03 zeta10 zeta11 zeta12 zeta13: i32) : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - Prims.l_True - (fun _ -> Prims.l_True) + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + ) Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_at_layer_0___round - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta00 zeta01 zeta02 zeta03 zeta10 zeta11 zeta12 zeta13: i32) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_0_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val invert_ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) @@ -52,20 +51,19 @@ val simd_unit_invert_ntt_at_layer_1_ (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta00 zeta01 zeta10 zeta11: i32) : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - Prims.l_True - (fun _ -> Prims.l_True) + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + ) Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_at_layer_1___round - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta_00_ zeta_01_ zeta_10_ zeta_11_: i32) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_1_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val invert_ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) @@ -73,62 +71,62 @@ val simd_unit_invert_ntt_at_layer_2_ (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - Prims.l_True - (fun _ -> Prims.l_True) + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + ) Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_at_layer_2___round - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta1 zeta2: i32) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_2_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val invert_ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val outer_3_plus (v_OFFSET v_STEP_BY: usize) (v_ZETA: i32) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_3_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val invert_ntt_at_layer_3_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_4_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val invert_ntt_at_layer_4_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_5_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val invert_ntt_at_layer_5_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val invert_ntt_at_layer_6_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_7_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val invert_ntt_at_layer_7_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_montgomery__inv_inner (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val invert_ntt_montgomery__inv_inner + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_montgomery (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val invert_ntt_montgomery (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst index 0e6894cda..cdc59b38d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst @@ -4,7 +4,7 @@ open Core open FStar.Mul let ntt_at_layer_7_and_6___mul - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta: Libcrux_intrinsics.Avx2_extract.t_Vec256) (step_by: usize) @@ -13,13 +13,15 @@ let ntt_at_layer_7_and_6___mul let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ index +! step_by <: usize ] <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value zeta in let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l - (re.[ index +! step_by <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ index +! step_by <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value <: Libcrux_intrinsics.Avx2_extract.t_Vec256) (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta @@ -50,45 +52,63 @@ let ntt_at_layer_7_and_6___mul let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! step_by <: usize) - (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ index ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! step_by <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ index +! step_by <: usize ] - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - t + ({ + (re.[ index +! step_by <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) with + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ index +! step_by <: usize ] + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + t + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ index ] - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - t + ({ + (re.[ index ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) with + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + t + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in re let butterfly_2_ - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) = let a:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l - (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ index ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value in let b:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l - (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ index +! sz 1 <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value in let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a b @@ -121,38 +141,54 @@ let butterfly_2_ let b_terms_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_terms_shuffled + ({ + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_terms_shuffled + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_terms_shuffled + ({ + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_terms_shuffled + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in re let butterfly_4_ - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) = let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 (re.[ index ] <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + (re.[ index +! sz 1 <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value in let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 (re.[ index ] <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + (re.[ index +! sz 1 <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value in let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b1 @@ -173,42 +209,58 @@ let butterfly_4_ let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 summands zeta_products in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms + ({ + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) - (Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms + ({ + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in re let butterfly_8_ - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta0 zeta1: i32) = let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 - (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ index +! sz 1 <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value <: Libcrux_intrinsics.Avx2_extract.t_Vec128) (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 (re.[ index ] <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value <: Libcrux_intrinsics.Avx2_extract.t_Vec128) in let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l - (re.[ index +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ index ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ index +! sz 1 <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + (re.[ index ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value in let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0 @@ -222,197 +274,209 @@ let butterfly_8_ let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 summands zeta_products in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 - sub_terms - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 add_terms - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) + ({ + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 + sub_terms + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 add_terms + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) - (Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l sub_terms add_terms + ({ + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l sub_terms add_terms + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in re -let ntt_at_layer_0_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 0) 2091667l 3407706l 2316500l 3817976l (-3342478l) 2244091l (-2446433l) (-3562462l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 2) 266997l 2434439l (-1235728l) 3513181l (-3520352l) (-3759364l) (-1197226l) (-3193378l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 4) 900702l 1859098l 909542l 819034l 495491l (-1613174l) (-43260l) (-522500l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l (-3556995l) (-525098l) (-768622l) (-3595838l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 8) 342297l 286988l (-2437823l) 4108315l 3437287l (-3342277l) 1735879l 203044l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 10) 2842341l 2691481l (-2590150l) 1265009l 4055324l 1247620l 2486353l 1595974l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) (-2994039l) 1869119l 1903435l (-1050970l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) (-451100l) 1312455l 3306115l (-1962642l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) 1500165l 777191l 2235880l 3406031l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) (-2584293l) (-3724270l) 594136l (-3776993l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) 1957272l 3369112l 185531l (-1207385l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 22) (-3183426l) 162844l 1616392l 3014001l 810149l 1652634l (-3694233l) (-1799107l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 24) (-3038916l) 3523897l 3866901l 269760l 2213111l (-975884l) 1717735l 472078l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l (-1667432l) (-1104333l) (-260646l) (-3833893l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) 183443l (-976891l) 1612842l (-3545687l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_2_ re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) 3937738l 1400424l (-846154l) 1976782l in re -let ntt_at_layer_1_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 0) (-3930395l) (-1528703l) (-3677745l) (-3041255l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 2) (-1452451l) 3475950l 2176455l (-1585221l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 4) (-1257611l) 1939314l (-4083598l) (-1000202l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 6) (-3190144l) (-3157330l) (-3632928l) 126922l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 8) 3412210l (-983419l) 2147896l 2715295l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 10) (-2967645l) (-3693493l) (-411027l) (-2477047l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 12) (-671102l) (-1228525l) (-22981l) (-1308169l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 14) (-381987l) 1349076l 1852771l (-1430430l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 16) (-3343383l) 264944l 508951l 3097992l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 18) 44288l (-1100098l) 904516l 3958618l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 20) (-3724342l) (-8578l) 1653064l (-3249728l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 22) 2389356l (-210977l) 759969l (-1316856l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 24) 189548l (-3553272l) 3159746l (-1851402l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 26) (-2409325l) (-177440l) 1315589l 1341330l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 28) 1285669l (-1584928l) (-812732l) (-1439742l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_4_ re (sz 30) (-3019102l) (-3881060l) (-3628969l) 3839961l in re -let ntt_at_layer_2_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 0) 2706023l 95776l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 2) 3077325l 3530437l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 4) (-1661693l) (-3592148l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 6) (-2537516l) 3915439l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 8) (-3861115l) (-3043716l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 10) 3574422l (-2867647l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 12) 3539968l (-300467l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 14) 2348700l (-539299l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 16) (-1699267l) (-1643818l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 18) 3505694l (-3821735l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 20) 3507263l (-2140649l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 22) (-1600420l) 3699596l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 24) 811944l 531354l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 26) 954230l 3881043l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 28) 3900724l (-2556880l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = butterfly_8_ re (sz 30) 2071892l (-2797779l) in re -let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = +let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS in @@ -432,7 +496,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 let zeta61:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-518909l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 0) zeta7 @@ -440,7 +504,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 0 +! sz 1 <: usize) zeta7 @@ -448,7 +512,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 0 +! sz 2 <: usize) zeta7 @@ -456,7 +520,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 0 +! sz 3 <: usize) zeta7 @@ -465,7 +529,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 inverse_of_modulus_mod_montgomery_r in let _:Prims.unit = () in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 8) zeta7 @@ -473,7 +537,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 8 +! sz 1 <: usize) zeta7 @@ -481,7 +545,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 8 +! sz 2 <: usize) zeta7 @@ -489,7 +553,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 8 +! sz 3 <: usize) zeta7 @@ -498,7 +562,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 inverse_of_modulus_mod_montgomery_r in let _:Prims.unit = () in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 0) zeta60 @@ -506,7 +570,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 0 +! sz 1 <: usize) zeta60 @@ -514,7 +578,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 0 +! sz 2 <: usize) zeta60 @@ -522,7 +586,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 0 +! sz 3 <: usize) zeta60 @@ -531,7 +595,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 inverse_of_modulus_mod_montgomery_r in let _:Prims.unit = () in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 16) zeta61 @@ -539,7 +603,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 16 +! sz 1 <: usize) zeta61 @@ -547,7 +611,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 16 +! sz 2 <: usize) zeta61 @@ -555,7 +619,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 16 +! sz 3 <: usize) zeta61 @@ -564,7 +628,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 inverse_of_modulus_mod_montgomery_r in let _:Prims.unit = () in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 4) zeta7 @@ -572,7 +636,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 4 +! sz 1 <: usize) zeta7 @@ -580,7 +644,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 4 +! sz 2 <: usize) zeta7 @@ -588,7 +652,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 4 +! sz 3 <: usize) zeta7 @@ -597,7 +661,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 inverse_of_modulus_mod_montgomery_r in let _:Prims.unit = () in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 12) zeta7 @@ -605,7 +669,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 12 +! sz 1 <: usize) zeta7 @@ -613,7 +677,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 12 +! sz 2 <: usize) zeta7 @@ -621,7 +685,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 12 +! sz 3 <: usize) zeta7 @@ -630,7 +694,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 inverse_of_modulus_mod_montgomery_r in let _:Prims.unit = () in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 4) zeta60 @@ -638,7 +702,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 4 +! sz 1 <: usize) zeta60 @@ -646,7 +710,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 4 +! sz 2 <: usize) zeta60 @@ -654,7 +718,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 4 +! sz 3 <: usize) zeta60 @@ -663,7 +727,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 inverse_of_modulus_mod_montgomery_r in let _:Prims.unit = () in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 20) zeta61 @@ -671,7 +735,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 20 +! sz 1 <: usize) zeta61 @@ -679,7 +743,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 20 +! sz 2 <: usize) zeta61 @@ -687,7 +751,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 field_modulus inverse_of_modulus_mod_montgomery_r in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6___mul re (sz 20 +! sz 3 <: usize) zeta61 @@ -700,7 +764,7 @@ let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 let ntt_at_layer_5_to_3___round (v_STEP v_STEP_BY: usize) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta: i32) = @@ -711,155 +775,180 @@ let ntt_at_layer_5_to_3___round ((index *! v_STEP <: usize) *! sz 2 <: usize) /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Folds.fold_range offset (offset +! v_STEP_BY <: usize) (fun re temp_1_ -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = re in let _:usize = temp_1_ in true) re (fun re j -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = re in let j:usize = j in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! v_STEP_BY <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! v_STEP_BY <: usize - ] - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - rhs + ({ + (re.[ j +! v_STEP_BY <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) with + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! v_STEP_BY + <: + usize ] + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + rhs + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in let tmp:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (re.[ j ] <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ j +! v_STEP_BY <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + (re.[ j +! v_STEP_BY <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re j - (Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 (re.[ j ] - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ j +! v_STEP_BY <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + ({ + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 (re.[ j ] + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + (re.[ j +! v_STEP_BY <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + ) + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256 + } <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! v_STEP_BY <: usize) - tmp + ({ Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value = tmp } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) in re) in let hax_temp_output:Prims.unit = () <: Prims.unit in re -let ntt_at_layer_5_to_3_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = +let ntt_at_layer_5_to_3_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 0) 237124l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 1) (-777960l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 2) (-876248l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 3) 466468l in let _:Prims.unit = () in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 0) 1826347l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 1) 2353451l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 2) (-359251l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 3) (-2091905l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 4) 3119733l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 5) (-2884855l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 6) 3111497l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 7) 2680103l in let _:Prims.unit = () in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 0) 2725464l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 1) 1024112l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 2) (-1079900l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 3) 3585928l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 4) (-549488l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 5) (-1119584l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 6) 2619752l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 7) (-2108549l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 8) (-2118186l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 9) (-3859737l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 10) (-1399561l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 11) (-3277672l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 12) 1757237l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 13) (-19422l) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 14) 4010497l in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 15) 280005l in let _:Prims.unit = () in let hax_temp_output:Prims.unit = () <: Prims.unit in re -let ntt__avx2_ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_7_and_6_ re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_5_to_3_ re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_2_ re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_1_ re in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = ntt_at_layer_0_ re in +let ntt__avx2_ntt (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_7_and_6_ re in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_5_to_3_ re in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_2_ re in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_1_ re in + let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = ntt_at_layer_0_ re in re -let ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let hax_temp_output, re:(Prims.unit & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - (), ntt__avx2_ntt re <: (Prims.unit & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +let ntt (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + let hax_temp_output, re:(Prims.unit & + t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) = + (), ntt__avx2_ntt re + <: + (Prims.unit & t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti index da6a0f9c0..02c44d807 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti @@ -12,12 +12,12 @@ let ntt_at_layer_5_to_3___STEP_1: usize = sz 1 < Prims.l_True) @@ -37,75 +37,75 @@ let ntt_at_layer_7_and_6___STEP_BY_7_: usize = sz 2 *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT val butterfly_2_ - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val butterfly_4_ - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val butterfly_8_ - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta0 zeta1: i32) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_0_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_1_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_2_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) /// This is equivalent to the pqclean 0 and 1 /// This does 32 Montgomery multiplications (192 multiplications). /// This is the same as in pqclean. The only difference is locality of registers. -val ntt_at_layer_7_and_6_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val ntt_at_layer_7_and_6_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val ntt_at_layer_5_to_3___round (v_STEP v_STEP_BY: usize) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) (zeta: i32) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) /// Layer 5, 4, 3 /// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total /// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48) -val ntt_at_layer_5_to_3_ (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val ntt_at_layer_5_to_3_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt__avx2_ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val ntt__avx2_ntt (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) +val ntt (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst index 889c3bb6c..223d7ca5e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst @@ -3,31 +3,32 @@ module Libcrux_ml_dsa.Simd.Avx2.Vector_type open Core open FStar.Mul -let from_coefficient_array - (coefficient_array: t_Slice i32) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - = - let hax_temp_output, out:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = - (), Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array +let from_coefficient_array (coefficient_array: t_Slice i32) (out: t_Vec256) = + let hax_temp_output, out:(Prims.unit & t_Vec256) = + (), + ({ out with f_value = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array } + <: + t_Vec256) <: - (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Prims.unit & t_Vec256) in out -let to_coefficient_array (value: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice i32) = - let out:t_Slice i32 = Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 out value in +let to_coefficient_array (value: t_Vec256) (out: t_Slice i32) = + let out:t_Slice i32 = Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 out value.f_value in out -let zero (_: Prims.unit) = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () +let zero (_: Prims.unit) = + { f_value = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_Vec256 [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl': Core.Clone.t_Clone t_AVX2SIMDUnit +val impl': Core.Clone.t_Clone t_Vec256 let impl = impl' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_1': Core.Marker.t_Copy t_AVX2SIMDUnit +val impl_1': Core.Marker.t_Copy t_Vec256 let impl_1 = impl_1' diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti index 04bc27f9d..6d962b8d6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti @@ -3,25 +3,22 @@ module Libcrux_ml_dsa.Simd.Avx2.Vector_type open Core open FStar.Mul -/// An empty type to implement the SIMD operations on -type t_AVX2SIMDUnit = | AVX2SIMDUnit : t_AVX2SIMDUnit +/// The vector type +type t_Vec256 = { f_value:Libcrux_intrinsics.Avx2_extract.t_Vec256 } /// Create a coefficient from an `i32` array -val from_coefficient_array - (coefficient_array: t_Slice i32) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val from_coefficient_array (coefficient_array: t_Slice i32) (out: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) /// Write out the coefficient to an `i32` array -val to_coefficient_array (value: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice i32) +val to_coefficient_array (value: t_Vec256) (out: t_Slice i32) : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) /// Create an all-zero vector coefficient -val zero: Prims.unit - -> Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val zero: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Core.Clone.t_Clone t_AVX2SIMDUnit +val impl:Core.Clone.t_Clone t_Vec256 [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Core.Marker.t_Copy t_AVX2SIMDUnit +val impl_1:Core.Marker.t_Copy t_Vec256 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti index c01940791..d0c1cea06 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti @@ -6,576 +6,9 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_intrinsics.Avx2_extract in let open Libcrux_ml_dsa.Simd.Avx2.Vector_type in () /// Implementing the [`Operations`] for AVX2. [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations -Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = - { - _super_13011033735201511749 = FStar.Tactics.Typeclasses.solve; - _super_9529721400157967266 = FStar.Tactics.Typeclasses.solve; - f_Coefficient = Libcrux_intrinsics.Avx2_extract.t_Vec256; - f_Coefficient_2030105210046411076 = FStar.Tactics.Typeclasses.solve; - f_zero_pre = (fun (_: Prims.unit) -> true); - f_zero_post = (fun (_: Prims.unit) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); - f_zero = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Avx2.Vector_type.zero ()); - f_from_coefficient_array_pre - = - (fun (coefficient_array: t_Slice i32) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); - f_from_coefficient_array_post - = - (fun - (coefficient_array: t_Slice i32) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_from_coefficient_array - = - (fun (coefficient_array: t_Slice i32) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> - let hax_temp_output, out:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = - (), Libcrux_ml_dsa.Simd.Avx2.Vector_type.from_coefficient_array coefficient_array out - <: - (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - out); - f_to_coefficient_array_pre - = - (fun (value: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice i32) -> true); - f_to_coefficient_array_post - = - (fun (value: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice i32) (out1: t_Slice i32) -> - true); - f_to_coefficient_array - = - (fun (value: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice i32) -> - let hax_temp_output, out:(Prims.unit & t_Slice i32) = - (), Libcrux_ml_dsa.Simd.Avx2.Vector_type.to_coefficient_array value out - <: - (Prims.unit & t_Slice i32) - in - out); - f_add_pre - = - (fun - (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_add_post - = - (fun - (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_add - = - (fun - (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - let hax_temp_output, lhs:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = - (), Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lhs rhs - <: - (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - lhs); - f_subtract_pre - = - (fun - (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_subtract_post - = - (fun - (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_subtract - = - (fun - (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - let hax_temp_output, lhs:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = - (), Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract lhs rhs - <: - (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - lhs); - f_montgomery_multiply_pre - = - (fun - (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_montgomery_multiply_post - = - (fun - (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_montgomery_multiply - = - (fun - (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply lhs rhs - in - lhs); - f_shift_left_then_reduce_pre - = - (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); - f_shift_left_then_reduce_post - = - (fun - (v_SHIFT_BY: i32) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_shift_left_then_reduce - = - (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> - let hax_temp_output, simd_unit:(Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) = - (), Libcrux_ml_dsa.Simd.Avx2.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit - <: - (Prims.unit & Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - simd_unit); - f_power2round_pre - = - (fun - (t0: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (t1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_power2round_post - = - (fun - (t0: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (t1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)) - -> - true); - f_power2round - = - (fun - (t0: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (t1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - let tmp0, tmp1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & - Libcrux_intrinsics.Avx2_extract.t_Vec256) = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.power2round t0 t1 - in - let t0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = tmp0 in - let t1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = tmp1 in - let _:Prims.unit = () in - t0, t1 - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_infinity_norm_exceeds_pre - = - (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) -> true); - f_infinity_norm_exceeds_post - = - (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) (out: bool) -> true); - f_infinity_norm_exceeds - = - (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) -> - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.infinity_norm_exceeds simd_unit bound); - f_decompose_pre - = - (fun - (gamma2: i32) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_decompose_post - = - (fun - (gamma2: i32) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)) - -> - true); - f_decompose - = - (fun - (gamma2: i32) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - let tmp0, tmp1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & - Libcrux_intrinsics.Avx2_extract.t_Vec256) = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.decompose gamma2 simd_unit low high - in - let low:Libcrux_intrinsics.Avx2_extract.t_Vec256 = tmp0 in - let high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = tmp1 in - let _:Prims.unit = () in - low, high - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_compute_hint_pre - = - (fun - (v_GAMMA2: i32) - (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_compute_hint_post - = - (fun - (v_GAMMA2: i32) - (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out2: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize)) - -> - true); - f_compute_hint - = - (fun - (v_GAMMA2: i32) - (low: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (high: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - let tmp0, out1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize) = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.compute_hint v_GAMMA2 low high hint - in - let hint:Libcrux_intrinsics.Avx2_extract.t_Vec256 = tmp0 in - let hax_temp_output:usize = out1 in - hint, hax_temp_output <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize)); - f_use_hint_pre - = - (fun - (gamma2: i32) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_use_hint_post - = - (fun - (gamma2: i32) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_use_hint - = - (fun - (gamma2: i32) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - let hint:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.use_hint gamma2 simd_unit hint - in - hint); - f_rejection_sample_less_than_field_modulus_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_field_modulus_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_field_modulus - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.sample randomness out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_rejection_sample_less_than_eta_equals_2_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_eta_equals_2_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_eta_equals_2_ - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 2) randomness out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_rejection_sample_less_than_eta_equals_4_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_eta_equals_4_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_eta_equals_4_ - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 4) randomness out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_gamma1_serialize_pre - = - (fun - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (serialized: t_Slice u8) - (gamma1_exponent: usize) - -> - true); - f_gamma1_serialize_post - = - (fun - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (serialized: t_Slice u8) - (gamma1_exponent: usize) - (out: t_Slice u8) - -> - true); - f_gamma1_serialize - = - (fun - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (serialized: t_Slice u8) - (gamma1_exponent: usize) - -> - let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = - (), - Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize simd_unit serialized gamma1_exponent - <: - (Prims.unit & t_Slice u8) - in - serialized); - f_gamma1_deserialize_pre - = - (fun - (serialized: t_Slice u8) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (gamma1_exponent: usize) - -> - true); - f_gamma1_deserialize_post - = - (fun - (serialized: t_Slice u8) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (gamma1_exponent: usize) - (out1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_gamma1_deserialize - = - (fun - (serialized: t_Slice u8) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (gamma1_exponent: usize) - -> - let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize serialized out gamma1_exponent - in - out); - f_commitment_serialize_pre - = - (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (serialized: t_Slice u8) -> true); - f_commitment_serialize_post - = - (fun - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (serialized: t_Slice u8) - (out: t_Slice u8) - -> - true); - f_commitment_serialize - = - (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (serialized: t_Slice u8) -> - let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = - (), Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.serialize simd_unit serialized - <: - (Prims.unit & t_Slice u8) - in - serialized); - f_error_serialize_pre - = - (fun - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (serialized: t_Slice u8) - -> - true); - f_error_serialize_post - = - (fun - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (serialized: t_Slice u8) - (out: t_Slice u8) - -> - true); - f_error_serialize - = - (fun - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (serialized: t_Slice u8) - -> - let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = - (), Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize eta simd_unit serialized - <: - (Prims.unit & t_Slice u8) - in - serialized); - f_error_deserialize_pre - = - (fun - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (serialized: t_Slice u8) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_error_deserialize_post - = - (fun - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (serialized: t_Slice u8) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_error_deserialize - = - (fun - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (serialized: t_Slice u8) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize eta serialized out - in - out); - f_t0_serialize_pre - = - (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) -> true); - f_t0_serialize_post - = - (fun - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out: t_Slice u8) - (out1: t_Slice u8) - -> - true); - f_t0_serialize - = - (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) -> - let out:t_Slice u8 = Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.serialize simd_unit out in - out); - f_t0_deserialize_pre - = - (fun (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); - f_t0_deserialize_post - = - (fun - (serialized: t_Slice u8) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_t0_deserialize - = - (fun (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> - let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.deserialize serialized out - in - out); - f_t1_serialize_pre - = - (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) -> true); - f_t1_serialize_post - = - (fun - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out: t_Slice u8) - (out1: t_Slice u8) - -> - true); - f_t1_serialize - = - (fun (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) -> - let out:t_Slice u8 = Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.serialize simd_unit out in - out); - f_t1_deserialize_pre - = - (fun (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); - f_t1_deserialize_post - = - (fun - (serialized: t_Slice u8) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - -> - true); - f_t1_deserialize - = - (fun (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> - let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.deserialize serialized out - in - out); - f_ntt_pre = (fun (simd_units: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) -> true); - f_ntt_post - = - (fun - (simd_units: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - (out: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - -> - true); - f_ntt - = - (fun (simd_units: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) -> - let simd_units:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt simd_units - in - simd_units); - f_invert_ntt_montgomery_pre - = - (fun (simd_units: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) -> true); - f_invert_ntt_montgomery_post - = - (fun - (simd_units: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - (out: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - -> - true); - f_invert_ntt_montgomery - = - fun (simd_units: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) -> - let simd_units:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = - Libcrux_ml_dsa.Simd.Avx2.Invntt.invert_ntt_montgomery simd_units - in - simd_units - } +val impl:Libcrux_ml_dsa.Simd.Traits.t_Operations Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst index 2e36713a6..a10f7996f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst @@ -120,88 +120,182 @@ let use_one_hint (gamma2 r hint: i32) = <: Rust_primitives.Hax.t_Never) -let add (lhs rhs: t_Array i32 (sz 8)) = - let lhs:t_Array i32 (sz 8) = +let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 (lhs <: t_Slice i32) <: usize) + (Core.Slice.impl__len #i32 + (lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + <: + usize) (fun lhs temp_1_ -> - let lhs:t_Array i32 (sz 8) = lhs in + let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in let _:usize = temp_1_ in true) lhs (fun lhs i -> - let lhs:t_Array i32 (sz 8) = lhs in + let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - i - ((lhs.[ i ] <: i32) +! (rhs.[ i ] <: i32) <: i32) + { + lhs with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) +! + (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in let hax_temp_output:Prims.unit = () <: Prims.unit in lhs -let compute_hint (v_GAMMA2: i32) (low high hint: t_Array i32 (sz 8)) = +let compute_hint + (v_GAMMA2: i32) + (low high hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + = let one_hints_count:usize = sz 0 in - let hint, one_hints_count:(t_Array i32 (sz 8) & usize) = + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 (hint <: t_Slice i32) <: usize) + (Core.Slice.impl__len #i32 + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + <: + usize) (fun temp_0_ temp_1_ -> - let hint, one_hints_count:(t_Array i32 (sz 8) & usize) = temp_0_ in + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize + ) = + temp_0_ + in let _:usize = temp_1_ in true) - (hint, one_hints_count <: (t_Array i32 (sz 8) & usize)) + (hint, one_hints_count <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize)) (fun temp_0_ i -> - let hint, one_hints_count:(t_Array i32 (sz 8) & usize) = temp_0_ in + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize + ) = + temp_0_ + in let i:usize = i in - let hint:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint - i - (compute_one_hint v_GAMMA2 (low.[ i ] <: i32) (high.[ i ] <: i32) <: i32) + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + hint with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + i + (compute_one_hint v_GAMMA2 + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + (high.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let one_hints_count:usize = + one_hints_count +! + (cast (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) <: usize) in - let one_hints_count:usize = one_hints_count +! (cast (hint.[ i ] <: i32) <: usize) in - hint, one_hints_count <: (t_Array i32 (sz 8) & usize)) + hint, one_hints_count <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize) + ) in let hax_temp_output:usize = one_hints_count in - hint, hax_temp_output <: (t_Array i32 (sz 8) & usize) + hint, hax_temp_output <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize) -let decompose (gamma2: i32) (simd_unit low high: t_Array i32 (sz 8)) = - let high, low:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = +let decompose + (gamma2: i32) + (simd_unit low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + = + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 (low <: t_Slice i32) <: usize) + (Core.Slice.impl__len #i32 + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + <: + usize) (fun temp_0_ temp_1_ -> - let high, low:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = temp_0_ in + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + temp_0_ + in let _:usize = temp_1_ in true) - (high, low <: (t_Array i32 (sz 8) & t_Array i32 (sz 8))) + (high, low + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)) (fun temp_0_ i -> - let high, low:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = temp_0_ in + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + temp_0_ + in let i:usize = i in - let lhs, lhs_1_:(i32 & i32) = decompose_element gamma2 (simd_unit.[ i ] <: i32) in - let low:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low i lhs + let lhs, lhs_1_:(i32 & i32) = + decompose_element gamma2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + in + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + low with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + i + lhs + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in - let high:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high i lhs_1_ + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + high with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + i + lhs_1_ + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in - high, low <: (t_Array i32 (sz 8) & t_Array i32 (sz 8))) + high, low + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)) in let hax_temp_output:Prims.unit = () <: Prims.unit in - low, high <: (t_Array i32 (sz 8) & t_Array i32 (sz 8)) + low, high + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -let infinity_norm_exceeds (simd_unit: t_Array i32 (sz 8)) (bound: i32) = +let infinity_norm_exceeds + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (bound: i32) + = let result:bool = false in let result:bool = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter - i32) - #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__iter #i32 (simd_unit <: t_Slice i32) <: Core.Slice.Iter.t_Iter i32) + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) <: - Core.Slice.Iter.t_Iter i32) + usize) + (fun result temp_1_ -> + let result:bool = result in + let _:usize = temp_1_ in + true) result - (fun result coefficient -> + (fun result i -> let result:bool = result in - let coefficient:i32 = coefficient in + let i:usize = i in + let coefficient:i32 = simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] in let _:Prims.unit = if true then @@ -221,141 +315,269 @@ let infinity_norm_exceeds (simd_unit: t_Array i32 (sz 8)) (bound: i32) = in result -let montgomery_multiply (lhs rhs: t_Array i32 (sz 8)) = - let lhs:t_Array i32 (sz 8) = +let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 (lhs <: t_Slice i32) <: usize) + (Core.Slice.impl__len #i32 + (lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + <: + usize) (fun lhs temp_1_ -> - let lhs:t_Array i32 (sz 8) = lhs in + let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in let _:usize = temp_1_ in true) lhs (fun lhs i -> - let lhs:t_Array i32 (sz 8) = lhs in + let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - i - (montgomery_reduce_element ((cast (lhs.[ i ] <: i32) <: i64) *! - (cast (rhs.[ i ] <: i32) <: i64) - <: - i64) - <: - i32) + { + lhs with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + i + (montgomery_reduce_element ((cast (lhs + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] + <: + i32) + <: + i64) *! + (cast (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + <: + i64) + <: + i64) + <: + i32) + <: + t_Array i32 (sz 8) + } <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in let hax_temp_output:Prims.unit = () <: Prims.unit in lhs -let montgomery_multiply_by_constant (simd_unit: t_Array i32 (sz 8)) (c: i32) = - let simd_unit:t_Array i32 (sz 8) = +let montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (c: i32) + = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 (simd_unit <: t_Slice i32) <: usize) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + <: + usize) (fun simd_unit temp_1_ -> - let simd_unit:t_Array i32 (sz 8) = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit i -> - let simd_unit:t_Array i32 (sz 8) = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = simd_unit in let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - i - (montgomery_reduce_element ((cast (simd_unit.[ i ] <: i32) <: i64) *! - (cast (c <: i32) <: i64) - <: - i64) - <: - i32) + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + i + (montgomery_reduce_element ((cast (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] + <: + i32) + <: + i64) *! + (cast (c <: i32) <: i64) + <: + i64) + <: + i32) + <: + t_Array i32 (sz 8) + } <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in let hax_temp_output:Prims.unit = () <: Prims.unit in simd_unit -let power2round (t0 t1: t_Array i32 (sz 8)) = - let t0, t1:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = +let power2round (t0 t1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + let t0, t1:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 (t0 <: t_Slice i32) <: usize) + (Core.Slice.impl__len #i32 + (t0.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + <: + usize) (fun temp_0_ temp_1_ -> - let t0, t1:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = temp_0_ in + let t0, t1:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + temp_0_ + in let _:usize = temp_1_ in true) - (t0, t1 <: (t_Array i32 (sz 8) & t_Array i32 (sz 8))) + (t0, t1 + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)) (fun temp_0_ i -> - let t0, t1:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = temp_0_ in + let t0, t1:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + temp_0_ + in let i:usize = i in - let lhs, lhs_1_:(i32 & i32) = power2round_element (t0.[ i ] <: i32) in - let t0:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0 i lhs + let lhs, lhs_1_:(i32 & i32) = + power2round_element (t0.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + in + let t0:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + t0 with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0 + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + i + lhs + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in - let t1:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 i lhs_1_ + let t1:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + t1 with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + i + lhs_1_ + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in - t0, t1 <: (t_Array i32 (sz 8) & t_Array i32 (sz 8))) + t0, t1 + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)) in let hax_temp_output:Prims.unit = () <: Prims.unit in - t0, t1 <: (t_Array i32 (sz 8) & t_Array i32 (sz 8)) + t0, t1 + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: t_Array i32 (sz 8)) = - let simd_unit:t_Array i32 (sz 8) = +let shift_left_then_reduce + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 (simd_unit <: t_Slice i32) <: usize) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + <: + usize) (fun simd_unit temp_1_ -> - let simd_unit:t_Array i32 (sz 8) = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit i -> - let simd_unit:t_Array i32 (sz 8) = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = simd_unit in let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - i - (reduce_element ((simd_unit.[ i ] <: i32) < - let lhs:t_Array i32 (sz 8) = lhs in + let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in let _:usize = temp_1_ in true) lhs (fun lhs i -> - let lhs:t_Array i32 (sz 8) = lhs in + let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - i - ((lhs.[ i ] <: i32) -! (rhs.[ i ] <: i32) <: i32) + { + lhs with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) -! + (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in let hax_temp_output:Prims.unit = () <: Prims.unit in lhs -let use_hint (gamma2: i32) (simd_unit hint: t_Array i32 (sz 8)) = - let hint:t_Array i32 (sz 8) = +let use_hint (gamma2: i32) (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 (hint <: t_Slice i32) <: usize) + (Core.Slice.impl__len #i32 + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + <: + usize) (fun hint temp_1_ -> - let hint:t_Array i32 (sz 8) = hint in + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = hint in let _:usize = temp_1_ in true) hint (fun hint i -> - let hint:t_Array i32 (sz 8) = hint in + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = hint in let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint - i - (use_one_hint gamma2 (simd_unit.[ i ] <: i32) (hint.[ i ] <: i32) <: i32) + { + hint with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + i + (use_one_hint gamma2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in let hax_temp_output:Prims.unit = () <: Prims.unit in hint diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti index 0a75f3d22..d0f35c5ba 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti @@ -23,32 +23,64 @@ val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> val use_one_hint (gamma2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -val add (lhs rhs: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val compute_hint (v_GAMMA2: i32) (low high hint: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8) & usize) Prims.l_True (fun _ -> Prims.l_True) - -val decompose (gamma2: i32) (simd_unit low high: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8) & t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val infinity_norm_exceeds (simd_unit: t_Array i32 (sz 8)) (bound: i32) +val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + +val compute_hint + (v_GAMMA2: i32) + (low high hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize) + Prims.l_True + (fun _ -> Prims.l_True) + +val decompose + (gamma2: i32) + (simd_unit low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + Prims.l_True + (fun _ -> Prims.l_True) + +val infinity_norm_exceeds + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (bound: i32) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply (lhs rhs: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_by_constant (simd_unit: t_Array i32 (sz 8)) (c: i32) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val power2round (t0 t1: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8) & t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val subtract (lhs rhs: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val use_hint (gamma2: i32) (simd_unit hint: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) +val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (c: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + +val power2round (t0 t1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + Prims.l_True + (fun _ -> Prims.l_True) + +val shift_left_then_reduce + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + +val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + +val use_hint (gamma2: i32) (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst index e89cbc069..5539eba4b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst @@ -3,13 +3,16 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment open Core open FStar.Mul -let serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) = +let serialize + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + = let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = match cast (Core.Slice.impl__len #u8 serialized <: usize) <: u8 with | 4uy -> let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) - (simd_unit <: t_Slice i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -31,7 +34,7 @@ let serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) = | 6uy -> let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) - (simd_unit <: t_Slice i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti index 49715b93a..457e10b9b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti @@ -3,5 +3,7 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment open Core open FStar.Mul -val serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) +val serialize + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst index ccf545016..1de900ea9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst @@ -3,7 +3,10 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Error open Core open FStar.Mul -let deserialize_when_eta_is_2_ (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) = +let deserialize_when_eta_is_2_ + (serialized: t_Slice u8) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + = let _:Prims.unit = if true then @@ -15,55 +18,122 @@ let deserialize_when_eta_is_2_ (serialized: t_Slice u8) (simd_unit: t_Array i32 let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 0) - (deserialize_when_eta_is_2___ETA -! (byte0 &. 7l <: i32) <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 0) + (deserialize_when_eta_is_2___ETA -! (byte0 &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 1) - (deserialize_when_eta_is_2___ETA -! ((byte0 >>! 3l <: i32) &. 7l <: i32) <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 1) + (deserialize_when_eta_is_2___ETA -! ((byte0 >>! 3l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 2) - (deserialize_when_eta_is_2___ETA -! - (((byte0 >>! 6l <: i32) |. (byte1 <>! 6l <: i32) |. (byte1 <>! 1l <: i32) &. 7l <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 4) - (deserialize_when_eta_is_2___ETA -! ((byte1 >>! 4l <: i32) &. 7l <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 5) - (deserialize_when_eta_is_2___ETA -! - (((byte1 >>! 7l <: i32) |. (byte2 <>! 1l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 4) + (deserialize_when_eta_is_2___ETA -! ((byte1 >>! 4l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 6) - (deserialize_when_eta_is_2___ETA -! ((byte2 >>! 2l <: i32) &. 7l <: i32) <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 5) + (deserialize_when_eta_is_2___ETA -! + (((byte1 >>! 7l <: i32) |. (byte2 <>! 5l <: i32) &. 7l <: i32) <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 6) + (deserialize_when_eta_is_2___ETA -! ((byte2 >>! 2l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 7) + (deserialize_when_eta_is_2___ETA -! ((byte2 >>! 5l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in simd_unit -let deserialize_when_eta_is_4_ (serialized: t_Slice u8) (simd_units: t_Array i32 (sz 8)) = +let deserialize_when_eta_is_4_ + (serialized: t_Slice u8) + (simd_units: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + = let _:Prims.unit = if true then @@ -72,25 +142,41 @@ let deserialize_when_eta_is_4_ (serialized: t_Slice u8) (simd_units: t_Array i32 in () in - let simd_units:t_Array i32 (sz 8) = + let simd_units:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Rust_primitives.Hax.Folds.fold_enumerated_slice serialized (fun simd_units temp_1_ -> - let simd_units:t_Array i32 (sz 8) = simd_units in + let simd_units:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = simd_units in let _:usize = temp_1_ in true) simd_units (fun simd_units temp_1_ -> - let simd_units:t_Array i32 (sz 8) = simd_units in + let simd_units:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = simd_units in let i, byte:(usize & u8) = temp_1_ in - let simd_units:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_units - (sz 2 *! i <: usize) - (deserialize_when_eta_is_4___ETA -! (cast (byte &. 15uy <: u8) <: i32) <: i32) + let simd_units:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_units with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_units + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 2 *! i <: usize) + (deserialize_when_eta_is_4___ETA -! (cast (byte &. 15uy <: u8) <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in - let simd_units:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_units - ((sz 2 *! i <: usize) +! sz 1 <: usize) - (deserialize_when_eta_is_4___ETA -! (cast (byte >>! 4l <: u8) <: i32) <: i32) + let simd_units:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_units with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_units + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + ((sz 2 *! i <: usize) +! sz 1 <: usize) + (deserialize_when_eta_is_4___ETA -! (cast (byte >>! 4l <: u8) <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in simd_units) in @@ -100,18 +186,25 @@ let deserialize_when_eta_is_4_ (serialized: t_Slice u8) (simd_units: t_Array i32 let deserialize (eta: Libcrux_ml_dsa.Constants.t_Eta) (serialized: t_Slice u8) - (out: t_Array i32 (sz 8)) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = - let out, hax_temp_output:(t_Array i32 (sz 8) & Prims.unit) = + let out, hax_temp_output:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Prims.unit) = match eta <: Libcrux_ml_dsa.Constants.t_Eta with | Libcrux_ml_dsa.Constants.Eta_Two -> - deserialize_when_eta_is_2_ serialized out, () <: (t_Array i32 (sz 8) & Prims.unit) + deserialize_when_eta_is_2_ serialized out, () + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Prims.unit) | Libcrux_ml_dsa.Constants.Eta_Four -> - deserialize_when_eta_is_4_ serialized out, () <: (t_Array i32 (sz 8) & Prims.unit) + deserialize_when_eta_is_4_ serialized out, () + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Prims.unit) in out -let serialize_when_eta_is_2_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) = +let serialize_when_eta_is_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + = let _:Prims.unit = if true then @@ -121,28 +214,68 @@ let serialize_when_eta_is_2_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slic () in let coefficient0:u8 = - cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 0 ] <: i32) <: i32) <: u8 + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) + <: + i32) + <: + u8 in let coefficient1:u8 = - cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 1 ] <: i32) <: i32) <: u8 + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) + <: + i32) + <: + u8 in let coefficient2:u8 = - cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 2 ] <: i32) <: i32) <: u8 + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) + <: + i32) + <: + u8 in let coefficient3:u8 = - cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 3 ] <: i32) <: i32) <: u8 + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32) + <: + i32) + <: + u8 in let coefficient4:u8 = - cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 4 ] <: i32) <: i32) <: u8 + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) + <: + i32) + <: + u8 in let coefficient5:u8 = - cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 5 ] <: i32) <: i32) <: u8 + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32) + <: + i32) + <: + u8 in let coefficient6:u8 = - cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 6 ] <: i32) <: i32) <: u8 + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32) + <: + i32) + <: + u8 in let coefficient7:u8 = - cast (serialize_when_eta_is_2___ETA -! (simd_unit.[ sz 7 ] <: i32) <: i32) <: u8 + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32) + <: + i32) + <: + u8 in let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized @@ -170,10 +303,13 @@ let serialize_when_eta_is_2_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slic in serialized -let serialize_when_eta_is_4_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) = +let serialize_when_eta_is_4_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + = let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) - (simd_unit <: t_Slice i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -200,7 +336,7 @@ let serialize_when_eta_is_4_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slic let serialize (eta: Libcrux_ml_dsa.Constants.t_Eta) - (simd_unit: t_Array i32 (sz 8)) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (serialized: t_Slice u8) = let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti index ee25b5b18..6ebce847f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti @@ -11,26 +11,40 @@ let serialize_when_eta_is_2___ETA: i32 = 2l let serialize_when_eta_is_4___ETA: i32 = 4l -val deserialize_when_eta_is_2_ (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) +val deserialize_when_eta_is_2_ + (serialized: t_Slice u8) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) -val deserialize_when_eta_is_4_ (serialized: t_Slice u8) (simd_units: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) +val deserialize_when_eta_is_4_ + (serialized: t_Slice u8) + (simd_units: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) val deserialize (eta: Libcrux_ml_dsa.Constants.t_Eta) (serialized: t_Slice u8) - (out: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) -val serialize_when_eta_is_2_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) +val serialize_when_eta_is_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val serialize_when_eta_is_4_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) +val serialize_when_eta_is_4_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val serialize (eta: Libcrux_ml_dsa.Constants.t_Eta) - (simd_unit: t_Array i32 (sz 8)) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst index 228bf6211..e95fd8d89 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst @@ -3,7 +3,10 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 open Core open FStar.Mul -let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) = +let deserialize_when_gamma1_is_2_pow_17_ + (serialized: t_Slice u8) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + = let _:Prims.unit = if true then @@ -12,16 +15,16 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) (simd_unit: t_ in () in - let simd_unit:t_Array i32 (sz 8) = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 9) serialized (fun simd_unit temp_1_ -> - let simd_unit:t_Array i32 (sz 8) = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit temp_1_ -> - let simd_unit:t_Array i32 (sz 8) = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = simd_unit in let i, bytes:(usize & t_Slice u8) = temp_1_ in let coefficient0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in let coefficient0:i32 = @@ -63,32 +66,67 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) (simd_unit: t_ let coefficient3:i32 = coefficient3 &. deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_BITMASK in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 4 *! i <: usize) - (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient0 <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - ((sz 4 *! i <: usize) +! sz 1 <: usize) - (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient1 <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - ((sz 4 *! i <: usize) +! sz 2 <: usize) - (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient2 <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - ((sz 4 *! i <: usize) +! sz 3 <: usize) - (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient3 <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 4 *! i <: usize) + (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient0 <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + ((sz 4 *! i <: usize) +! sz 1 <: usize) + (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient1 <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + ((sz 4 *! i <: usize) +! sz 2 <: usize) + (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient2 <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + ((sz 4 *! i <: usize) +! sz 3 <: usize) + (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! coefficient3 <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in simd_unit) in let hax_temp_output:Prims.unit = () <: Prims.unit in simd_unit -let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) = +let deserialize_when_gamma1_is_2_pow_19_ + (serialized: t_Slice u8) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + = let _:Prims.unit = if true then @@ -97,16 +135,16 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) (simd_unit: t_ in () in - let simd_unit:t_Array i32 (sz 8) = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 5) serialized (fun simd_unit temp_1_ -> - let simd_unit:t_Array i32 (sz 8) = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit temp_1_ -> - let simd_unit:t_Array i32 (sz 8) = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = simd_unit in let i, bytes:(usize & t_Slice u8) = temp_1_ in let coefficient0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in let coefficient0:i32 = @@ -125,28 +163,52 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) (simd_unit: t_ let coefficient1:i32 = coefficient1 |. ((cast (bytes.[ sz 4 ] <: u8) <: i32) < - deserialize_when_gamma1_is_2_pow_17_ serialized out, () <: (t_Array i32 (sz 8) & Prims.unit) + deserialize_when_gamma1_is_2_pow_17_ serialized out, () + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Prims.unit) | 19uy -> - deserialize_when_gamma1_is_2_pow_19_ serialized out, () <: (t_Array i32 (sz 8) & Prims.unit) + deserialize_when_gamma1_is_2_pow_19_ serialized out, () + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Prims.unit) | _ -> out, Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" @@ -154,14 +216,17 @@ let deserialize (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) (gamma1_expon <: Rust_primitives.Hax.t_Never) <: - (t_Array i32 (sz 8) & Prims.unit) + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Prims.unit) in out -let serialize_when_gamma1_is_2_pow_17_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) = +let serialize_when_gamma1_is_2_pow_17_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + = let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) - (simd_unit <: t_Slice i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -256,10 +321,13 @@ let serialize_when_gamma1_is_2_pow_17_ (simd_unit: t_Array i32 (sz 8)) (serializ let hax_temp_output:Prims.unit = () <: Prims.unit in serialized -let serialize_when_gamma1_is_2_pow_19_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) = +let serialize_when_gamma1_is_2_pow_19_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + = let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) - (simd_unit <: t_Slice i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in @@ -312,7 +380,11 @@ let serialize_when_gamma1_is_2_pow_19_ (simd_unit: t_Array i32 (sz 8)) (serializ let hax_temp_output:Prims.unit = () <: Prims.unit in serialized -let serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) (gamma1_exponent: usize) = +let serialize + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + = let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = match cast (gamma1_exponent <: usize) <: u8 with | 17uy -> diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti index 0c419dc90..4c6ce1b08 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti @@ -17,20 +17,40 @@ let serialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) - -val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val deserialize (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) (gamma1_exponent: usize) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_when_gamma1_is_2_pow_17_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) +val deserialize_when_gamma1_is_2_pow_17_ + (serialized: t_Slice u8) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_when_gamma1_is_2_pow_19_ + (serialized: t_Slice u8) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (gamma1_exponent: usize) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_17_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val serialize_when_gamma1_is_2_pow_19_ (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) +val serialize_when_gamma1_is_2_pow_19_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) (gamma1_exponent: usize) +val serialize + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + (gamma1_exponent: usize) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst index 115f600f7..e39c1468a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst @@ -6,7 +6,10 @@ open FStar.Mul let change_t0_interval (t0: i32) = (1l <>! 3l in let coefficient7:i32 = coefficient7 |. (byte12 < Prims.l let deserialize__BITS_IN_LOWER_PART_OF_T_MASK: i32 = (1l < Prims.l_True) +val deserialize + (serialized: t_Slice u8) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) -val serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) +val serialize + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst index f04008433..ed7685a93 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst @@ -3,7 +3,10 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 open Core open FStar.Mul -let deserialize (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) = +let deserialize + (serialized: t_Slice u8) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + = let _:Prims.unit = if true then @@ -13,48 +16,83 @@ let deserialize (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) = () in let mask:i32 = (1l < - let simd_unit:t_Array i32 (sz 8) = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit temp_1_ -> - let simd_unit:t_Array i32 (sz 8) = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = simd_unit in let i, bytes:(usize & t_Slice u8) = temp_1_ in let byte0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in let byte1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in let byte2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in let byte3:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in let byte4:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 4 *! i <: usize) - ((byte0 |. (byte1 <>! 2l <: i32) |. (byte2 <>! 2l <: i32) |. (byte2 <>! 4l <: i32) |. (byte3 <>! 4l <: i32) |. (byte3 <>! 6l <: i32) |. (byte4 <>! 6l <: i32) |. (byte4 < let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti index 9d31471bc..2ae66a6cb 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti @@ -3,8 +3,14 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 open Core open FStar.Mul -val deserialize (serialized: t_Slice u8) (simd_unit: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) +val deserialize + (serialized: t_Slice u8) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) -val serialize (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) +val serialize + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst index 868d2a328..16fb78743 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst @@ -3,493 +3,852 @@ module Libcrux_ml_dsa.Simd.Portable.Invntt open Core open FStar.Mul -let simd_unit_invert_ntt_at_layer_0_ (simd_unit: t_Array i32 (sz 8)) (zeta0 zeta1 zeta2 zeta3: i32) = - let a_minus_b:i32 = (simd_unit.[ sz 1 ] <: i32) -! (simd_unit.[ sz 0 ] <: i32) in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 0) - ((simd_unit.[ sz 0 ] <: i32) +! (simd_unit.[ sz 1 ] <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 1) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) - in - let a_minus_b:i32 = (simd_unit.[ sz 3 ] <: i32) -! (simd_unit.[ sz 2 ] <: i32) in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 2) - ((simd_unit.[ sz 2 ] <: i32) +! (simd_unit.[ sz 3 ] <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 3) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) - in - let a_minus_b:i32 = (simd_unit.[ sz 5 ] <: i32) -! (simd_unit.[ sz 4 ] <: i32) in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 4) - ((simd_unit.[ sz 4 ] <: i32) +! (simd_unit.[ sz 5 ] <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 5) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta2 <: i32) - in - let a_minus_b:i32 = (simd_unit.[ sz 7 ] <: i32) -! (simd_unit.[ sz 6 ] <: i32) in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 6) - ((simd_unit.[ sz 6 ] <: i32) +! (simd_unit.[ sz 7 ] <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 7) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta3 <: i32) +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable.Vector_type in + () + +let simd_unit_invert_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 1) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 3) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 5) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta2 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta3 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in simd_unit let invert_ntt_at_layer_0___round - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) (zeta0 zeta1 zeta2 zeta3: i32) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (simd_unit_invert_ntt_at_layer_0_ (re.[ index ] <: t_Array i32 (sz 8)) zeta0 zeta1 zeta2 zeta3 + (simd_unit_invert_ntt_at_layer_0_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + zeta0 + zeta1 + zeta2 + zeta3 <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in re -let invert_ntt_at_layer_0_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = +let invert_ntt_at_layer_0_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 0) 1976782l (-846154l) 1400424l 3937738l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 1) (-1362209l) (-48306l) 3919660l (-554416l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 2) (-3545687l) 1612842l (-976891l) 183443l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 3) (-2286327l) (-420899l) (-2235985l) (-2939036l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 4) (-3833893l) (-260646l) (-1104333l) (-1667432l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 5) 1910376l (-1803090l) 1723600l (-426683l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 6) 472078l 1717735l (-975884l) 2213111l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 7) 269760l 3866901l 3523897l (-3038916l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 8) (-1799107l) (-3694233l) 1652634l 810149l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 9) 3014001l 1616392l 162844l (-3183426l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 10) (-1207385l) 185531l 3369112l 1957272l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 11) (-164721l) 2454455l 2432395l (-2013608l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 12) (-3776993l) 594136l (-3724270l) (-2584293l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 13) (-1846953l) (-1671176l) (-2831860l) (-542412l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 14) 3406031l 2235880l 777191l 1500165l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 15) (-1374803l) (-2546312l) 1917081l (-1279661l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 16) (-1962642l) 3306115l 1312455l (-451100l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 17) (-1430225l) (-3318210l) 1237275l (-1333058l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 18) (-1050970l) 1903435l 1869119l (-2994039l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 19) (-3548272l) 2635921l 1250494l (-3767016l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 20) 1595974l 2486353l 1247620l 4055324l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 21) 1265009l (-2590150l) 2691481l 2842341l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 22) 203044l 1735879l (-3342277l) 3437287l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 23) 4108315l (-2437823l) 286988l 342297l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 24) (-3595838l) (-768622l) (-525098l) (-3556995l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 25) 3207046l 2031748l (-3122442l) (-655327l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 26) (-522500l) (-43260l) (-1613174l) 495491l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 27) 819034l 909542l 1859098l 900702l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 28) (-3193378l) (-1197226l) (-3759364l) (-3520352l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 29) 3513181l (-1235728l) 2434439l 266997l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 30) (-3562462l) (-2446433l) 2244091l (-3342478l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_0___round re (sz 31) 3817976l 2316500l 3407706l 2091667l in re -let simd_unit_invert_ntt_at_layer_1_ (simd_unit: t_Array i32 (sz 8)) (zeta0 zeta1: i32) = - let a_minus_b:i32 = (simd_unit.[ sz 2 ] <: i32) -! (simd_unit.[ sz 0 ] <: i32) in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 0) - ((simd_unit.[ sz 0 ] <: i32) +! (simd_unit.[ sz 2 ] <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 2) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) - in - let a_minus_b:i32 = (simd_unit.[ sz 3 ] <: i32) -! (simd_unit.[ sz 1 ] <: i32) in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 1) - ((simd_unit.[ sz 1 ] <: i32) +! (simd_unit.[ sz 3 ] <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 3) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) - in - let a_minus_b:i32 = (simd_unit.[ sz 6 ] <: i32) -! (simd_unit.[ sz 4 ] <: i32) in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 4) - ((simd_unit.[ sz 4 ] <: i32) +! (simd_unit.[ sz 6 ] <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 6) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) - in - let a_minus_b:i32 = (simd_unit.[ sz 7 ] <: i32) -! (simd_unit.[ sz 5 ] <: i32) in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 5) - ((simd_unit.[ sz 5 ] <: i32) +! (simd_unit.[ sz 7 ] <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 7) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) +let simd_unit_invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta0 zeta1: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 2) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 3) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 6) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in simd_unit let invert_ntt_at_layer_1___round - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) (zeta_00_ zeta_01_: i32) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (simd_unit_invert_ntt_at_layer_1_ (re.[ index ] <: t_Array i32 (sz 8)) zeta_00_ zeta_01_ + (simd_unit_invert_ntt_at_layer_1_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + zeta_00_ + zeta_01_ <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in re -let invert_ntt_at_layer_1_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = +let invert_ntt_at_layer_1_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 0) 3839961l (-3628969l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 1) (-3881060l) (-3019102l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 2) (-1439742l) (-812732l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 3) (-1584928l) 1285669l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 4) 1341330l 1315589l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 5) (-177440l) (-2409325l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 6) (-1851402l) 3159746l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 7) (-3553272l) 189548l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 8) (-1316856l) 759969l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 9) (-210977l) 2389356l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 10) (-3249728l) 1653064l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 11) (-8578l) (-3724342l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 12) 3958618l 904516l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 13) (-1100098l) 44288l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 14) 3097992l 508951l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 15) 264944l (-3343383l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 16) (-1430430l) 1852771l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 17) 1349076l (-381987l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 18) (-1308169l) (-22981l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 19) (-1228525l) (-671102l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 20) (-2477047l) (-411027l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 21) (-3693493l) (-2967645l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 22) 2715295l 2147896l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 23) (-983419l) 3412210l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 24) 126922l (-3632928l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 25) (-3157330l) (-3190144l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 26) (-1000202l) (-4083598l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 27) 1939314l (-1257611l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 28) (-1585221l) 2176455l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 29) 3475950l (-1452451l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 30) (-3041255l) (-3677745l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_1___round re (sz 31) (-1528703l) (-3930395l) in re -let simd_unit_invert_ntt_at_layer_2_ (simd_unit: t_Array i32 (sz 8)) (zeta: i32) = - let a_minus_b:i32 = (simd_unit.[ sz 4 ] <: i32) -! (simd_unit.[ sz 0 ] <: i32) in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 0) - ((simd_unit.[ sz 0 ] <: i32) +! (simd_unit.[ sz 4 ] <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 4) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) - in - let a_minus_b:i32 = (simd_unit.[ sz 5 ] <: i32) -! (simd_unit.[ sz 1 ] <: i32) in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 1) - ((simd_unit.[ sz 1 ] <: i32) +! (simd_unit.[ sz 5 ] <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 5) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) - in - let a_minus_b:i32 = (simd_unit.[ sz 6 ] <: i32) -! (simd_unit.[ sz 2 ] <: i32) in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 2) - ((simd_unit.[ sz 2 ] <: i32) +! (simd_unit.[ sz 6 ] <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 6) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) - in - let a_minus_b:i32 = (simd_unit.[ sz 7 ] <: i32) -! (simd_unit.[ sz 3 ] <: i32) in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 3) - ((simd_unit.[ sz 3 ] <: i32) +! (simd_unit.[ sz 7 ] <: i32) <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 7) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) +let simd_unit_invert_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 4) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 5) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 6) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in simd_unit let invert_ntt_at_layer_2___round - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) (zeta1: i32) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (simd_unit_invert_ntt_at_layer_2_ (re.[ index ] <: t_Array i32 (sz 8)) zeta1 + (simd_unit_invert_ntt_at_layer_2_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + zeta1 <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in re -let invert_ntt_at_layer_2_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = +let invert_ntt_at_layer_2_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 0) (-2797779l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 1) 2071892l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 1) 2071892l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 2) (-2556880l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 3) 3900724l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 4) 3881043l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 5) 954230l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 6) 531354l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 7) 811944l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 8) 3699596l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 3) 3900724l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 4) 3881043l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 5) 954230l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 6) 531354l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 7) 811944l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 8) 3699596l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 9) (-1600420l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 10) (-2140649l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 11) 3507263l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 11) 3507263l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 12) (-3821735l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 13) 3505694l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 13) 3505694l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 14) (-1643818l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 15) (-1699267l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 16) (-539299l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 17) 2348700l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 17) 2348700l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 18) (-300467l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 19) 3539968l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 19) 3539968l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 20) (-2867647l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 21) 3574422l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 21) 3574422l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 22) (-3043716l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 23) (-3861115l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 24) 3915439l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 24) 3915439l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 25) (-2537516l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 26) (-3592148l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = invert_ntt_at_layer_2___round re (sz 27) (-1661693l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 28) 3530437l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 29) 3077325l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 30) 95776l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2___round re (sz 31) 2706023l in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 28) 3530437l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 29) 3077325l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 30) 95776l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2___round re (sz 31) 2706023l + in re let outer_3_plus (v_OFFSET v_STEP_BY: usize) (v_ZETA: i32) - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Folds.fold_range v_OFFSET (v_OFFSET +! v_STEP_BY <: usize) (fun re temp_1_ -> - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = re in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = re in let _:usize = temp_1_ in true) re (fun re j -> - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = re in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = re in let j:usize = j in - let rejs:t_Array i32 (sz 8) = - Core.Clone.f_clone #(t_Array i32 (sz 8)) + let rejs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + Core.Clone.f_clone #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #FStar.Tactics.Typeclasses.solve - (re.[ j +! v_STEP_BY <: usize ] <: t_Array i32 (sz 8)) + (re.[ j +! v_STEP_BY <: usize ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in - let a_minus_b:t_Array i32 (sz 8) = - Core.Clone.f_clone #(t_Array i32 (sz 8)) #FStar.Tactics.Typeclasses.solve rejs + let a_minus_b:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + Core.Clone.f_clone #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #FStar.Tactics.Typeclasses.solve + rejs in - let a_minus_b:t_Array i32 (sz 8) = + let a_minus_b:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract a_minus_b - (re.[ j ] <: t_Array i32 (sz 8)) + (re.[ j ] <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re j - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] <: t_Array i32 (sz 8)) rejs + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + rejs <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! v_STEP_BY <: usize) a_minus_b in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! v_STEP_BY <: usize) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ j +! @@ -497,92 +856,185 @@ let outer_3_plus <: usize ] <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) v_ZETA <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in re) in let hax_temp_output:Prims.unit = () <: Prims.unit in re -let invert_ntt_at_layer_3_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 1) 280005l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 2) (sz 1) 4010497l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 4) (sz 1) (-19422l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 6) (sz 1) 1757237l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 8) (sz 1) (-3277672l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 10) (sz 1) (-1399561l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 12) (sz 1) (-3859737l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 14) (sz 1) (-2118186l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 1) (-2108549l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 18) (sz 1) 2619752l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 20) (sz 1) (-1119584l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 22) (sz 1) (-549488l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 24) (sz 1) 3585928l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 26) (sz 1) (-1079900l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 28) (sz 1) 1024112l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 30) (sz 1) 2725464l re in +let invert_ntt_at_layer_3_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 0) (sz 1) 280005l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 2) (sz 1) 4010497l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 4) (sz 1) (-19422l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 6) (sz 1) 1757237l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 8) (sz 1) (-3277672l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 10) (sz 1) (-1399561l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 12) (sz 1) (-3859737l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 14) (sz 1) (-2118186l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 16) (sz 1) (-2108549l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 18) (sz 1) 2619752l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 20) (sz 1) (-1119584l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 22) (sz 1) (-549488l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 24) (sz 1) 3585928l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 26) (sz 1) (-1079900l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 28) (sz 1) 1024112l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 30) (sz 1) 2725464l re + in re -let invert_ntt_at_layer_4_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 2) 2680103l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 4) (sz 2) 3111497l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 8) (sz 2) (-2884855l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 12) (sz 2) 3119733l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 2) (-2091905l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 20) (sz 2) (-359251l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 24) (sz 2) 2353451l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 28) (sz 2) 1826347l re in +let invert_ntt_at_layer_4_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 0) (sz 2) 2680103l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 4) (sz 2) 3111497l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 8) (sz 2) (-2884855l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 12) (sz 2) 3119733l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 16) (sz 2) (-2091905l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 20) (sz 2) (-359251l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 24) (sz 2) 2353451l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 28) (sz 2) 1826347l re + in re -let invert_ntt_at_layer_5_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 4) 466468l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 8) (sz 4) (-876248l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 4) (-777960l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 24) (sz 4) 237124l re in +let invert_ntt_at_layer_5_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 0) (sz 4) 466468l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 8) (sz 4) (-876248l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 16) (sz 4) (-777960l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 24) (sz 4) 237124l re + in re -let invert_ntt_at_layer_6_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 8) (-518909l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 8) (-2608894l) re in +let invert_ntt_at_layer_6_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 0) (sz 8) (-518909l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 16) (sz 8) (-2608894l) re + in re -let invert_ntt_at_layer_7_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 16) 25847l re in +let invert_ntt_at_layer_7_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 0) (sz 16) 25847l re + in re -let invert_ntt_montgomery (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_0_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_1_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_2_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_3_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_4_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_5_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_6_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = invert_ntt_at_layer_7_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = +let invert_ntt_montgomery + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_2_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_3_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_4_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_5_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_6_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_7_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(t_Array i32 (sz 8)) (re <: t_Slice (t_Array i32 (sz 8))) <: usize) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + <: + usize) (fun re temp_1_ -> - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = re in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = re in let _:usize = temp_1_ in true) re (fun re i -> - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = re in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = re in let i:usize = i in Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re i (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ i ] <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) 41978l <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) <: - t_Array (t_Array i32 (sz 8)) (sz 32)) + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) in let hax_temp_output:Prims.unit = () <: Prims.unit in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti index 6a4a2fd5d..d5accef63 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti @@ -3,6 +3,12 @@ module Libcrux_ml_dsa.Simd.Portable.Invntt open Core open FStar.Mul +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable.Vector_type in + () + let invert_ntt_at_layer_3___STEP: usize = sz 8 let invert_ntt_at_layer_3___STEP_BY: usize = sz 1 @@ -23,62 +29,109 @@ let invert_ntt_at_layer_7___STEP: usize = sz 128 let invert_ntt_at_layer_7___STEP_BY: usize = sz 16 -val simd_unit_invert_ntt_at_layer_0_ (simd_unit: t_Array i32 (sz 8)) (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) +val simd_unit_invert_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) val invert_ntt_at_layer_0___round - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_0_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val simd_unit_invert_ntt_at_layer_1_ (simd_unit: t_Array i32 (sz 8)) (zeta0 zeta1: i32) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_0_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta0 zeta1: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) val invert_ntt_at_layer_1___round - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) (zeta_00_ zeta_01_: i32) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_1_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val simd_unit_invert_ntt_at_layer_2_ (simd_unit: t_Array i32 (sz 8)) (zeta: i32) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_invert_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) val invert_ntt_at_layer_2___round - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) (zeta1: i32) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) -val invert_ntt_at_layer_2_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +val invert_ntt_at_layer_2_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) val outer_3_plus (v_OFFSET v_STEP_BY: usize) (v_ZETA: i32) - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_3_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_4_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_5_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_6_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_7_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val invert_ntt_montgomery (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_3_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_4_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_5_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_6_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_7_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_montgomery + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst index 568d9ac0a..8378cebc1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst @@ -3,568 +3,955 @@ module Libcrux_ml_dsa.Simd.Portable.Ntt open Core open FStar.Mul -let simd_unit_ntt_at_layer_0_ (simd_unit: t_Array i32 (sz 8)) (zeta0 zeta1 zeta2 zeta3: i32) = +let simd_unit_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta0 zeta1 zeta2 zeta3: i32) + = let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 1 ] <: i32 - ) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] + <: + i32) zeta0 in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 1) - ((simd_unit.[ sz 0 ] <: i32) -! t <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 0) - ((simd_unit.[ sz 0 ] <: i32) +! t <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 3 ] <: i32 - ) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] + <: + i32) zeta1 in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 3) - ((simd_unit.[ sz 2 ] <: i32) -! t <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 2) - ((simd_unit.[ sz 2 ] <: i32) +! t <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 5 ] <: i32 - ) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] + <: + i32) zeta2 in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 5) - ((simd_unit.[ sz 4 ] <: i32) -! t <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 4) - ((simd_unit.[ sz 4 ] <: i32) +! t <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 7 ] <: i32 - ) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] + <: + i32) zeta3 in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 7) - ((simd_unit.[ sz 6 ] <: i32) -! t <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 6) - ((simd_unit.[ sz 6 ] <: i32) +! t <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in simd_unit let ntt_at_layer_0___round - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (simd_unit_ntt_at_layer_0_ (re.[ index ] <: t_Array i32 (sz 8)) + (simd_unit_ntt_at_layer_0_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) zeta_0_ zeta_1_ zeta_2_ zeta_3_ <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in re -let ntt_at_layer_0_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = +let ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 1) (-3342478l) 2244091l (-2446433l) (-3562462l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 3) (-3520352l) (-3759364l) (-1197226l) (-3193378l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 5) 495491l (-1613174l) (-43260l) (-522500l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 7) (-3556995l) (-525098l) (-768622l) (-3595838l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 9) 3437287l (-3342277l) 1735879l 203044l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 11) 4055324l 1247620l 2486353l 1595974l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 13) (-2994039l) 1869119l 1903435l (-1050970l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 15) (-451100l) 1312455l 3306115l (-1962642l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 17) 1500165l 777191l 2235880l 3406031l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 19) (-2584293l) (-3724270l) 594136l (-3776993l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 21) 1957272l 3369112l 185531l (-1207385l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 23) 810149l 1652634l (-3694233l) (-1799107l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 25) 2213111l (-975884l) 1717735l 472078l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 27) (-1667432l) (-1104333l) (-260646l) (-3833893l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 29) 183443l (-976891l) 1612842l (-3545687l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_0___round re (sz 31) 3937738l 1400424l (-846154l) 1976782l in re -let simd_unit_ntt_at_layer_1_ (simd_unit: t_Array i32 (sz 8)) (zeta1 zeta2: i32) = +let simd_unit_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta1 zeta2: i32) + = let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 2 ] <: i32 - ) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] + <: + i32) zeta1 in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 2) - ((simd_unit.[ sz 0 ] <: i32) -! t <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 0) - ((simd_unit.[ sz 0 ] <: i32) +! t <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 3 ] <: i32 - ) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] + <: + i32) zeta1 in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 3) - ((simd_unit.[ sz 1 ] <: i32) -! t <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 1) - ((simd_unit.[ sz 1 ] <: i32) +! t <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 6 ] <: i32 - ) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] + <: + i32) zeta2 in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 6) - ((simd_unit.[ sz 4 ] <: i32) -! t <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 4) - ((simd_unit.[ sz 4 ] <: i32) +! t <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 7 ] <: i32 - ) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] + <: + i32) zeta2 in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 7) - ((simd_unit.[ sz 5 ] <: i32) -! t <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 5) - ((simd_unit.[ sz 5 ] <: i32) +! t <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in simd_unit let ntt_at_layer_1___round - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) (zeta_0_ zeta_1_: i32) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (simd_unit_ntt_at_layer_1_ (re.[ index ] <: t_Array i32 (sz 8)) zeta_0_ zeta_1_ + (simd_unit_ntt_at_layer_1_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + zeta_0_ + zeta_1_ <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in re -let ntt_at_layer_1_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = +let ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 1) (-3677745l) (-3041255l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 3) 2176455l (-1585221l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 5) (-4083598l) (-1000202l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 7) (-3632928l) 126922l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 8) 3412210l (-983419l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 9) 2147896l 2715295l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 11) (-411027l) (-2477047l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 13) (-22981l) (-1308169l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 15) 1852771l (-1430430l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 17) 508951l 3097992l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 18) 44288l (-1100098l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 19) 904516l 3958618l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 21) 1653064l (-3249728l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 22) 2389356l (-210977l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 23) 759969l (-1316856l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 24) 189548l (-3553272l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 25) 3159746l (-1851402l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 27) 1315589l 1341330l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 29) (-812732l) (-1439742l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = ntt_at_layer_1___round re (sz 31) (-3628969l) 3839961l in re -let simd_unit_ntt_at_layer_2_ (simd_unit: t_Array i32 (sz 8)) (zeta: i32) = +let simd_unit_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta: i32) + = let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 4 ] <: i32 - ) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] + <: + i32) zeta in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 4) - ((simd_unit.[ sz 0 ] <: i32) -! t <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 0) - ((simd_unit.[ sz 0 ] <: i32) +! t <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 5 ] <: i32 - ) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] + <: + i32) zeta in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 5) - ((simd_unit.[ sz 1 ] <: i32) -! t <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 1) - ((simd_unit.[ sz 1 ] <: i32) +! t <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 6 ] <: i32 - ) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] + <: + i32) zeta in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 6) - ((simd_unit.[ sz 2 ] <: i32) -! t <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 2) - ((simd_unit.[ sz 2 ] <: i32) +! t <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit.[ sz 7 ] <: i32 - ) + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] + <: + i32) zeta in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 7) - ((simd_unit.[ sz 3 ] <: i32) -! t <: i32) - in - let simd_unit:t_Array i32 (sz 8) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - (sz 3) - ((simd_unit.[ sz 3 ] <: i32) +! t <: i32) + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in simd_unit -let ntt_at_layer_2___round (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta: i32) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = +let ntt_at_layer_2___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + (index: usize) + (zeta: i32) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index - (simd_unit_ntt_at_layer_2_ (re.[ index ] <: t_Array i32 (sz 8)) zeta <: t_Array i32 (sz 8)) + (simd_unit_ntt_at_layer_2_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + zeta + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in re -let ntt_at_layer_2_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 0) 2706023l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 1) 95776l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 2) 3077325l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 3) 3530437l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 4) (-1661693l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 5) (-3592148l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 6) (-2537516l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 7) 3915439l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 8) (-3861115l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 9) (-3043716l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 10) 3574422l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 11) (-2867647l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 12) 3539968l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 13) (-300467l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 14) 2348700l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 15) (-539299l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 16) (-1699267l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 17) (-1643818l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 18) 3505694l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 19) (-3821735l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 20) 3507263l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 21) (-2140649l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 22) (-1600420l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 23) 3699596l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 24) 811944l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 25) 531354l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 26) 954230l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 27) 3881043l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 28) 3900724l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 29) (-2556880l) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 30) 2071892l in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2___round re (sz 31) (-2797779l) in +let ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 0) 2706023l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 1) 95776l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 2) 3077325l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 3) 3530437l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 4) (-1661693l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 5) (-3592148l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 6) (-2537516l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 7) 3915439l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 8) (-3861115l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 9) (-3043716l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 10) 3574422l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 11) (-2867647l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 12) 3539968l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 13) (-300467l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 14) 2348700l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 15) (-539299l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 16) (-1699267l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 17) (-1643818l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 18) 3505694l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 19) (-3821735l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 20) 3507263l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 21) (-2140649l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 22) (-1600420l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 23) 3699596l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 24) 811944l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 25) 531354l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 26) 954230l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 27) 3881043l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 28) 3900724l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 29) (-2556880l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 30) 2071892l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2___round re (sz 31) (-2797779l) + in re let outer_3_plus (v_OFFSET v_STEP_BY: usize) (v_ZETA: i32) - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Folds.fold_range v_OFFSET (v_OFFSET +! v_STEP_BY <: usize) (fun re temp_1_ -> - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = re in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = re in let _:usize = temp_1_ in true) re (fun re j -> - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = re in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = re in let j:usize = j in - let tmp:t_Array i32 (sz 8) = re.[ j +! v_STEP_BY <: usize ] in - let tmp:t_Array i32 (sz 8) = + let tmp:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + re.[ j +! v_STEP_BY <: usize ] + in + let tmp:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant tmp v_ZETA in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! v_STEP_BY <: usize) - (re.[ j ] <: t_Array i32 (sz 8)) + (re.[ j ] <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! v_STEP_BY <: usize) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j +! v_STEP_BY <: usize ] <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) tmp <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re j - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] <: t_Array i32 (sz 8)) tmp + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + tmp <: - t_Array i32 (sz 8)) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) in re) in let hax_temp_output:Prims.unit = () <: Prims.unit in re -let ntt_at_layer_3_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 1) 2725464l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 2) (sz 1) 1024112l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 4) (sz 1) (-1079900l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 6) (sz 1) 3585928l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 8) (sz 1) (-549488l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 10) (sz 1) (-1119584l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 12) (sz 1) 2619752l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 14) (sz 1) (-2108549l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 1) (-2118186l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 18) (sz 1) (-3859737l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 20) (sz 1) (-1399561l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 22) (sz 1) (-3277672l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 24) (sz 1) 1757237l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 26) (sz 1) (-19422l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 28) (sz 1) 4010497l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 30) (sz 1) 280005l re in +let ntt_at_layer_3_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 0) (sz 1) 2725464l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 2) (sz 1) 1024112l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 4) (sz 1) (-1079900l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 6) (sz 1) 3585928l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 8) (sz 1) (-549488l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 10) (sz 1) (-1119584l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 12) (sz 1) 2619752l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 14) (sz 1) (-2108549l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 16) (sz 1) (-2118186l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 18) (sz 1) (-3859737l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 20) (sz 1) (-1399561l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 22) (sz 1) (-3277672l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 24) (sz 1) 1757237l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 26) (sz 1) (-19422l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 28) (sz 1) 4010497l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 30) (sz 1) 280005l re + in re -let ntt_at_layer_4_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 2) 1826347l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 4) (sz 2) 2353451l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 8) (sz 2) (-359251l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 12) (sz 2) (-2091905l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 2) 3119733l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 20) (sz 2) (-2884855l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 24) (sz 2) 3111497l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 28) (sz 2) 2680103l re in +let ntt_at_layer_4_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 0) (sz 2) 1826347l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 4) (sz 2) 2353451l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 8) (sz 2) (-359251l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 12) (sz 2) (-2091905l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 16) (sz 2) 3119733l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 20) (sz 2) (-2884855l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 24) (sz 2) 3111497l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 28) (sz 2) 2680103l re + in re -let ntt_at_layer_5_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 4) 237124l re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 8) (sz 4) (-777960l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 4) (-876248l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 24) (sz 4) 466468l re in +let ntt_at_layer_5_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 0) (sz 4) 237124l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 8) (sz 4) (-777960l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 16) (sz 4) (-876248l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 24) (sz 4) 466468l re + in re -let ntt_at_layer_6_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 8) (-2608894l) re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 16) (sz 8) (-518909l) re in +let ntt_at_layer_6_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 0) (sz 8) (-2608894l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 16) (sz 8) (-518909l) re + in re -let ntt_at_layer_7_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = outer_3_plus (sz 0) (sz 16) 25847l re in +let ntt_at_layer_7_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + outer_3_plus (sz 0) (sz 16) 25847l re + in re -let ntt (re: t_Array (t_Array i32 (sz 8)) (sz 32)) = - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_7_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_6_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_5_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_4_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_3_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_2_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_1_ re in - let re:t_Array (t_Array i32 (sz 8)) (sz 32) = ntt_at_layer_0_ re in +let ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_7_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_6_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_5_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_4_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_3_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_2_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0_ re + in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti index 350089b14..71ab0dd53 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti @@ -23,59 +23,100 @@ let ntt_at_layer_7___STEP: usize = sz 128 let ntt_at_layer_7___STEP_BY: usize = sz 16 -val simd_unit_ntt_at_layer_0_ (simd_unit: t_Array i32 (sz 8)) (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) +val simd_unit_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_0___round - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_0_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val simd_unit_ntt_at_layer_1_ (simd_unit: t_Array i32 (sz 8)) (zeta1 zeta2: i32) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta1 zeta2: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_1___round - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) (zeta_0_ zeta_1_: i32) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_1_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val simd_unit_ntt_at_layer_2_ (simd_unit: t_Array i32 (sz 8)) (zeta: i32) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_2___round (re: t_Array (t_Array i32 (sz 8)) (sz 32)) (index: usize) (zeta: i32) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_2___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + (index: usize) + (zeta: i32) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) -val ntt_at_layer_2_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) val outer_3_plus (v_OFFSET v_STEP_BY: usize) (v_ZETA: i32) - (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_3_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_4_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_5_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_6_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_7_ (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val ntt (re: t_Array (t_Array i32 (sz 8)) (sz 32)) - : Prims.Pure (t_Array (t_Array i32 (sz 8)) (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_3_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_4_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_5_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_6_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_7_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst index 81ce54423..d33b18595 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst @@ -5,36 +5,43 @@ open FStar.Mul [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl': Core.Clone.t_Clone t_PortableSIMDUnit +val impl': Core.Clone.t_Clone t_Coefficients let impl = impl' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_1': Core.Marker.t_Copy t_PortableSIMDUnit +val impl_1': Core.Marker.t_Copy t_Coefficients let impl_1 = impl_1' -let zero (_: Prims.unit) = Rust_primitives.Hax.repeat 0l (sz 8) +let zero (_: Prims.unit) = { f_values = Rust_primitives.Hax.repeat 0l (sz 8) } <: t_Coefficients -let from_coefficient_array (array: t_Slice i32) (out: t_Array i32 (sz 8)) = - let hax_temp_output, out:(Prims.unit & t_Array i32 (sz 8)) = +let from_coefficient_array (array: t_Slice i32) (out: t_Coefficients) = + let hax_temp_output, out:(Prims.unit & t_Coefficients) = (), - Core.Slice.impl__copy_from_slice #i32 - out - (array.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i32) + ({ + out with + f_values + = + Core.Slice.impl__copy_from_slice #i32 + out.f_values + (array.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + } + <: + t_Coefficients) <: - (Prims.unit & t_Array i32 (sz 8)) + (Prims.unit & t_Coefficients) in out -let to_coefficient_array (value: t_Array i32 (sz 8)) (out: t_Slice i32) = - let out:t_Slice i32 = Core.Slice.impl__copy_from_slice #i32 out (value <: t_Slice i32) in +let to_coefficient_array (value: t_Coefficients) (out: t_Slice i32) = + let out:t_Slice i32 = Core.Slice.impl__copy_from_slice #i32 out (value.f_values <: t_Slice i32) in out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti index 688159e96..9084fe638 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti @@ -3,18 +3,18 @@ module Libcrux_ml_dsa.Simd.Portable.Vector_type open Core open FStar.Mul -type t_PortableSIMDUnit = | PortableSIMDUnit : t_PortableSIMDUnit +type t_Coefficients = { f_values:t_Array i32 (sz 8) } [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Core.Clone.t_Clone t_PortableSIMDUnit +val impl:Core.Clone.t_Clone t_Coefficients [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Core.Marker.t_Copy t_PortableSIMDUnit +val impl_1:Core.Marker.t_Copy t_Coefficients -val zero: Prims.unit -> Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) +val zero: Prims.unit -> Prims.Pure t_Coefficients Prims.l_True (fun _ -> Prims.l_True) -val from_coefficient_array (array: t_Slice i32) (out: t_Array i32 (sz 8)) - : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) +val from_coefficient_array (array: t_Slice i32) (out: t_Coefficients) + : Prims.Pure t_Coefficients Prims.l_True (fun _ -> Prims.l_True) -val to_coefficient_array (value: t_Array i32 (sz 8)) (out: t_Slice i32) +val to_coefficient_array (value: t_Coefficients) (out: t_Slice i32) : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti index dce1635e5..4afcf9416 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti @@ -10,442 +10,5 @@ let _ = () [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations -Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - _super_13011033735201511749 = FStar.Tactics.Typeclasses.solve; - _super_9529721400157967266 = FStar.Tactics.Typeclasses.solve; - f_Coefficient = t_Array i32 (sz 8); - f_Coefficient_2030105210046411076 = FStar.Tactics.Typeclasses.solve; - f_zero_pre = (fun (_: Prims.unit) -> true); - f_zero_post = (fun (_: Prims.unit) (out: t_Array i32 (sz 8)) -> true); - f_zero = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Portable.Vector_type.zero ()); - f_from_coefficient_array_pre = (fun (array: t_Slice i32) (out: t_Array i32 (sz 8)) -> true); - f_from_coefficient_array_post - = - (fun (array: t_Slice i32) (out: t_Array i32 (sz 8)) (out1: t_Array i32 (sz 8)) -> true); - f_from_coefficient_array - = - (fun (array: t_Slice i32) (out: t_Array i32 (sz 8)) -> - let hax_temp_output, out:(Prims.unit & t_Array i32 (sz 8)) = - (), Libcrux_ml_dsa.Simd.Portable.Vector_type.from_coefficient_array array out - <: - (Prims.unit & t_Array i32 (sz 8)) - in - out); - f_to_coefficient_array_pre = (fun (value: t_Array i32 (sz 8)) (out: t_Slice i32) -> true); - f_to_coefficient_array_post - = - (fun (value: t_Array i32 (sz 8)) (out: t_Slice i32) (out1: t_Slice i32) -> true); - f_to_coefficient_array - = - (fun (value: t_Array i32 (sz 8)) (out: t_Slice i32) -> - let hax_temp_output, out:(Prims.unit & t_Slice i32) = - (), Libcrux_ml_dsa.Simd.Portable.Vector_type.to_coefficient_array value out - <: - (Prims.unit & t_Slice i32) - in - out); - f_add_pre = (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) -> true); - f_add_post - = - (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) (out: t_Array i32 (sz 8)) -> true); - f_add - = - (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) -> - let hax_temp_output, lhs:(Prims.unit & t_Array i32 (sz 8)) = - (), Libcrux_ml_dsa.Simd.Portable.Arithmetic.add lhs rhs - <: - (Prims.unit & t_Array i32 (sz 8)) - in - lhs); - f_subtract_pre = (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) -> true); - f_subtract_post - = - (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) (out: t_Array i32 (sz 8)) -> true); - f_subtract - = - (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) -> - let hax_temp_output, lhs:(Prims.unit & t_Array i32 (sz 8)) = - (), Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract lhs rhs - <: - (Prims.unit & t_Array i32 (sz 8)) - in - lhs); - f_montgomery_multiply_pre = (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) -> true); - f_montgomery_multiply_post - = - (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) (out: t_Array i32 (sz 8)) -> true); - f_montgomery_multiply - = - (fun (lhs: t_Array i32 (sz 8)) (rhs: t_Array i32 (sz 8)) -> - let lhs:t_Array i32 (sz 8) = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply lhs rhs - in - lhs); - f_shift_left_then_reduce_pre = (fun (v_SHIFT_BY: i32) (simd_unit: t_Array i32 (sz 8)) -> true); - f_shift_left_then_reduce_post - = - (fun (v_SHIFT_BY: i32) (simd_unit: t_Array i32 (sz 8)) (out: t_Array i32 (sz 8)) -> true); - f_shift_left_then_reduce - = - (fun (v_SHIFT_BY: i32) (simd_unit: t_Array i32 (sz 8)) -> - let simd_unit:t_Array i32 (sz 8) = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit - in - simd_unit); - f_power2round_pre = (fun (t0: t_Array i32 (sz 8)) (t1: t_Array i32 (sz 8)) -> true); - f_power2round_post - = - (fun - (t0: t_Array i32 (sz 8)) - (t1: t_Array i32 (sz 8)) - (out: (t_Array i32 (sz 8) & t_Array i32 (sz 8))) - -> - true); - f_power2round - = - (fun (t0: t_Array i32 (sz 8)) (t1: t_Array i32 (sz 8)) -> - let tmp0, tmp1:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.power2round t0 t1 - in - let t0:t_Array i32 (sz 8) = tmp0 in - let t1:t_Array i32 (sz 8) = tmp1 in - let hax_temp_output:Prims.unit = () in - t0, t1 <: (t_Array i32 (sz 8) & t_Array i32 (sz 8))); - f_infinity_norm_exceeds_pre = (fun (simd_unit: t_Array i32 (sz 8)) (bound: i32) -> true); - f_infinity_norm_exceeds_post - = - (fun (simd_unit: t_Array i32 (sz 8)) (bound: i32) (out: bool) -> true); - f_infinity_norm_exceeds - = - (fun (simd_unit: t_Array i32 (sz 8)) (bound: i32) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.infinity_norm_exceeds simd_unit bound); - f_decompose_pre - = - (fun - (gamma2: i32) - (simd_unit: t_Array i32 (sz 8)) - (low: t_Array i32 (sz 8)) - (high: t_Array i32 (sz 8)) - -> - true); - f_decompose_post - = - (fun - (gamma2: i32) - (simd_unit: t_Array i32 (sz 8)) - (low: t_Array i32 (sz 8)) - (high: t_Array i32 (sz 8)) - (out: (t_Array i32 (sz 8) & t_Array i32 (sz 8))) - -> - true); - f_decompose - = - (fun - (gamma2: i32) - (simd_unit: t_Array i32 (sz 8)) - (low: t_Array i32 (sz 8)) - (high: t_Array i32 (sz 8)) - -> - let tmp0, tmp1:(t_Array i32 (sz 8) & t_Array i32 (sz 8)) = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.decompose gamma2 simd_unit low high - in - let low:t_Array i32 (sz 8) = tmp0 in - let high:t_Array i32 (sz 8) = tmp1 in - let hax_temp_output:Prims.unit = () in - low, high <: (t_Array i32 (sz 8) & t_Array i32 (sz 8))); - f_compute_hint_pre - = - (fun - (v_GAMMA2: i32) - (low: t_Array i32 (sz 8)) - (high: t_Array i32 (sz 8)) - (hint: t_Array i32 (sz 8)) - -> - true); - f_compute_hint_post - = - (fun - (v_GAMMA2: i32) - (low: t_Array i32 (sz 8)) - (high: t_Array i32 (sz 8)) - (hint: t_Array i32 (sz 8)) - (out2: (t_Array i32 (sz 8) & usize)) - -> - true); - f_compute_hint - = - (fun - (v_GAMMA2: i32) - (low: t_Array i32 (sz 8)) - (high: t_Array i32 (sz 8)) - (hint: t_Array i32 (sz 8)) - -> - let tmp0, out1:(t_Array i32 (sz 8) & usize) = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high hint - in - let hint:t_Array i32 (sz 8) = tmp0 in - let hax_temp_output:usize = out1 in - hint, hax_temp_output <: (t_Array i32 (sz 8) & usize)); - f_use_hint_pre - = - (fun (gamma2: i32) (simd_unit: t_Array i32 (sz 8)) (hint: t_Array i32 (sz 8)) -> true); - f_use_hint_post - = - (fun - (gamma2: i32) - (simd_unit: t_Array i32 (sz 8)) - (hint: t_Array i32 (sz 8)) - (out: t_Array i32 (sz 8)) - -> - true); - f_use_hint - = - (fun (gamma2: i32) (simd_unit: t_Array i32 (sz 8)) (hint: t_Array i32 (sz 8)) -> - let hax_temp_output, hint:(Prims.unit & t_Array i32 (sz 8)) = - (), Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint gamma2 simd_unit hint - <: - (Prims.unit & t_Array i32 (sz 8)) - in - hint); - f_rejection_sample_less_than_field_modulus_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_field_modulus_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_field_modulus - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_field_modulus randomness - out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_rejection_sample_less_than_eta_equals_2_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_eta_equals_2_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_eta_equals_2_ - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_2_ randomness - out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_rejection_sample_less_than_eta_equals_4_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_eta_equals_4_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_eta_equals_4_ - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_4_ randomness - out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_gamma1_serialize_pre - = - (fun (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) (gamma1_exponent: usize) -> true); - f_gamma1_serialize_post - = - (fun - (simd_unit: t_Array i32 (sz 8)) - (serialized: t_Slice u8) - (gamma1_exponent: usize) - (out: t_Slice u8) - -> - true); - f_gamma1_serialize - = - (fun (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) (gamma1_exponent: usize) -> - let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = - (), - Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize simd_unit - serialized - gamma1_exponent - <: - (Prims.unit & t_Slice u8) - in - serialized); - f_gamma1_deserialize_pre - = - (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) (gamma1_exponent: usize) -> true); - f_gamma1_deserialize_post - = - (fun - (serialized: t_Slice u8) - (out: t_Array i32 (sz 8)) - (gamma1_exponent: usize) - (out1: t_Array i32 (sz 8)) - -> - true); - f_gamma1_deserialize - = - (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) (gamma1_exponent: usize) -> - let hax_temp_output, out:(Prims.unit & t_Array i32 (sz 8)) = - (), - Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.deserialize serialized out gamma1_exponent - <: - (Prims.unit & t_Array i32 (sz 8)) - in - out); - f_commitment_serialize_pre - = - (fun (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) -> true); - f_commitment_serialize_post - = - (fun (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) (out: t_Slice u8) -> true); - f_commitment_serialize - = - (fun (simd_unit: t_Array i32 (sz 8)) (serialized: t_Slice u8) -> - let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = - (), Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize simd_unit serialized - <: - (Prims.unit & t_Slice u8) - in - serialized); - f_error_serialize_pre - = - (fun - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (simd_unit: t_Array i32 (sz 8)) - (serialized: t_Slice u8) - -> - true); - f_error_serialize_post - = - (fun - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (simd_unit: t_Array i32 (sz 8)) - (serialized: t_Slice u8) - (out: t_Slice u8) - -> - true); - f_error_serialize - = - (fun - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (simd_unit: t_Array i32 (sz 8)) - (serialized: t_Slice u8) - -> - let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = - (), Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize eta simd_unit serialized - <: - (Prims.unit & t_Slice u8) - in - serialized); - f_error_deserialize_pre - = - (fun (eta: Libcrux_ml_dsa.Constants.t_Eta) (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) -> - true); - f_error_deserialize_post - = - (fun - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (serialized: t_Slice u8) - (out: t_Array i32 (sz 8)) - (out1: t_Array i32 (sz 8)) - -> - true); - f_error_deserialize - = - (fun (eta: Libcrux_ml_dsa.Constants.t_Eta) (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) -> - let out:t_Array i32 (sz 8) = - Libcrux_ml_dsa.Simd.Portable.Encoding.Error.deserialize eta serialized out - in - out); - f_t0_serialize_pre = (fun (simd_unit: t_Array i32 (sz 8)) (out: t_Slice u8) -> true); - f_t0_serialize_post - = - (fun (simd_unit: t_Array i32 (sz 8)) (out: t_Slice u8) (out1: t_Slice u8) -> true); - f_t0_serialize - = - (fun (simd_unit: t_Array i32 (sz 8)) (out: t_Slice u8) -> - let hax_temp_output, out:(Prims.unit & t_Slice u8) = - (), Libcrux_ml_dsa.Simd.Portable.Encoding.T0.serialize simd_unit out - <: - (Prims.unit & t_Slice u8) - in - out); - f_t0_deserialize_pre = (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) -> true); - f_t0_deserialize_post - = - (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) (out1: t_Array i32 (sz 8)) -> true); - f_t0_deserialize - = - (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) -> - let hax_temp_output, out:(Prims.unit & t_Array i32 (sz 8)) = - (), Libcrux_ml_dsa.Simd.Portable.Encoding.T0.deserialize serialized out - <: - (Prims.unit & t_Array i32 (sz 8)) - in - out); - f_t1_serialize_pre = (fun (simd_unit: t_Array i32 (sz 8)) (out: t_Slice u8) -> true); - f_t1_serialize_post - = - (fun (simd_unit: t_Array i32 (sz 8)) (out: t_Slice u8) (out1: t_Slice u8) -> true); - f_t1_serialize - = - (fun (simd_unit: t_Array i32 (sz 8)) (out: t_Slice u8) -> - let out:t_Slice u8 = Libcrux_ml_dsa.Simd.Portable.Encoding.T1.serialize simd_unit out in - out); - f_t1_deserialize_pre = (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) -> true); - f_t1_deserialize_post - = - (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) (out1: t_Array i32 (sz 8)) -> true); - f_t1_deserialize - = - (fun (serialized: t_Slice u8) (out: t_Array i32 (sz 8)) -> - let out:t_Array i32 (sz 8) = - Libcrux_ml_dsa.Simd.Portable.Encoding.T1.deserialize serialized out - in - out); - f_ntt_pre = (fun (simd_units: t_Array (t_Array i32 (sz 8)) (sz 32)) -> true); - f_ntt_post - = - (fun - (simd_units: t_Array (t_Array i32 (sz 8)) (sz 32)) - (out: t_Array (t_Array i32 (sz 8)) (sz 32)) - -> - true); - f_ntt - = - (fun (simd_units: t_Array (t_Array i32 (sz 8)) (sz 32)) -> - let hax_temp_output, simd_units:(Prims.unit & t_Array (t_Array i32 (sz 8)) (sz 32)) = - (), Libcrux_ml_dsa.Simd.Portable.Ntt.ntt simd_units - <: - (Prims.unit & t_Array (t_Array i32 (sz 8)) (sz 32)) - in - simd_units); - f_invert_ntt_montgomery_pre = (fun (simd_units: t_Array (t_Array i32 (sz 8)) (sz 32)) -> true); - f_invert_ntt_montgomery_post - = - (fun - (simd_units: t_Array (t_Array i32 (sz 8)) (sz 32)) - (out: t_Array (t_Array i32 (sz 8)) (sz 32)) - -> - true); - f_invert_ntt_montgomery - = - fun (simd_units: t_Array (t_Array i32 (sz 8)) (sz 32)) -> - let hax_temp_output, simd_units:(Prims.unit & t_Array (t_Array i32 (sz 8)) (sz 32)) = - (), Libcrux_ml_dsa.Simd.Portable.Invntt.invert_ntt_montgomery simd_units - <: - (Prims.unit & t_Array (t_Array i32 (sz 8)) (sz 32)) - in - simd_units - } +val impl:Libcrux_ml_dsa.Simd.Traits.t_Operations +Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti index b97243e72..ff8e6360b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti @@ -3,96 +3,70 @@ module Libcrux_ml_dsa.Simd.Traits open Core open FStar.Mul -let v_COEFFICIENTS_IN_SIMD_UNIT: usize = sz 8 - -let v_FIELD_MODULUS: i32 = 8380417l - -let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL - -let v_SIMD_UNITS_IN_RING_ELEMENT: usize = - Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT - class t_Operations (v_Self: Type0) = { [@@@ FStar.Tactics.Typeclasses.no_method]_super_13011033735201511749:Core.Marker.t_Copy v_Self; [@@@ FStar.Tactics.Typeclasses.no_method]_super_9529721400157967266:Core.Clone.t_Clone v_Self; - f_Coefficient:Type0; - f_Coefficient_2030105210046411076:Core.Marker.t_Copy f_Coefficient; f_zero_pre:Prims.unit -> Type0; - f_zero_post:Prims.unit -> f_Coefficient -> Type0; - f_zero:x0: Prims.unit - -> Prims.Pure f_Coefficient (f_zero_pre x0) (fun result -> f_zero_post x0 result); - f_from_coefficient_array_pre:t_Slice i32 -> f_Coefficient -> Type0; - f_from_coefficient_array_post:t_Slice i32 -> f_Coefficient -> f_Coefficient -> Type0; - f_from_coefficient_array:x0: t_Slice i32 -> x1: f_Coefficient - -> Prims.Pure f_Coefficient + f_zero_post:Prims.unit -> v_Self -> Type0; + f_zero:x0: Prims.unit -> Prims.Pure v_Self (f_zero_pre x0) (fun result -> f_zero_post x0 result); + f_from_coefficient_array_pre:t_Slice i32 -> v_Self -> Type0; + f_from_coefficient_array_post:t_Slice i32 -> v_Self -> v_Self -> Type0; + f_from_coefficient_array:x0: t_Slice i32 -> x1: v_Self + -> Prims.Pure v_Self (f_from_coefficient_array_pre x0 x1) (fun result -> f_from_coefficient_array_post x0 x1 result); - f_to_coefficient_array_pre:f_Coefficient -> t_Slice i32 -> Type0; - f_to_coefficient_array_post:f_Coefficient -> t_Slice i32 -> t_Slice i32 -> Type0; - f_to_coefficient_array:x0: f_Coefficient -> x1: t_Slice i32 + f_to_coefficient_array_pre:v_Self -> t_Slice i32 -> Type0; + f_to_coefficient_array_post:v_Self -> t_Slice i32 -> t_Slice i32 -> Type0; + f_to_coefficient_array:x0: v_Self -> x1: t_Slice i32 -> Prims.Pure (t_Slice i32) (f_to_coefficient_array_pre x0 x1) (fun result -> f_to_coefficient_array_post x0 x1 result); - f_add_pre:f_Coefficient -> f_Coefficient -> Type0; - f_add_post:f_Coefficient -> f_Coefficient -> f_Coefficient -> Type0; - f_add:x0: f_Coefficient -> x1: f_Coefficient - -> Prims.Pure f_Coefficient (f_add_pre x0 x1) (fun result -> f_add_post x0 x1 result); - f_subtract_pre:f_Coefficient -> f_Coefficient -> Type0; - f_subtract_post:f_Coefficient -> f_Coefficient -> f_Coefficient -> Type0; - f_subtract:x0: f_Coefficient -> x1: f_Coefficient - -> Prims.Pure f_Coefficient (f_subtract_pre x0 x1) (fun result -> f_subtract_post x0 x1 result); - f_infinity_norm_exceeds_pre:f_Coefficient -> i32 -> Type0; - f_infinity_norm_exceeds_post:f_Coefficient -> i32 -> bool -> Type0; - f_infinity_norm_exceeds:x0: f_Coefficient -> x1: i32 + f_add_pre:v_Self -> v_Self -> Type0; + f_add_post:v_Self -> v_Self -> v_Self -> Type0; + f_add:x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self (f_add_pre x0 x1) (fun result -> f_add_post x0 x1 result); + f_subtract_pre:v_Self -> v_Self -> Type0; + f_subtract_post:v_Self -> v_Self -> v_Self -> Type0; + f_subtract:x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self (f_subtract_pre x0 x1) (fun result -> f_subtract_post x0 x1 result); + f_infinity_norm_exceeds_pre:v_Self -> i32 -> Type0; + f_infinity_norm_exceeds_post:v_Self -> i32 -> bool -> Type0; + f_infinity_norm_exceeds:x0: v_Self -> x1: i32 -> Prims.Pure bool (f_infinity_norm_exceeds_pre x0 x1) (fun result -> f_infinity_norm_exceeds_post x0 x1 result); - f_decompose_pre:i32 -> f_Coefficient -> f_Coefficient -> f_Coefficient -> Type0; - f_decompose_post: - i32 -> - f_Coefficient -> - f_Coefficient -> - f_Coefficient -> - (f_Coefficient & f_Coefficient) - -> Type0; - f_decompose:x0: i32 -> x1: f_Coefficient -> x2: f_Coefficient -> x3: f_Coefficient - -> Prims.Pure (f_Coefficient & f_Coefficient) + f_decompose_pre:i32 -> v_Self -> v_Self -> v_Self -> Type0; + f_decompose_post:i32 -> v_Self -> v_Self -> v_Self -> (v_Self & v_Self) -> Type0; + f_decompose:x0: i32 -> x1: v_Self -> x2: v_Self -> x3: v_Self + -> Prims.Pure (v_Self & v_Self) (f_decompose_pre x0 x1 x2 x3) (fun result -> f_decompose_post x0 x1 x2 x3 result); - f_compute_hint_pre:v_GAMMA2: i32 -> f_Coefficient -> f_Coefficient -> f_Coefficient -> Type0; - f_compute_hint_post: - v_GAMMA2: i32 -> - f_Coefficient -> - f_Coefficient -> - f_Coefficient -> - (f_Coefficient & usize) - -> Type0; - f_compute_hint:v_GAMMA2: i32 -> x0: f_Coefficient -> x1: f_Coefficient -> x2: f_Coefficient - -> Prims.Pure (f_Coefficient & usize) + f_compute_hint_pre:v_GAMMA2: i32 -> v_Self -> v_Self -> v_Self -> Type0; + f_compute_hint_post:v_GAMMA2: i32 -> v_Self -> v_Self -> v_Self -> (v_Self & usize) -> Type0; + f_compute_hint:v_GAMMA2: i32 -> x0: v_Self -> x1: v_Self -> x2: v_Self + -> Prims.Pure (v_Self & usize) (f_compute_hint_pre v_GAMMA2 x0 x1 x2) (fun result -> f_compute_hint_post v_GAMMA2 x0 x1 x2 result); - f_use_hint_pre:i32 -> f_Coefficient -> f_Coefficient -> Type0; - f_use_hint_post:i32 -> f_Coefficient -> f_Coefficient -> f_Coefficient -> Type0; - f_use_hint:x0: i32 -> x1: f_Coefficient -> x2: f_Coefficient - -> Prims.Pure f_Coefficient - (f_use_hint_pre x0 x1 x2) - (fun result -> f_use_hint_post x0 x1 x2 result); - f_montgomery_multiply_pre:f_Coefficient -> f_Coefficient -> Type0; - f_montgomery_multiply_post:f_Coefficient -> f_Coefficient -> f_Coefficient -> Type0; - f_montgomery_multiply:x0: f_Coefficient -> x1: f_Coefficient - -> Prims.Pure f_Coefficient + f_use_hint_pre:i32 -> v_Self -> v_Self -> Type0; + f_use_hint_post:i32 -> v_Self -> v_Self -> v_Self -> Type0; + f_use_hint:x0: i32 -> x1: v_Self -> x2: v_Self + -> Prims.Pure v_Self (f_use_hint_pre x0 x1 x2) (fun result -> f_use_hint_post x0 x1 x2 result); + f_montgomery_multiply_pre:v_Self -> v_Self -> Type0; + f_montgomery_multiply_post:v_Self -> v_Self -> v_Self -> Type0; + f_montgomery_multiply:x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self (f_montgomery_multiply_pre x0 x1) (fun result -> f_montgomery_multiply_post x0 x1 result); - f_shift_left_then_reduce_pre:v_SHIFT_BY: i32 -> f_Coefficient -> Type0; - f_shift_left_then_reduce_post:v_SHIFT_BY: i32 -> f_Coefficient -> f_Coefficient -> Type0; - f_shift_left_then_reduce:v_SHIFT_BY: i32 -> x0: f_Coefficient - -> Prims.Pure f_Coefficient + f_shift_left_then_reduce_pre:v_SHIFT_BY: i32 -> v_Self -> Type0; + f_shift_left_then_reduce_post:v_SHIFT_BY: i32 -> v_Self -> v_Self -> Type0; + f_shift_left_then_reduce:v_SHIFT_BY: i32 -> x0: v_Self + -> Prims.Pure v_Self (f_shift_left_then_reduce_pre v_SHIFT_BY x0) (fun result -> f_shift_left_then_reduce_post v_SHIFT_BY x0 result); - f_power2round_pre:f_Coefficient -> f_Coefficient -> Type0; - f_power2round_post:f_Coefficient -> f_Coefficient -> (f_Coefficient & f_Coefficient) -> Type0; - f_power2round:x0: f_Coefficient -> x1: f_Coefficient - -> Prims.Pure (f_Coefficient & f_Coefficient) + f_power2round_pre:v_Self -> v_Self -> Type0; + f_power2round_post:v_Self -> v_Self -> (v_Self & v_Self) -> Type0; + f_power2round:x0: v_Self -> x1: v_Self + -> Prims.Pure (v_Self & v_Self) (f_power2round_pre x0 x1) (fun result -> f_power2round_post x0 x1 result); f_rejection_sample_less_than_field_modulus_pre:t_Slice u8 -> t_Slice i32 -> Type0; @@ -116,77 +90,78 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure (t_Slice i32 & usize) (f_rejection_sample_less_than_eta_equals_4_pre x0 x1) (fun result -> f_rejection_sample_less_than_eta_equals_4_post x0 x1 result); - f_gamma1_serialize_pre:f_Coefficient -> t_Slice u8 -> usize -> Type0; - f_gamma1_serialize_post:f_Coefficient -> t_Slice u8 -> usize -> t_Slice u8 -> Type0; - f_gamma1_serialize:x0: f_Coefficient -> x1: t_Slice u8 -> x2: usize + f_gamma1_serialize_pre:v_Self -> t_Slice u8 -> usize -> Type0; + f_gamma1_serialize_post:v_Self -> t_Slice u8 -> usize -> t_Slice u8 -> Type0; + f_gamma1_serialize:x0: v_Self -> x1: t_Slice u8 -> x2: usize -> Prims.Pure (t_Slice u8) (f_gamma1_serialize_pre x0 x1 x2) (fun result -> f_gamma1_serialize_post x0 x1 x2 result); - f_gamma1_deserialize_pre:t_Slice u8 -> f_Coefficient -> usize -> Type0; - f_gamma1_deserialize_post:t_Slice u8 -> f_Coefficient -> usize -> f_Coefficient -> Type0; - f_gamma1_deserialize:x0: t_Slice u8 -> x1: f_Coefficient -> x2: usize - -> Prims.Pure f_Coefficient + f_gamma1_deserialize_pre:t_Slice u8 -> v_Self -> usize -> Type0; + f_gamma1_deserialize_post:t_Slice u8 -> v_Self -> usize -> v_Self -> Type0; + f_gamma1_deserialize:x0: t_Slice u8 -> x1: v_Self -> x2: usize + -> Prims.Pure v_Self (f_gamma1_deserialize_pre x0 x1 x2) (fun result -> f_gamma1_deserialize_post x0 x1 x2 result); - f_commitment_serialize_pre:f_Coefficient -> t_Slice u8 -> Type0; - f_commitment_serialize_post:f_Coefficient -> t_Slice u8 -> t_Slice u8 -> Type0; - f_commitment_serialize:x0: f_Coefficient -> x1: t_Slice u8 + f_commitment_serialize_pre:v_Self -> t_Slice u8 -> Type0; + f_commitment_serialize_post:v_Self -> t_Slice u8 -> t_Slice u8 -> Type0; + f_commitment_serialize:x0: v_Self -> x1: t_Slice u8 -> Prims.Pure (t_Slice u8) (f_commitment_serialize_pre x0 x1) (fun result -> f_commitment_serialize_post x0 x1 result); - f_error_serialize_pre:Libcrux_ml_dsa.Constants.t_Eta -> f_Coefficient -> t_Slice u8 -> Type0; - f_error_serialize_post:Libcrux_ml_dsa.Constants.t_Eta -> f_Coefficient -> t_Slice u8 -> t_Slice u8 + f_error_serialize_pre:Libcrux_ml_dsa.Constants.t_Eta -> v_Self -> t_Slice u8 -> Type0; + f_error_serialize_post:Libcrux_ml_dsa.Constants.t_Eta -> v_Self -> t_Slice u8 -> t_Slice u8 -> Type0; - f_error_serialize:x0: Libcrux_ml_dsa.Constants.t_Eta -> x1: f_Coefficient -> x2: t_Slice u8 + f_error_serialize:x0: Libcrux_ml_dsa.Constants.t_Eta -> x1: v_Self -> x2: t_Slice u8 -> Prims.Pure (t_Slice u8) (f_error_serialize_pre x0 x1 x2) (fun result -> f_error_serialize_post x0 x1 x2 result); - f_error_deserialize_pre:Libcrux_ml_dsa.Constants.t_Eta -> t_Slice u8 -> f_Coefficient -> Type0; - f_error_deserialize_post: - Libcrux_ml_dsa.Constants.t_Eta -> - t_Slice u8 -> - f_Coefficient -> - f_Coefficient - -> Type0; - f_error_deserialize:x0: Libcrux_ml_dsa.Constants.t_Eta -> x1: t_Slice u8 -> x2: f_Coefficient - -> Prims.Pure f_Coefficient + f_error_deserialize_pre:Libcrux_ml_dsa.Constants.t_Eta -> t_Slice u8 -> v_Self -> Type0; + f_error_deserialize_post:Libcrux_ml_dsa.Constants.t_Eta -> t_Slice u8 -> v_Self -> v_Self -> Type0; + f_error_deserialize:x0: Libcrux_ml_dsa.Constants.t_Eta -> x1: t_Slice u8 -> x2: v_Self + -> Prims.Pure v_Self (f_error_deserialize_pre x0 x1 x2) (fun result -> f_error_deserialize_post x0 x1 x2 result); - f_t0_serialize_pre:f_Coefficient -> t_Slice u8 -> Type0; - f_t0_serialize_post:f_Coefficient -> t_Slice u8 -> t_Slice u8 -> Type0; - f_t0_serialize:x0: f_Coefficient -> x1: t_Slice u8 + f_t0_serialize_pre:v_Self -> t_Slice u8 -> Type0; + f_t0_serialize_post:v_Self -> t_Slice u8 -> t_Slice u8 -> Type0; + f_t0_serialize:x0: v_Self -> x1: t_Slice u8 -> Prims.Pure (t_Slice u8) (f_t0_serialize_pre x0 x1) (fun result -> f_t0_serialize_post x0 x1 result); - f_t0_deserialize_pre:t_Slice u8 -> f_Coefficient -> Type0; - f_t0_deserialize_post:t_Slice u8 -> f_Coefficient -> f_Coefficient -> Type0; - f_t0_deserialize:x0: t_Slice u8 -> x1: f_Coefficient - -> Prims.Pure f_Coefficient + f_t0_deserialize_pre:t_Slice u8 -> v_Self -> Type0; + f_t0_deserialize_post:t_Slice u8 -> v_Self -> v_Self -> Type0; + f_t0_deserialize:x0: t_Slice u8 -> x1: v_Self + -> Prims.Pure v_Self (f_t0_deserialize_pre x0 x1) (fun result -> f_t0_deserialize_post x0 x1 result); - f_t1_serialize_pre:f_Coefficient -> t_Slice u8 -> Type0; - f_t1_serialize_post:f_Coefficient -> t_Slice u8 -> t_Slice u8 -> Type0; - f_t1_serialize:x0: f_Coefficient -> x1: t_Slice u8 + f_t1_serialize_pre:v_Self -> t_Slice u8 -> Type0; + f_t1_serialize_post:v_Self -> t_Slice u8 -> t_Slice u8 -> Type0; + f_t1_serialize:x0: v_Self -> x1: t_Slice u8 -> Prims.Pure (t_Slice u8) (f_t1_serialize_pre x0 x1) (fun result -> f_t1_serialize_post x0 x1 result); - f_t1_deserialize_pre:t_Slice u8 -> f_Coefficient -> Type0; - f_t1_deserialize_post:t_Slice u8 -> f_Coefficient -> f_Coefficient -> Type0; - f_t1_deserialize:x0: t_Slice u8 -> x1: f_Coefficient - -> Prims.Pure f_Coefficient + f_t1_deserialize_pre:t_Slice u8 -> v_Self -> Type0; + f_t1_deserialize_post:t_Slice u8 -> v_Self -> v_Self -> Type0; + f_t1_deserialize:x0: t_Slice u8 -> x1: v_Self + -> Prims.Pure v_Self (f_t1_deserialize_pre x0 x1) (fun result -> f_t1_deserialize_post x0 x1 result); - f_ntt_pre:t_Array f_Coefficient (sz 32) -> Type0; - f_ntt_post:t_Array f_Coefficient (sz 32) -> t_Array f_Coefficient (sz 32) -> Type0; - f_ntt:x0: t_Array f_Coefficient (sz 32) - -> Prims.Pure (t_Array f_Coefficient (sz 32)) - (f_ntt_pre x0) - (fun result -> f_ntt_post x0 result); - f_invert_ntt_montgomery_pre:t_Array f_Coefficient (sz 32) -> Type0; - f_invert_ntt_montgomery_post:t_Array f_Coefficient (sz 32) -> t_Array f_Coefficient (sz 32) - -> Type0; - f_invert_ntt_montgomery:x0: t_Array f_Coefficient (sz 32) - -> Prims.Pure (t_Array f_Coefficient (sz 32)) + f_ntt_pre:t_Array v_Self (sz 32) -> Type0; + f_ntt_post:t_Array v_Self (sz 32) -> t_Array v_Self (sz 32) -> Type0; + f_ntt:x0: t_Array v_Self (sz 32) + -> Prims.Pure (t_Array v_Self (sz 32)) (f_ntt_pre x0) (fun result -> f_ntt_post x0 result); + f_invert_ntt_montgomery_pre:t_Array v_Self (sz 32) -> Type0; + f_invert_ntt_montgomery_post:t_Array v_Self (sz 32) -> t_Array v_Self (sz 32) -> Type0; + f_invert_ntt_montgomery:x0: t_Array v_Self (sz 32) + -> Prims.Pure (t_Array v_Self (sz 32)) (f_invert_ntt_montgomery_pre x0) (fun result -> f_invert_ntt_montgomery_post x0 result) } + +let v_COEFFICIENTS_IN_SIMD_UNIT: usize = sz 8 + +let v_FIELD_MODULUS: i32 = 8380417l + +let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL + +let v_SIMD_UNITS_IN_RING_ELEMENT: usize = + Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT From 1ab2c3a2e86c5b3ca2ebbdfe71edeff16eb09269 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 8 Jan 2025 12:51:35 +0100 Subject: [PATCH 49/58] Update libcrux-ml-dsa/src/polynomial.rs Co-authored-by: Jonas Schneider-Bensch <124457079+jschneider-bensch@users.noreply.github.com> --- libcrux-ml-dsa/src/polynomial.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index 9c4b42372..4cf104952 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -15,7 +15,7 @@ impl PolynomialRingElement { } } - // This is used in `make_int` and for tests + // This is used in `make_hint` and for tests pub(crate) fn to_i32_array(&self) -> [i32; 256] { let mut result = [0i32; 256]; From 92971e059d8d91c7ac3e75f11d343f59afb33d86 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 8 Jan 2025 12:51:44 +0100 Subject: [PATCH 50/58] Update libcrux-ml-dsa/src/simd/avx2/arithmetic.rs Co-authored-by: Jonas Schneider-Bensch <124457079+jschneider-bensch@users.noreply.github.com> --- libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index 6aaeaf408..ab18109ca 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -3,7 +3,7 @@ use crate::{ simd::traits::{FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R}, }; -use libcrux_intrinsics::avx2::{mm256_setzero_si256, *}; +use libcrux_intrinsics::avx2::*; use super::Gamma2; From fa013e55ef573c280b5f34866ca551a15391713c Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 8 Jan 2025 11:53:18 +0000 Subject: [PATCH 51/58] mldsa: update comment --- libcrux-ml-dsa/boring.sh | 3 ++- libcrux-ml-dsa/src/simd/portable/encoding/error.rs | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libcrux-ml-dsa/boring.sh b/libcrux-ml-dsa/boring.sh index 546800612..5d0261c87 100755 --- a/libcrux-ml-dsa/boring.sh +++ b/libcrux-ml-dsa/boring.sh @@ -17,7 +17,8 @@ done # Extract the C code if [[ "$no_clean" = 0 ]]; then - cargo clean + # It's enough to clean sha3 to work around the charon bug. + cargo clean -p libcrux-sha3 fi ./c.sh --config cg.yaml --out cg --mldsa65\ diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index c83d82895..da747fbbd 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -41,7 +41,6 @@ fn serialize_when_eta_is_4(simd_unit: &Coefficients, serialized: &mut [u8]) { #[inline(always)] pub(crate) fn serialize(eta: Eta, simd_unit: &Coefficients, serialized: &mut [u8]) { // [eurydice] injects an unused variable here in the C code for some reason. - // That's why we don't match here. match eta { Eta::Two => serialize_when_eta_is_2(simd_unit, serialized), Eta::Four => serialize_when_eta_is_4(simd_unit, serialized), From 0184b5286bc130336b5c4e65dd8f79be46c003bd Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 8 Jan 2025 11:54:13 +0000 Subject: [PATCH 52/58] mldsa: add missing F* files --- .../extraction/Libcrux_ml_dsa.Simd.Avx2.fst | 720 ++++++++++++++++++ .../Libcrux_ml_dsa.Simd.Portable.fst | 638 ++++++++++++++++ 2 files changed, 1358 insertions(+) create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst new file mode 100644 index 000000000..58a3321e0 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst @@ -0,0 +1,720 @@ +module Libcrux_ml_dsa.Simd.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Avx2.Vector_type in + () + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + _super_13011033735201511749 = FStar.Tactics.Typeclasses.solve; + _super_9529721400157967266 = FStar.Tactics.Typeclasses.solve; + f_zero_pre = (fun (_: Prims.unit) -> true); + f_zero_post = (fun (_: Prims.unit) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) -> true); + f_zero = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Avx2.Vector_type.zero ()); + f_from_coefficient_array_pre + = + (fun (coefficient_array: t_Slice i32) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) -> + true); + f_from_coefficient_array_post + = + (fun + (coefficient_array: t_Slice i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out1: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_from_coefficient_array + = + (fun (coefficient_array: t_Slice i32) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) -> + let hax_temp_output, out:(Prims.unit & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) = + (), Libcrux_ml_dsa.Simd.Avx2.Vector_type.from_coefficient_array coefficient_array out + <: + (Prims.unit & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + in + out); + f_to_coefficient_array_pre + = + (fun (value: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (out: t_Slice i32) -> true); + f_to_coefficient_array_post + = + (fun + (value: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out: t_Slice i32) + (out1: t_Slice i32) + -> + true); + f_to_coefficient_array + = + (fun (value: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (out: t_Slice i32) -> + let hax_temp_output, out:(Prims.unit & t_Slice i32) = + (), Libcrux_ml_dsa.Simd.Avx2.Vector_type.to_coefficient_array value out + <: + (Prims.unit & t_Slice i32) + in + out); + f_add_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_add_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_add + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + let hax_temp_output, lhs:(Prims.unit & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) = + (), + ({ + lhs with + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lhs + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + <: + (Prims.unit & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + in + lhs); + f_subtract_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_subtract_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_subtract + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + let hax_temp_output, lhs:(Prims.unit & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) = + (), + ({ + lhs with + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract lhs + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + <: + (Prims.unit & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + in + lhs); + f_montgomery_multiply_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_montgomery_multiply_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_montgomery_multiply + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + let lhs:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + lhs with + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply lhs + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + lhs); + f_shift_left_then_reduce_pre + = + (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) -> true); + f_shift_left_then_reduce_post + = + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_shift_left_then_reduce + = + (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) -> + let hax_temp_output, simd_unit:(Prims.unit & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + = + (), + ({ + simd_unit with + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.shift_left_then_reduce v_SHIFT_BY + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + <: + (Prims.unit & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + in + simd_unit); + f_power2round_pre + = + (fun + (t0: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (t1: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_power2round_post + = + (fun + (t0: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (t1: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)) + -> + true); + f_power2round + = + (fun + (t0: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (t1: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + let tmp0, tmp1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & + Libcrux_intrinsics.Avx2_extract.t_Vec256) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.power2round t0 + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + t1.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + in + let t0:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { t0 with Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value = tmp0 } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + let t1:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { t1 with Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value = tmp1 } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + let _:Prims.unit = () in + t0, t1 + <: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)); + f_infinity_norm_exceeds_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (bound: i32) -> true); + f_infinity_norm_exceeds_post + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (bound: i32) (out: bool) -> true + ); + f_infinity_norm_exceeds + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (bound: i32) -> + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.infinity_norm_exceeds simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + bound); + f_decompose_pre + = + (fun + (gamma2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_decompose_post + = + (fun + (gamma2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)) + -> + true); + f_decompose + = + (fun + (gamma2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + let tmp0, tmp1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & + Libcrux_intrinsics.Avx2_extract.t_Vec256) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.decompose gamma2 + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + low.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + high.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + in + let low:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { low with Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value = tmp0 } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + let high:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { high with Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value = tmp1 } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + let _:Prims.unit = () in + low, high + <: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)); + f_compute_hint_pre + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_compute_hint_post + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out2: (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & usize)) + -> + true); + f_compute_hint + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + let tmp0, out1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.compute_hint v_GAMMA2 + low.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + high.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + hint.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + in + let hint:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { hint with Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value = tmp0 } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + let hax_temp_output:usize = out1 in + hint, hax_temp_output <: (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & usize)); + f_use_hint_pre + = + (fun + (gamma2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_use_hint_post + = + (fun + (gamma2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_use_hint + = + (fun + (gamma2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + let hint:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + hint with + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.use_hint gamma2 + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + hint.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + hint); + f_rejection_sample_less_than_field_modulus_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_field_modulus_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_field_modulus + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.sample randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_2_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_2_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_2_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 2) randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_4_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_4_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_4_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 4) randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_gamma1_serialize_pre + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + -> + true); + f_gamma1_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + (out: t_Slice u8) + -> + true); + f_gamma1_serialize + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), + Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + serialized + gamma1_exponent + <: + (Prims.unit & t_Slice u8) + in + serialized); + f_gamma1_deserialize_pre + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (gamma1_exponent: usize) + -> + true); + f_gamma1_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (gamma1_exponent: usize) + (out1: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_gamma1_deserialize + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (gamma1_exponent: usize) + -> + let out:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + out with + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize serialized + out.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + gamma1_exponent + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + out); + f_commitment_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (serialized: t_Slice u8) -> true + ); + f_commitment_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (serialized: t_Slice u8) + (out: t_Slice u8) + -> + true); + f_commitment_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (serialized: t_Slice u8) -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), + Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.serialize simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); + f_error_serialize_pre + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (serialized: t_Slice u8) + -> + true); + f_error_serialize_post + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (serialized: t_Slice u8) + (out: t_Slice u8) + -> + true); + f_error_serialize + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (serialized: t_Slice u8) + -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize eta + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); + f_error_deserialize_pre + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_error_deserialize_post + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out1: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_error_deserialize + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + let out:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + out with + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize eta + serialized + out.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + out); + f_t0_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (out: t_Slice u8) -> true); + f_t0_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out: t_Slice u8) + (out1: t_Slice u8) + -> + true); + f_t0_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (out: t_Slice u8) -> + let out:t_Slice u8 = + Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.serialize simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + out + in + out); + f_t0_deserialize_pre + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) -> true); + f_t0_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out1: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_t0_deserialize + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) -> + let out:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + out with + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.deserialize serialized + out.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + out); + f_t1_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (out: t_Slice u8) -> true); + f_t1_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out: t_Slice u8) + (out1: t_Slice u8) + -> + true); + f_t1_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (out: t_Slice u8) -> + let out:t_Slice u8 = + Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.serialize simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + out + in + out); + f_t1_deserialize_pre + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) -> true); + f_t1_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (out1: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + -> + true); + f_t1_deserialize + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) -> + let out:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + out with + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.deserialize serialized + out.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + out); + f_ntt_pre + = + (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) -> true); + f_ntt_post + = + (fun + (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + (out: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + -> + true); + f_ntt + = + (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) -> + let simd_units:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = + Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt simd_units + in + simd_units); + f_invert_ntt_montgomery_pre + = + (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) -> true); + f_invert_ntt_montgomery_post + = + (fun + (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + (out: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) + -> + true); + f_invert_ntt_montgomery + = + fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) -> + let simd_units:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) = + Libcrux_ml_dsa.Simd.Avx2.Invntt.invert_ntt_montgomery simd_units + in + simd_units + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst new file mode 100644 index 000000000..b6dcd45d7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst @@ -0,0 +1,638 @@ +module Libcrux_ml_dsa.Simd.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable.Vector_type in + () + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations +Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + { + _super_13011033735201511749 = FStar.Tactics.Typeclasses.solve; + _super_9529721400157967266 = FStar.Tactics.Typeclasses.solve; + f_zero_pre = (fun (_: Prims.unit) -> true); + f_zero_post + = + (fun (_: Prims.unit) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -> true); + f_zero = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Portable.Vector_type.zero ()); + f_from_coefficient_array_pre + = + (fun (array: t_Slice i32) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -> true + ); + f_from_coefficient_array_post + = + (fun + (array: t_Slice i32) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_from_coefficient_array + = + (fun (array: t_Slice i32) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -> + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + (), Libcrux_ml_dsa.Simd.Portable.Vector_type.from_coefficient_array array out + <: + (Prims.unit & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + in + out); + f_to_coefficient_array_pre + = + (fun (value: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (out: t_Slice i32) -> true + ); + f_to_coefficient_array_post + = + (fun + (value: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out: t_Slice i32) + (out1: t_Slice i32) + -> + true); + f_to_coefficient_array + = + (fun (value: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (out: t_Slice i32) -> + let hax_temp_output, out:(Prims.unit & t_Slice i32) = + (), Libcrux_ml_dsa.Simd.Portable.Vector_type.to_coefficient_array value out + <: + (Prims.unit & t_Slice i32) + in + out); + f_add_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_add_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_add + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + let hax_temp_output, lhs:(Prims.unit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + (), Libcrux_ml_dsa.Simd.Portable.Arithmetic.add lhs rhs + <: + (Prims.unit & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + in + lhs); + f_subtract_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_subtract_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_subtract + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + let hax_temp_output, lhs:(Prims.unit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + (), Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract lhs rhs + <: + (Prims.unit & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + in + lhs); + f_montgomery_multiply_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_montgomery_multiply_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_montgomery_multiply + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply lhs rhs + in + lhs); + f_shift_left_then_reduce_pre + = + (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -> + true); + f_shift_left_then_reduce_post + = + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_shift_left_then_reduce + = + (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit + in + simd_unit); + f_power2round_pre + = + (fun + (t0: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (t1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_power2round_post + = + (fun + (t0: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (t1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)) + -> + true); + f_power2round + = + (fun + (t0: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (t1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + let tmp0, tmp1:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.power2round t0 t1 + in + let t0:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = tmp0 in + let t1:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = tmp1 in + let hax_temp_output:Prims.unit = () in + t0, t1 + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)); + f_infinity_norm_exceeds_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (bound: i32) -> true); + f_infinity_norm_exceeds_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (bound: i32) + (out: bool) + -> + true); + f_infinity_norm_exceeds + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (bound: i32) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.infinity_norm_exceeds simd_unit bound); + f_decompose_pre + = + (fun + (gamma2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_decompose_post + = + (fun + (gamma2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)) + -> + true); + f_decompose + = + (fun + (gamma2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + let tmp0, tmp1:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.decompose gamma2 simd_unit low high + in + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = tmp0 in + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = tmp1 in + let hax_temp_output:Prims.unit = () in + low, high + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)); + f_compute_hint_pre + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_compute_hint_post + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out2: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize)) + -> + true); + f_compute_hint + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + let tmp0, out1:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize) = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high hint + in + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = tmp0 in + let hax_temp_output:usize = out1 in + hint, hax_temp_output <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize)); + f_use_hint_pre + = + (fun + (gamma2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_use_hint_post + = + (fun + (gamma2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_use_hint + = + (fun + (gamma2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + let hax_temp_output, hint:(Prims.unit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + (), Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint gamma2 simd_unit hint + <: + (Prims.unit & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + in + hint); + f_rejection_sample_less_than_field_modulus_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_field_modulus_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_field_modulus + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_field_modulus randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_2_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_2_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_2_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_2_ randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_4_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_4_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_4_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_4_ randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_gamma1_serialize_pre + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + -> + true); + f_gamma1_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + (out: t_Slice u8) + -> + true); + f_gamma1_serialize + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize simd_unit + serialized + gamma1_exponent + <: + (Prims.unit & t_Slice u8) + in + serialized); + f_gamma1_deserialize_pre + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (gamma1_exponent: usize) + -> + true); + f_gamma1_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (gamma1_exponent: usize) + (out1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_gamma1_deserialize + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (gamma1_exponent: usize) + -> + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + (), + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.deserialize serialized out gamma1_exponent + <: + (Prims.unit & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + in + out); + f_commitment_serialize_pre + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + -> + true); + f_commitment_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + (out: t_Slice u8) + -> + true); + f_commitment_serialize + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize simd_unit serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); + f_error_serialize_pre + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + -> + true); + f_error_serialize_post + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + (out: t_Slice u8) + -> + true); + f_error_serialize + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize eta simd_unit serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); + f_error_deserialize_pre + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_error_deserialize_post + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_error_deserialize + = + (fun + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + Libcrux_ml_dsa.Simd.Portable.Encoding.Error.deserialize eta serialized out + in + out); + f_t0_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (out: t_Slice u8) -> + true); + f_t0_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out: t_Slice u8) + (out1: t_Slice u8) + -> + true); + f_t0_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (out: t_Slice u8) -> + let hax_temp_output, out:(Prims.unit & t_Slice u8) = + (), Libcrux_ml_dsa.Simd.Portable.Encoding.T0.serialize simd_unit out + <: + (Prims.unit & t_Slice u8) + in + out); + f_t0_deserialize_pre + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -> + true); + f_t0_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_t0_deserialize + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -> + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + (), Libcrux_ml_dsa.Simd.Portable.Encoding.T0.deserialize serialized out + <: + (Prims.unit & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + in + out); + f_t1_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (out: t_Slice u8) -> + true); + f_t1_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out: t_Slice u8) + (out1: t_Slice u8) + -> + true); + f_t1_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (out: t_Slice u8) -> + let out:t_Slice u8 = Libcrux_ml_dsa.Simd.Portable.Encoding.T1.serialize simd_unit out in + out); + f_t1_deserialize_pre + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -> + true); + f_t1_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (out1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + -> + true); + f_t1_deserialize + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -> + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + Libcrux_ml_dsa.Simd.Portable.Encoding.T1.deserialize serialized out + in + out); + f_ntt_pre + = + (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) -> + true); + f_ntt_post + = + (fun + (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + (out: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + -> + true); + f_ntt + = + (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) -> + let hax_temp_output, simd_units:(Prims.unit & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + (), Libcrux_ml_dsa.Simd.Portable.Ntt.ntt simd_units + <: + (Prims.unit & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + in + simd_units); + f_invert_ntt_montgomery_pre + = + (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) -> + true); + f_invert_ntt_montgomery_post + = + (fun + (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + (out: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + -> + true); + f_invert_ntt_montgomery + = + fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) -> + let hax_temp_output, simd_units:(Prims.unit & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + (), Libcrux_ml_dsa.Simd.Portable.Invntt.invert_ntt_montgomery simd_units + <: + (Prims.unit & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + in + simd_units + } From 69735312b7a996d3208cb5ff74bf5446369c991f Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 8 Jan 2025 12:31:42 +0000 Subject: [PATCH 53/58] mldsa: address some comments --- libcrux-ml-dsa/src/arithmetic.rs | 18 ++++++++-------- libcrux-ml-dsa/src/encoding/t1.rs | 21 +++++++++---------- .../src/encoding/verification_key.rs | 6 ++++-- libcrux-ml-dsa/src/ml_dsa_generic.rs | 7 ++----- libcrux-ml-dsa/src/simd/avx2.rs | 4 ++-- libcrux-ml-dsa/src/simd/avx2/arithmetic.rs | 10 +++------ libcrux-ml-dsa/src/simd/portable.rs | 7 ++++--- .../src/simd/portable/arithmetic.rs | 9 ++++---- libcrux-ml-dsa/src/simd/traits.rs | 2 +- 9 files changed, 40 insertions(+), 44 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index 4b2d14a7e..a86aa7752 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -13,9 +13,7 @@ pub(crate) fn vector_infinity_norm_exceeds( let mut result = false; cloop! { for ring_element in vector.iter() { - if !result && ring_element.infinity_norm_exceeds(bound) { - result = true; - } + result = result || ring_element.infinity_norm_exceeds(bound); } } @@ -70,19 +68,21 @@ pub(crate) fn decompose_vector( } #[inline(always)] -pub(crate) fn make_hint( - low: &[PolynomialRingElement; DIMENSION], - high: &[PolynomialRingElement; DIMENSION], - hint: &mut [[i32; COEFFICIENTS_IN_RING_ELEMENT]; DIMENSION], +pub(crate) fn make_hint( + low: &[PolynomialRingElement], + high: &[PolynomialRingElement], + gamma2: i32, + hint: &mut [[i32; COEFFICIENTS_IN_RING_ELEMENT]], ) -> usize { let mut true_hints = 0; let mut hint_simd = PolynomialRingElement::::zero(); - for i in 0..DIMENSION { + for i in 0..low.len() { for j in 0..hint_simd.simd_units.len() { - let one_hints_count = SIMDUnit::compute_hint::( + let one_hints_count = SIMDUnit::compute_hint( &low[i].simd_units[j], &high[i].simd_units[j], + gamma2, &mut hint_simd.simd_units[j], ); diff --git a/libcrux-ml-dsa/src/encoding/t1.rs b/libcrux-ml-dsa/src/encoding/t1.rs index 2af54926e..3ebc1e314 100644 --- a/libcrux-ml-dsa/src/encoding/t1.rs +++ b/libcrux-ml-dsa/src/encoding/t1.rs @@ -1,16 +1,12 @@ -use crate::{ - constants::RING_ELEMENT_OF_T1S_SIZE, helper::cloop, polynomial::PolynomialRingElement, - simd::traits::Operations, -}; +use crate::{helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations}; // Each coefficient takes up 10 bits. #[inline(always)] pub(crate) fn serialize( re: &PolynomialRingElement, -) -> [u8; RING_ELEMENT_OF_T1S_SIZE] { - let mut serialized = [0u8; RING_ELEMENT_OF_T1S_SIZE]; - + serialized: &mut [u8], // len RING_ELEMENT_OF_T1S_SIZE +) { const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 10; cloop! { @@ -18,8 +14,6 @@ pub(crate) fn serialize( SIMDUnit::t1_serialize(simd_unit, &mut serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]); } } - - serialized } pub(crate) fn deserialize( @@ -40,7 +34,10 @@ pub(crate) fn deserialize( mod tests { use super::*; - use crate::simd::{self, traits::Operations}; + use crate::{ + constants::RING_ELEMENT_OF_T1S_SIZE, + simd::{self, traits::Operations}, + }; fn test_serialize_generic() { let coefficients = [ @@ -83,7 +80,9 @@ mod tests { 122, ]; - assert_eq!(serialize::(&re), expected_bytes); + let mut result = [0u8; RING_ELEMENT_OF_T1S_SIZE]; + serialize::(&re, &mut result); + assert_eq!(result, expected_bytes); } fn test_deserialize_generic() { diff --git a/libcrux-ml-dsa/src/encoding/verification_key.rs b/libcrux-ml-dsa/src/encoding/verification_key.rs index 51e3905a0..1dd8043f9 100644 --- a/libcrux-ml-dsa/src/encoding/verification_key.rs +++ b/libcrux-ml-dsa/src/encoding/verification_key.rs @@ -17,8 +17,10 @@ pub(crate) fn generate_serialized( cloop! { for (i, ring_element) in t1.iter().enumerate() { let offset = SEED_FOR_A_SIZE + (i * RING_ELEMENT_OF_T1S_SIZE); - verification_key_serialized[offset..offset + RING_ELEMENT_OF_T1S_SIZE] - .copy_from_slice(&t1::serialize::(ring_element)); + t1::serialize::( + ring_element, + &mut verification_key_serialized[offset..offset + RING_ELEMENT_OF_T1S_SIZE], + ); } } // [hax] https://github.com/hacspec/hax/issues/720 diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index bfae816f9..c551fb69e 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -299,11 +299,8 @@ pub(crate) mod generic { } else { add_vectors::(ROWS_IN_A, &mut w0, &challenge_times_t0); let mut hint_candidate = [[0; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A]; - let ones_in_hint = make_hint::( - &w0, - &commitment, - &mut hint_candidate, - ); + let ones_in_hint = + make_hint::(&w0, &commitment, GAMMA2, &mut hint_candidate); if ones_in_hint > MAX_ONES_IN_HINT { // XXX: https://github.com/hacspec/hax/issues/1171 diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 12ff3e638..560b3fc24 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -65,8 +65,8 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn compute_hint(low: &Self, high: &Self, hint: &mut Self) -> usize { - arithmetic::compute_hint::(&low.value, &high.value, &mut hint.value) + fn compute_hint(low: &Self, high: &Self, gamma2: i32, hint: &mut Self) -> usize { + arithmetic::compute_hint(&low.value, &high.value, gamma2, &mut hint.value) } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs index ab18109ca..d41e21449 100644 --- a/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/avx2/arithmetic.rs @@ -180,13 +180,9 @@ pub(super) fn decompose(gamma2: Gamma2, r: &Vec256, r0: &mut Vec256, r1: &mut Ve } #[inline(always)] -pub(super) fn compute_hint( - low: &Vec256, - high: &Vec256, - hint: &mut Vec256, -) -> usize { - let gamma2 = mm256_set1_epi32(GAMMA2); - let minus_gamma2 = mm256_set1_epi32(-GAMMA2); +pub(super) fn compute_hint(low: &Vec256, high: &Vec256, gamma2: i32, hint: &mut Vec256) -> usize { + let minus_gamma2 = mm256_set1_epi32(-gamma2); + let gamma2 = mm256_set1_epi32(gamma2); let low_within_bound = mm256_cmpgt_epi32(mm256_abs_epi32(*low), gamma2); let low_equals_minus_gamma2 = mm256_cmpeq_epi32(*low, minus_gamma2); diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 9e90bd026..3cbeb1baf 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -57,12 +57,13 @@ impl Operations for Coefficients { arithmetic::decompose(gamma2, simd_unit, low, high) } - fn compute_hint( + fn compute_hint( low: &Coefficients, high: &Coefficients, - hint: &mut Self, + gamma2: i32, + hint: &mut Coefficients, ) -> usize { - arithmetic::compute_hint::(low, high, hint) + arithmetic::compute_hint(low, high, gamma2, hint) } fn use_hint(gamma2: Gamma2, simd_unit: &Coefficients, hint: &mut Coefficients) { diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index e2d2eb788..9e4df9a44 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -159,8 +159,8 @@ pub(super) fn shift_left_then_reduce(simd_unit: &mut Coeffi } #[inline(always)] -fn compute_one_hint(low: i32, high: i32) -> i32 { - if (low > GAMMA2) || (low < -GAMMA2) || (low == -GAMMA2 && high != 0) { +fn compute_one_hint(low: i32, high: i32, gamma2: i32) -> i32 { + if (low > gamma2) || (low < -gamma2) || (low == -gamma2 && high != 0) { 1 } else { 0 @@ -168,15 +168,16 @@ fn compute_one_hint(low: i32, high: i32) -> i32 { } #[inline(always)] -pub(super) fn compute_hint( +pub(super) fn compute_hint( low: &Coefficients, high: &Coefficients, + gamma2: i32, hint: &mut Coefficients, ) -> usize { let mut one_hints_count = 0; for i in 0..hint.values.len() { - hint.values[i] = compute_one_hint::(low.values[i], high.values[i]); + hint.values[i] = compute_one_hint(low.values[i], high.values[i], gamma2); one_hints_count += hint.values[i] as usize; } diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index e96b25d2a..f2af11ac5 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -27,7 +27,7 @@ pub(crate) trait Operations: Copy + Clone { fn subtract(lhs: &mut Self, rhs: &Self); fn infinity_norm_exceeds(simd_unit: &Self, bound: i32) -> bool; fn decompose(gamma2: Gamma2, simd_unit: &Self, low: &mut Self, high: &mut Self); - fn compute_hint(low: &Self, high: &Self, hint: &mut Self) -> usize; + fn compute_hint(low: &Self, high: &Self, gamma2: i32, hint: &mut Self) -> usize; fn use_hint(gamma2: Gamma2, simd_unit: &Self, hint: &mut Self); // Modular operations From a09987d066ac254dbc0e455cbc83aa5bbe096741 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 8 Jan 2025 12:37:39 +0000 Subject: [PATCH 54/58] rustfmt --- libcrux-ml-dsa/src/simd/avx2/invntt.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libcrux-ml-dsa/src/simd/avx2/invntt.rs b/libcrux-ml-dsa/src/simd/avx2/invntt.rs index 7c46fb206..f266992ac 100644 --- a/libcrux-ml-dsa/src/simd/avx2/invntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/invntt.rs @@ -297,8 +297,7 @@ fn outer_3_plus( value: mm256_add_epi32(re[j].value, re[j + STEP_BY].value), }; re[j + STEP_BY] = AVX2SIMDUnit { - value: arithmetic::montgomery_multiply_by_constant(a_minus_b - , ZETA), + value: arithmetic::montgomery_multiply_by_constant(a_minus_b, ZETA), }; } From 071b005c064e257ac26744f8ece052f63c500079 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 8 Jan 2025 12:58:03 +0000 Subject: [PATCH 55/58] mldsa: double return hax --- libcrux-ml-dsa/src/encoding/t1.rs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libcrux-ml-dsa/src/encoding/t1.rs b/libcrux-ml-dsa/src/encoding/t1.rs index 3ebc1e314..9de90bc62 100644 --- a/libcrux-ml-dsa/src/encoding/t1.rs +++ b/libcrux-ml-dsa/src/encoding/t1.rs @@ -14,6 +14,9 @@ pub(crate) fn serialize( SIMDUnit::t1_serialize(simd_unit, &mut serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT]); } } + + // [hax] https://github.com/hacspec/hax/issues/720 + () } pub(crate) fn deserialize( @@ -27,6 +30,8 @@ pub(crate) fn deserialize( &mut result.simd_units[i], ); } + + // [hax] https://github.com/hacspec/hax/issues/720 () } From df159eaa3261535ee464453ccc254dae4c7484b5 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 8 Jan 2025 12:58:13 +0000 Subject: [PATCH 56/58] updated C and F* extraction --- libcrux-ml-dsa/cg/code_gen.txt | 2 +- libcrux-ml-dsa/cg/header.txt | 2 +- libcrux-ml-dsa/cg/libcrux_core.h | 2 +- libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h | 156 +++++++------- libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h | 194 +++++++++--------- libcrux-ml-dsa/cg/libcrux_sha3_avx2.h | 2 +- libcrux-ml-dsa/cg/libcrux_sha3_portable.h | 2 +- .../extraction/Libcrux_ml_dsa.Arithmetic.fst | 40 ++-- .../extraction/Libcrux_ml_dsa.Arithmetic.fsti | 11 +- .../extraction/Libcrux_ml_dsa.Encoding.T1.fst | 11 +- .../Libcrux_ml_dsa.Encoding.T1.fsti | 3 +- ...bcrux_ml_dsa.Encoding.Verification_key.fst | 4 +- ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst | 9 +- ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst | 9 +- ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst | 9 +- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst | 14 +- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti | 5 +- .../extraction/Libcrux_ml_dsa.Simd.Avx2.fst | 11 +- ...ibcrux_ml_dsa.Simd.Portable.Arithmetic.fst | 17 +- ...bcrux_ml_dsa.Simd.Portable.Arithmetic.fsti | 7 +- .../Libcrux_ml_dsa.Simd.Portable.fst | 8 +- .../Libcrux_ml_dsa.Simd.Traits.fsti | 10 +- 22 files changed, 271 insertions(+), 257 deletions(-) diff --git a/libcrux-ml-dsa/cg/code_gen.txt b/libcrux-ml-dsa/cg/code_gen.txt index adf942008..cd247e7dd 100644 --- a/libcrux-ml-dsa/cg/code_gen.txt +++ b/libcrux-ml-dsa/cg/code_gen.txt @@ -3,4 +3,4 @@ Charon: 0de54092afb546bf53cd8261c79499f3cae2c24b Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b F*: b0961063393215ca65927f017720cb365a193833-dirty -Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 +Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 diff --git a/libcrux-ml-dsa/cg/header.txt b/libcrux-ml-dsa/cg/header.txt index 5eb58886c..e8ff5d358 100644 --- a/libcrux-ml-dsa/cg/header.txt +++ b/libcrux-ml-dsa/cg/header.txt @@ -8,5 +8,5 @@ * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 + * Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 */ diff --git a/libcrux-ml-dsa/cg/libcrux_core.h b/libcrux-ml-dsa/cg/libcrux_core.h index 56ede5059..4e74069fe 100644 --- a/libcrux-ml-dsa/cg/libcrux_core.h +++ b/libcrux-ml-dsa/cg/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 + * Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 */ #ifndef __libcrux_core_H diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h index 5cd50dc45..2ec0118b2 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 + * Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 */ #ifndef __libcrux_mldsa65_avx2_H @@ -517,6 +517,38 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_decompose_22( libcrux_ml_dsa_simd_avx2_arithmetic_decompose(gamma2, simd_unit, low, high); } +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t libcrux_ml_dsa_simd_avx2_arithmetic_compute_hint( + __m256i *low, __m256i *high, int32_t gamma2, __m256i *hint) { + __m256i minus_gamma2 = libcrux_intrinsics_avx2_mm256_set1_epi32(-gamma2); + __m256i gamma20 = libcrux_intrinsics_avx2_mm256_set1_epi32(gamma2); + __m256i low_within_bound = libcrux_intrinsics_avx2_mm256_cmpgt_epi32( + libcrux_intrinsics_avx2_mm256_abs_epi32(low[0U]), gamma20); + __m256i low_equals_minus_gamma2 = + libcrux_intrinsics_avx2_mm256_cmpeq_epi32(low[0U], minus_gamma2); + __m256i low_equals_minus_gamma2_and_high_is_nonzero = + libcrux_intrinsics_avx2_mm256_sign_epi32(low_equals_minus_gamma2, + high[0U]); + hint[0U] = libcrux_intrinsics_avx2_mm256_or_si256( + low_within_bound, low_equals_minus_gamma2_and_high_is_nonzero); + int32_t hints_mask = libcrux_intrinsics_avx2_mm256_movemask_ps( + libcrux_intrinsics_avx2_mm256_castsi256_ps(hint[0U])); + hint[0U] = libcrux_intrinsics_avx2_mm256_and_si256( + hint[0U], libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1)); + return (size_t)core_num__i32_2__count_ones(hints_mask); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t libcrux_ml_dsa_simd_avx2_compute_hint_22( + __m256i *low, __m256i *high, int32_t gamma2, __m256i *hint) { + return libcrux_ml_dsa_simd_avx2_arithmetic_compute_hint(low, high, gamma2, + hint); +} + typedef struct core_core_arch_x86___m256i_x2_s { __m256i fst; __m256i snd; @@ -4313,8 +4345,8 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_21( - libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *re, uint8_t ret[320U]) { - uint8_t serialized[320U] = {0U}; + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *re, + Eurydice_slice serialized) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)32U, re->simd_units, __m256i), @@ -4322,10 +4354,9 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_21( i++) { size_t i0 = i; __m256i *simd_unit = &re->simd_units[i0]; - __m256i *uu____0 = simd_unit; libcrux_ml_dsa_simd_avx2_t1_serialize_22( - uu____0, - Eurydice_array_to_subslice2( + simd_unit, + Eurydice_slice_subslice2( serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, @@ -4333,7 +4364,6 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_21( LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, uint8_t)); } - memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** @@ -4362,13 +4392,12 @@ libcrux_ml_dsa_encoding_verification_key_generate_serialized_21( libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *); size_t offset = LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE; - Eurydice_slice uu____0 = Eurydice_slice_subslice2( - verification_key_serialized, offset, - offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, uint8_t); - uint8_t ret[320U]; - libcrux_ml_dsa_encoding_t1_serialize_21(ring_element, ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); + libcrux_ml_dsa_encoding_t1_serialize_21( + ring_element, + Eurydice_slice_subslice2( + verification_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, + uint8_t)); } } @@ -5482,60 +5511,18 @@ libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_21(Eurydice_slice vector, vector, _cloop_j, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *); - if (!result) { - if (libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_21(ring_element, - bound)) { - result = true; - continue; - } + bool uu____0; + if (result) { + uu____0 = true; + } else { + uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_21( + ring_element, bound); } + result = uu____0; } return result; } -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.arithmetic.compute_hint -with const generics -- GAMMA2= 261888 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_avx2_arithmetic_compute_hint_80(__m256i *low, __m256i *high, - __m256i *hint) { - __m256i gamma2 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)261888); - __m256i minus_gamma2 = - libcrux_intrinsics_avx2_mm256_set1_epi32(-(int32_t)261888); - __m256i low_within_bound = libcrux_intrinsics_avx2_mm256_cmpgt_epi32( - libcrux_intrinsics_avx2_mm256_abs_epi32(low[0U]), gamma2); - __m256i low_equals_minus_gamma2 = - libcrux_intrinsics_avx2_mm256_cmpeq_epi32(low[0U], minus_gamma2); - __m256i low_equals_minus_gamma2_and_high_is_nonzero = - libcrux_intrinsics_avx2_mm256_sign_epi32(low_equals_minus_gamma2, - high[0U]); - hint[0U] = libcrux_intrinsics_avx2_mm256_or_si256( - low_within_bound, low_equals_minus_gamma2_and_high_is_nonzero); - int32_t hints_mask = libcrux_intrinsics_avx2_mm256_movemask_ps( - libcrux_intrinsics_avx2_mm256_castsi256_ps(hint[0U])); - hint[0U] = libcrux_intrinsics_avx2_mm256_and_si256( - hint[0U], libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1)); - return (size_t)core_num__i32_2__count_ones(hints_mask); -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::avx2::vector_type::Vec256)} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.simd.avx2.compute_hint_22 -with const generics -- GAMMA2= 261888 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t libcrux_ml_dsa_simd_avx2_compute_hint_22_80( - __m256i *low, __m256i *high, __m256i *hint) { - return libcrux_ml_dsa_simd_avx2_arithmetic_compute_hint_80(low, high, hint); -} - /** This function found in impl {libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, @@ -5575,18 +5562,19 @@ static inline void libcrux_ml_dsa_polynomial_to_i32_array_ff_21( A monomorphic instance of libcrux_ml_dsa.arithmetic.make_hint with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 with const generics -- DIMENSION= 6 -- GAMMA2= 261888 + */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t libcrux_ml_dsa_arithmetic_make_hint_d7( - libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *low, - libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *high, - int32_t (*hint)[256U]) { +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_arithmetic_make_hint_21(Eurydice_slice low, Eurydice_slice high, + int32_t gamma2, Eurydice_slice hint) { size_t true_hints = (size_t)0U; libcrux_ml_dsa_polynomial_PolynomialRingElement_4b hint_simd = libcrux_ml_dsa_polynomial_zero_ff_21(); - for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + low, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b); + i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; i < Eurydice_slice_len(Eurydice_array_to_slice( @@ -5594,14 +5582,22 @@ static KRML_MUSTINLINE size_t libcrux_ml_dsa_arithmetic_make_hint_d7( __m256i); i++) { size_t j = i; - size_t one_hints_count = libcrux_ml_dsa_simd_avx2_compute_hint_22_80( - &low[i1].simd_units[j], &high[i1].simd_units[j], - &hint_simd.simd_units[j]); + size_t one_hints_count = libcrux_ml_dsa_simd_avx2_compute_hint_22( + &Eurydice_slice_index( + low, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) + .simd_units[j], + &Eurydice_slice_index( + high, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *) + .simd_units[j], + gamma2, &hint_simd.simd_units[j]); true_hints = true_hints + one_hints_count; } int32_t uu____0[256U]; libcrux_ml_dsa_polynomial_to_i32_array_ff_21(&hint_simd, uu____0); - memcpy(hint[i1], uu____0, (size_t)256U * sizeof(int32_t)); + memcpy(Eurydice_slice_index(hint, i1, int32_t[256U], int32_t(*)[256U]), + uu____0, (size_t)256U * sizeof(int32_t)); } return true_hints; } @@ -5950,8 +5946,16 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_07( (size_t)6U, challenge_times_t0, libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); int32_t hint_candidate[6U][256U] = {{0U}}; - size_t ones_in_hint = libcrux_ml_dsa_arithmetic_make_hint_d7( - w0, commitment, hint_candidate); + size_t ones_in_hint = libcrux_ml_dsa_arithmetic_make_hint_21( + Eurydice_array_to_slice( + (size_t)6U, w0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + Eurydice_array_to_slice( + (size_t)6U, commitment, + libcrux_ml_dsa_polynomial_PolynomialRingElement_4b), + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA2, + Eurydice_array_to_slice((size_t)6U, hint_candidate, + int32_t[256U])); if (!(ones_in_hint > LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_MAX_ONES_IN_HINT)) { attempt = LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN; diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h index c0c85d238..5c1bec2a0 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h @@ -8,7 +8,7 @@ * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 + * Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 */ #ifndef __libcrux_mldsa65_portable_H @@ -1009,6 +1009,55 @@ static inline void libcrux_ml_dsa_simd_portable_decompose_e9( high); } +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_arithmetic_compute_one_hint(int32_t low, + int32_t high, + int32_t gamma2) { + if (!(low > gamma2)) { + if (!(low < -gamma2)) { + if (low == -gamma2) { + if (!(high != (int32_t)0)) { + return (int32_t)0; + } + } else { + return (int32_t)0; + } + } + } + return (int32_t)1; +} + +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_portable_arithmetic_compute_hint( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *low, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *high, int32_t gamma2, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *hint) { + size_t one_hints_count = (size_t)0U; + for (size_t i = (size_t)0U; + i < + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, hint->values, int32_t), int32_t); + i++) { + size_t i0 = i; + hint->values[i0] = libcrux_ml_dsa_simd_portable_arithmetic_compute_one_hint( + low->values[i0], high->values[i0], gamma2); + one_hints_count = one_hints_count + (size_t)hint->values[i0]; + } + return one_hints_count; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} +*/ +static inline size_t libcrux_ml_dsa_simd_portable_compute_hint_e9( + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *low, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *high, int32_t gamma2, + libcrux_ml_dsa_simd_portable_vector_type_Coefficients *hint) { + return libcrux_ml_dsa_simd_portable_arithmetic_compute_hint(low, high, gamma2, + hint); +} + static KRML_MUSTINLINE int32_t libcrux_ml_dsa_simd_portable_arithmetic_use_one_hint(int32_t gamma2, int32_t r, int32_t hint) { @@ -5348,8 +5397,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_5b( - libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *re, uint8_t ret[320U]) { - uint8_t serialized[320U] = {0U}; + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *re, + Eurydice_slice serialized) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( @@ -5360,10 +5409,9 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_5b( size_t i0 = i; libcrux_ml_dsa_simd_portable_vector_type_Coefficients *simd_unit = &re->simd_units[i0]; - libcrux_ml_dsa_simd_portable_vector_type_Coefficients *uu____0 = simd_unit; libcrux_ml_dsa_simd_portable_t1_serialize_e9( - uu____0, - Eurydice_array_to_subslice2( + simd_unit, + Eurydice_slice_subslice2( serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, @@ -5371,7 +5419,6 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_5b( LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, uint8_t)); } - memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** @@ -5399,13 +5446,12 @@ libcrux_ml_dsa_encoding_verification_key_generate_serialized_5b( libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *); size_t offset = LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE; - Eurydice_slice uu____0 = Eurydice_slice_subslice2( - verification_key_serialized, offset, - offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, uint8_t); - uint8_t ret[320U]; - libcrux_ml_dsa_encoding_t1_serialize_5b(ring_element, ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); + libcrux_ml_dsa_encoding_t1_serialize_5b( + ring_element, + Eurydice_slice_subslice2( + verification_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, + uint8_t)); } } @@ -6538,81 +6584,18 @@ libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_5b(Eurydice_slice vector, vector, _cloop_j, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *); - if (!result) { - if (libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_5b(ring_element, - bound)) { - result = true; - continue; - } + bool uu____0; + if (result) { + uu____0 = true; + } else { + uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_5b( + ring_element, bound); } + result = uu____0; } return result; } -/** -A monomorphic instance of -libcrux_ml_dsa.simd.portable.arithmetic.compute_one_hint with const generics -- GAMMA2= 261888 -*/ -static KRML_MUSTINLINE int32_t -libcrux_ml_dsa_simd_portable_arithmetic_compute_one_hint_80(int32_t low, - int32_t high) { - if (!(low > (int32_t)261888)) { - if (!(low < -(int32_t)261888)) { - if (low == -(int32_t)261888) { - if (!(high != (int32_t)0)) { - return (int32_t)0; - } - } else { - return (int32_t)0; - } - } - } - return (int32_t)1; -} - -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.compute_hint -with const generics -- GAMMA2= 261888 -*/ -static KRML_MUSTINLINE size_t -libcrux_ml_dsa_simd_portable_arithmetic_compute_hint_80( - libcrux_ml_dsa_simd_portable_vector_type_Coefficients *low, - libcrux_ml_dsa_simd_portable_vector_type_Coefficients *high, - libcrux_ml_dsa_simd_portable_vector_type_Coefficients *hint) { - size_t one_hints_count = (size_t)0U; - for (size_t i = (size_t)0U; - i < - Eurydice_slice_len( - Eurydice_array_to_slice((size_t)8U, hint->values, int32_t), int32_t); - i++) { - size_t i0 = i; - hint->values[i0] = - libcrux_ml_dsa_simd_portable_arithmetic_compute_one_hint_80( - low->values[i0], high->values[i0]); - one_hints_count = one_hints_count + (size_t)hint->values[i0]; - } - return one_hints_count; -} - -/** -This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for -libcrux_ml_dsa::simd::portable::vector_type::Coefficients)} -*/ -/** -A monomorphic instance of libcrux_ml_dsa.simd.portable.compute_hint_e9 -with const generics -- GAMMA2= 261888 -*/ -static inline size_t libcrux_ml_dsa_simd_portable_compute_hint_e9_80( - libcrux_ml_dsa_simd_portable_vector_type_Coefficients *low, - libcrux_ml_dsa_simd_portable_vector_type_Coefficients *high, - libcrux_ml_dsa_simd_portable_vector_type_Coefficients *hint) { - return libcrux_ml_dsa_simd_portable_arithmetic_compute_hint_80(low, high, - hint); -} - /** This function found in impl {libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, @@ -6654,17 +6637,18 @@ static inline void libcrux_ml_dsa_polynomial_to_i32_array_ff_5b( A monomorphic instance of libcrux_ml_dsa.arithmetic.make_hint with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients with const generics -- DIMENSION= 6 -- GAMMA2= 261888 + */ -static KRML_MUSTINLINE size_t libcrux_ml_dsa_arithmetic_make_hint_4a( - libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *low, - libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *high, - int32_t (*hint)[256U]) { +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_arithmetic_make_hint_5b(Eurydice_slice low, Eurydice_slice high, + int32_t gamma2, Eurydice_slice hint) { size_t true_hints = (size_t)0U; libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 hint_simd = libcrux_ml_dsa_polynomial_zero_ff_5b(); - for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + low, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8); + i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; i < Eurydice_slice_len( @@ -6674,14 +6658,22 @@ static KRML_MUSTINLINE size_t libcrux_ml_dsa_arithmetic_make_hint_4a( libcrux_ml_dsa_simd_portable_vector_type_Coefficients); i++) { size_t j = i; - size_t one_hints_count = libcrux_ml_dsa_simd_portable_compute_hint_e9_80( - &low[i1].simd_units[j], &high[i1].simd_units[j], - &hint_simd.simd_units[j]); + size_t one_hints_count = libcrux_ml_dsa_simd_portable_compute_hint_e9( + &Eurydice_slice_index( + low, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) + .simd_units[j], + &Eurydice_slice_index( + high, i1, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *) + .simd_units[j], + gamma2, &hint_simd.simd_units[j]); true_hints = true_hints + one_hints_count; } int32_t uu____0[256U]; libcrux_ml_dsa_polynomial_to_i32_array_ff_5b(&hint_simd, uu____0); - memcpy(hint[i1], uu____0, (size_t)256U * sizeof(int32_t)); + memcpy(Eurydice_slice_index(hint, i1, int32_t[256U], int32_t(*)[256U]), + uu____0, (size_t)256U * sizeof(int32_t)); } return true_hints; } @@ -7030,8 +7022,16 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_5a( (size_t)6U, challenge_times_t0, libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); int32_t hint_candidate[6U][256U] = {{0U}}; - size_t ones_in_hint = libcrux_ml_dsa_arithmetic_make_hint_4a( - w0, commitment, hint_candidate); + size_t ones_in_hint = libcrux_ml_dsa_arithmetic_make_hint_5b( + Eurydice_array_to_slice( + (size_t)6U, w0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + Eurydice_array_to_slice( + (size_t)6U, commitment, + libcrux_ml_dsa_polynomial_PolynomialRingElement_e8), + LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_GAMMA2, + Eurydice_array_to_slice((size_t)6U, hint_candidate, + int32_t[256U])); if (!(ones_in_hint > LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_MAX_ONES_IN_HINT)) { attempt = LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN; diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h index e17ad3b09..d3a25d7cc 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 + * Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h index e03133555..d3193b72c 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h @@ -8,7 +8,7 @@ * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: b895bda560d248ec1373c7ad6c27192090ff3311 + * Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 */ #ifndef __libcrux_sha3_portable_H diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst index 17457022f..f6d345f9d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst @@ -400,39 +400,35 @@ let vector_infinity_norm_exceeds let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = ring_element in - if - (~.result <: bool) && - (Libcrux_ml_dsa.Polynomial.impl__infinity_norm_exceeds #v_SIMDUnit ring_element bound - <: - bool) - then - let result:bool = true in - result - else result) + result || + (Libcrux_ml_dsa.Polynomial.impl__infinity_norm_exceeds #v_SIMDUnit ring_element bound + <: + bool)) in result let make_hint (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) - (v_GAMMA2: i32) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) + (low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (gamma2: i32) + (hint: t_Slice (t_Array i32 (sz 256))) = let true_hints:usize = sz 0 in let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () in - let hint, hint_simd, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & + let hint, hint_simd, true_hints:(t_Slice (t_Array i32 (sz 256)) & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) - v_DIMENSION + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) low + <: + usize) (fun temp_0_ temp_1_ -> - let hint, hint_simd, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & + let hint, hint_simd, true_hints:(t_Slice (t_Array i32 (sz 256)) & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = temp_0_ @@ -441,11 +437,11 @@ let make_hint true) (hint, hint_simd, true_hints <: - (t_Array (t_Array i32 (sz 256)) v_DIMENSION & + (t_Slice (t_Array i32 (sz 256)) & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) (fun temp_0_ i -> - let hint, hint_simd, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & + let hint, hint_simd, true_hints:(t_Slice (t_Array i32 (sz 256)) & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = temp_0_ @@ -479,7 +475,6 @@ let make_hint let tmp0, out:(v_SIMDUnit & usize) = Libcrux_ml_dsa.Simd.Traits.f_compute_hint #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - v_GAMMA2 ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: @@ -488,6 +483,7 @@ let make_hint .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + gamma2 (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) in let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = @@ -509,7 +505,7 @@ let make_hint <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) in - let hint:t_Array (t_Array i32 (sz 256)) v_DIMENSION = + let hint:t_Slice (t_Array i32 (sz 256)) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint i (Libcrux_ml_dsa.Polynomial.impl__to_i32_array #v_SIMDUnit hint_simd @@ -518,9 +514,9 @@ let make_hint in hint, hint_simd, true_hints <: - (t_Array (t_Array i32 (sz 256)) v_DIMENSION & + (t_Slice (t_Array i32 (sz 256)) & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) in let hax_temp_output:usize = true_hints in - hint, hax_temp_output <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) + hint, hax_temp_output <: (t_Slice (t_Array i32 (sz 256)) & usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti index dd98b1d77..5816dd136 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti @@ -59,11 +59,8 @@ val vector_infinity_norm_exceeds val make_hint (#v_SIMDUnit: Type0) - (v_DIMENSION: usize) - (v_GAMMA2: i32) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) - : Prims.Pure (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) - Prims.l_True - (fun _ -> Prims.l_True) + (low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (gamma2: i32) + (hint: t_Slice (t_Array i32 (sz 256))) + : Prims.Pure (t_Slice (t_Array i32 (sz 256)) & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst index faf046732..02ad5957d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst @@ -66,19 +66,19 @@ let serialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) = - let serialized:t_Array u8 (sz 320) = Rust_primitives.Hax.repeat 0uy (sz 320) in - let serialized:t_Array u8 (sz 320) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) (fun serialized temp_1_ -> - let serialized:t_Array u8 (sz 320) = serialized in + let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in true) serialized (fun serialized temp_1_ -> - let serialized:t_Array u8 (sz 320) = serialized in + let serialized:t_Slice u8 = serialized in let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ @@ -105,6 +105,7 @@ let serialize <: t_Slice u8) <: - t_Array u8 (sz 320)) + t_Slice u8) in + let hax_temp_output:Prims.unit = () <: Prims.unit in serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti index b1b59a0dc..26d77dadf 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti @@ -26,4 +26,5 @@ val serialize (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_Array u8 (sz 320)) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst index cb4c0cb30..2066af081 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst @@ -123,7 +123,8 @@ let generate_serialized } <: Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 + (Libcrux_ml_dsa.Encoding.T1.serialize #v_SIMDUnit + ring_element (verification_key_serialized.[ { Core.Ops.Range.f_start = offset; Core.Ops.Range.f_end @@ -134,7 +135,6 @@ let generate_serialized Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (Libcrux_ml_dsa.Encoding.T1.serialize #v_SIMDUnit ring_element <: t_Slice u8) <: t_Slice u8) in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst index b3f75d893..e040e5dac 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst @@ -820,10 +820,11 @@ let sign_internal in let tmp0, out:(t_Array (t_Array i32 (sz 256)) (sz 4) & usize) = Libcrux_ml_dsa.Arithmetic.make_hint #v_SIMDUnit - (sz 4) - 95232l - w0 - commitment + (w0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (commitment + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2 hint_candidate in let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 4) = tmp0 in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst index 0d0d24ae6..ff4ccf2a6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst @@ -820,10 +820,11 @@ let sign_internal in let tmp0, out:(t_Array (t_Array i32 (sz 256)) (sz 6) & usize) = Libcrux_ml_dsa.Arithmetic.make_hint #v_SIMDUnit - (sz 6) - 261888l - w0 - commitment + (w0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (commitment + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2 hint_candidate in let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 6) = tmp0 in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst index 4d3fae318..58dc92f1f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst @@ -822,10 +822,11 @@ let sign_internal in let tmp0, out:(t_Array (t_Array i32 (sz 256)) (sz 8) & usize) = Libcrux_ml_dsa.Arithmetic.make_hint #v_SIMDUnit - (sz 8) - 261888l - w0 - commitment + (w0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (commitment + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2 hint_candidate in let hint_candidate:t_Array (t_Array i32 (sz 256)) (sz 8) = tmp0 in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst index b1ecfa303..4b5f42cbb 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst @@ -11,12 +11,16 @@ let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = in lhs -let compute_hint (v_GAMMA2: i32) (low high hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_GAMMA2 - in +let compute_hint + (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (gamma2: i32) + (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) + = let minus_gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Core.Ops.Arith.Neg.neg gamma2 <: i32) + in + let gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 gamma2 in let low_within_bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti index d8830444f..c5dcffb2e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti @@ -6,7 +6,10 @@ open FStar.Mul val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val compute_hint (v_GAMMA2: i32) (low high hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val compute_hint + (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (gamma2: i32) + (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst index 58a3321e0..7fd8a989d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst @@ -307,18 +307,18 @@ let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations Libcrux_ml_dsa.Simd.Avx2.Vecto f_compute_hint_pre = (fun - (v_GAMMA2: i32) (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (gamma2: i32) (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) -> true); f_compute_hint_post = (fun - (v_GAMMA2: i32) (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (gamma2: i32) (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (out2: (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & usize)) -> @@ -326,15 +326,16 @@ let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations Libcrux_ml_dsa.Simd.Avx2.Vecto f_compute_hint = (fun - (v_GAMMA2: i32) (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + (gamma2: i32) (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) -> let tmp0, out1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize) = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.compute_hint v_GAMMA2 - low.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.compute_hint low + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value high.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + gamma2 hint.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value in let hint:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst index a10f7996f..58fdeb5e6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst @@ -3,10 +3,10 @@ module Libcrux_ml_dsa.Simd.Portable.Arithmetic open Core open FStar.Mul -let compute_one_hint (v_GAMMA2 low high: i32) = +let compute_one_hint (low high gamma2: i32) = if - low >. v_GAMMA2 || low <. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) || - low =. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) && high <>. 0l + low >. gamma2 || low <. (Core.Ops.Arith.Neg.neg gamma2 <: i32) || + low =. (Core.Ops.Arith.Neg.neg gamma2 <: i32) && high <>. 0l then 1l else 0l @@ -156,8 +156,9 @@ let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = lhs let compute_hint - (v_GAMMA2: i32) - (low high hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (gamma2: i32) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = let one_hints_count:usize = sz 0 in let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize) = @@ -188,9 +189,11 @@ let compute_hint Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values i - (compute_one_hint v_GAMMA2 - (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + (compute_one_hint (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] + <: + i32) (high.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + gamma2 <: i32) } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti index d0f35c5ba..afb9b56a4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti @@ -5,7 +5,7 @@ open FStar.Mul let v_MONTGOMERY_SHIFT: u8 = 32uy -val compute_one_hint (v_GAMMA2 low high: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) +val compute_one_hint (low high gamma2: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) val get_n_least_significant_bits (n: u8) (value: u64) : Prims.Pure u64 Prims.l_True (fun _ -> Prims.l_True) @@ -29,8 +29,9 @@ val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (fun _ -> Prims.l_True) val compute_hint - (v_GAMMA2: i32) - (low high hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (gamma2: i32) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) : Prims.Pure (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst index b6dcd45d7..1bdaefb89 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst @@ -255,18 +255,18 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = f_compute_hint_pre = (fun - (v_GAMMA2: i32) (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (gamma2: i32) (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -> true); f_compute_hint_post = (fun - (v_GAMMA2: i32) (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (gamma2: i32) (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (out2: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize)) -> @@ -274,13 +274,13 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = f_compute_hint = (fun - (v_GAMMA2: i32) (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (gamma2: i32) (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -> let tmp0, out1:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize) = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high hint + Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint low high gamma2 hint in let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = tmp0 in let hax_temp_output:usize = out1 in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti index ff8e6360b..b67afeff8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti @@ -41,12 +41,12 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure (v_Self & v_Self) (f_decompose_pre x0 x1 x2 x3) (fun result -> f_decompose_post x0 x1 x2 x3 result); - f_compute_hint_pre:v_GAMMA2: i32 -> v_Self -> v_Self -> v_Self -> Type0; - f_compute_hint_post:v_GAMMA2: i32 -> v_Self -> v_Self -> v_Self -> (v_Self & usize) -> Type0; - f_compute_hint:v_GAMMA2: i32 -> x0: v_Self -> x1: v_Self -> x2: v_Self + f_compute_hint_pre:v_Self -> v_Self -> i32 -> v_Self -> Type0; + f_compute_hint_post:v_Self -> v_Self -> i32 -> v_Self -> (v_Self & usize) -> Type0; + f_compute_hint:x0: v_Self -> x1: v_Self -> x2: i32 -> x3: v_Self -> Prims.Pure (v_Self & usize) - (f_compute_hint_pre v_GAMMA2 x0 x1 x2) - (fun result -> f_compute_hint_post v_GAMMA2 x0 x1 x2 result); + (f_compute_hint_pre x0 x1 x2 x3) + (fun result -> f_compute_hint_post x0 x1 x2 x3 result); f_use_hint_pre:i32 -> v_Self -> v_Self -> Type0; f_use_hint_post:i32 -> v_Self -> v_Self -> v_Self -> Type0; f_use_hint:x0: i32 -> x1: v_Self -> x2: v_Self From 66afce2b7d2b86febb97fb1fc5de2fbba7419d74 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 8 Jan 2025 13:42:01 +0000 Subject: [PATCH 57/58] don't use floating point xor on avx2 for now --- libcrux-intrinsics/src/avx2.rs | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/libcrux-intrinsics/src/avx2.rs b/libcrux-intrinsics/src/avx2.rs index aa9960271..9c419e557 100644 --- a/libcrux-intrinsics/src/avx2.rs +++ b/libcrux-intrinsics/src/avx2.rs @@ -361,12 +361,16 @@ pub fn mm256_xor_si256(lhs: Vec256, rhs: Vec256) -> Vec256 { // Local testing seems to indicate that it's a little more stable in // benchmarks though. // See https://stackoverflow.com/questions/27804476/difference-between-mm256-xor-si256-and-mm256-xor-ps - unsafe { - _mm256_castps_si256(_mm256_xor_ps( - _mm256_castsi256_ps(lhs), - _mm256_castsi256_ps(rhs), - )) - } + // + // However, using this pushes the doc test in ml-kem over the limit for + // stack size on Windows. + // unsafe { + // _mm256_castps_si256(_mm256_xor_ps( + // _mm256_castsi256_ps(lhs), + // _mm256_castsi256_ps(rhs), + // )) + // } + unsafe { _mm256_xor_si256(lhs, rhs) } } #[inline(always)] From 2173ec88b9152fbf1e12b09aff430e7d71e9a13d Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Thu, 9 Jan 2025 09:26:25 +0000 Subject: [PATCH 58/58] mldsa: mutable APIs --- libcrux-ml-dsa/cg/CMakeLists.txt | 1 + libcrux-ml-dsa/cg/code_gen.txt | 2 +- libcrux-ml-dsa/cg/header.txt | 2 +- libcrux-ml-dsa/cg/libcrux_core.h | 3357 ++++++++++++++++- libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h | 288 +- libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h | 272 +- libcrux-ml-dsa/cg/libcrux_sha3_avx2.h | 2 +- libcrux-ml-dsa/cg/libcrux_sha3_portable.h | 2 +- libcrux-ml-dsa/cg/tests/mldsa65.cc | 33 +- .../Libcrux_ml_dsa.Encoding.Signature.fst | 66 +- .../Libcrux_ml_dsa.Encoding.Signature.fsti | 3 + .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst | 24 + .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti | 14 + .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst | 24 + .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti | 14 + .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst | 24 + .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti | 14 + .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst | 35 + .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti | 21 + .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst | 35 + .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti | 21 + .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst | 35 + .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti | 21 + .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst | 24 + .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti | 14 + .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst | 24 + .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti | 14 + .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst | 24 + .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti | 14 + ...generic.Instantiations.Avx2.Ml_dsa_44_.fst | 38 + ...eneric.Instantiations.Avx2.Ml_dsa_44_.fsti | 21 + ...generic.Instantiations.Avx2.Ml_dsa_65_.fst | 38 + ...eneric.Instantiations.Avx2.Ml_dsa_65_.fsti | 21 + ...generic.Instantiations.Avx2.Ml_dsa_87_.fst | 38 + ...eneric.Instantiations.Avx2.Ml_dsa_87_.fsti | 21 + ...generic.Instantiations.Neon.Ml_dsa_44_.fst | 21 + ...eneric.Instantiations.Neon.Ml_dsa_44_.fsti | 11 + ...generic.Instantiations.Neon.Ml_dsa_65_.fst | 21 + ...eneric.Instantiations.Neon.Ml_dsa_65_.fsti | 11 + ...generic.Instantiations.Neon.Ml_dsa_87_.fst | 21 + ...eneric.Instantiations.Neon.Ml_dsa_87_.fsti | 11 + ...ric.Instantiations.Portable.Ml_dsa_44_.fst | 22 + ...ic.Instantiations.Portable.Ml_dsa_44_.fsti | 11 + ...ric.Instantiations.Portable.Ml_dsa_65_.fst | 22 + ...ic.Instantiations.Portable.Ml_dsa_65_.fsti | 11 + ...ric.Instantiations.Portable.Ml_dsa_87_.fst | 22 + ...ic.Instantiations.Portable.Ml_dsa_87_.fsti | 11 + ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst | 225 +- ...crux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti | 42 +- ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst | 225 +- ...crux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti | 42 +- ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst | 225 +- ...crux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti | 42 +- libcrux-ml-dsa/src/encoding/signature.rs | 17 +- libcrux-ml-dsa/src/ml_dsa_44.rs | 21 + libcrux-ml-dsa/src/ml_dsa_65.rs | 34 + libcrux-ml-dsa/src/ml_dsa_87.rs | 21 + libcrux-ml-dsa/src/ml_dsa_generic.rs | 97 +- .../src/ml_dsa_generic/instantiations.rs | 24 +- .../src/ml_dsa_generic/instantiations/avx2.rs | 45 +- 60 files changed, 5484 insertions(+), 372 deletions(-) diff --git a/libcrux-ml-dsa/cg/CMakeLists.txt b/libcrux-ml-dsa/cg/CMakeLists.txt index 8460674da..147d092a3 100644 --- a/libcrux-ml-dsa/cg/CMakeLists.txt +++ b/libcrux-ml-dsa/cg/CMakeLists.txt @@ -19,6 +19,7 @@ if(NOT MSVC) -fstack-usage -Wunused-function # -Wno-unused-function + -Wno-unused-variable $<$:-g> $<$:-Og> $<$:-g> diff --git a/libcrux-ml-dsa/cg/code_gen.txt b/libcrux-ml-dsa/cg/code_gen.txt index cd247e7dd..f2323957e 100644 --- a/libcrux-ml-dsa/cg/code_gen.txt +++ b/libcrux-ml-dsa/cg/code_gen.txt @@ -3,4 +3,4 @@ Charon: 0de54092afb546bf53cd8261c79499f3cae2c24b Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b F*: b0961063393215ca65927f017720cb365a193833-dirty -Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 +Libcrux: 66afce2b7d2b86febb97fb1fc5de2fbba7419d74 diff --git a/libcrux-ml-dsa/cg/header.txt b/libcrux-ml-dsa/cg/header.txt index e8ff5d358..635d52cd8 100644 --- a/libcrux-ml-dsa/cg/header.txt +++ b/libcrux-ml-dsa/cg/header.txt @@ -8,5 +8,5 @@ * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 + * Libcrux: 66afce2b7d2b86febb97fb1fc5de2fbba7419d74 */ diff --git a/libcrux-ml-dsa/cg/libcrux_core.h b/libcrux-ml-dsa/cg/libcrux_core.h index 4e74069fe..e3d7b8766 100644 --- a/libcrux-ml-dsa/cg/libcrux_core.h +++ b/libcrux-ml-dsa/cg/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 + * Libcrux: 66afce2b7d2b86febb97fb1fc5de2fbba7419d74 */ #ifndef __libcrux_core_H @@ -153,6 +153,25 @@ static inline uint8_t *libcrux_ml_dsa_types_as_ref_9b_09( return self->value; } +#define libcrux_ml_dsa_types_SigningError_RejectionSamplingError 0 +#define libcrux_ml_dsa_types_SigningError_ContextTooLongError 1 + +typedef uint8_t libcrux_ml_dsa_types_SigningError; + +/** +A monomorphic instance of core.result.Result +with types libcrux_ml_dsa_types_MLDSASignature[[$3309size_t]], +libcrux_ml_dsa_types_SigningError + +*/ +typedef struct Result_2e_s { + Result_a9_tags tag; + union { + libcrux_ml_dsa_types_MLDSASignature_8f case_Ok; + libcrux_ml_dsa_types_SigningError case_Err; + } val; +} Result_2e; + /** A monomorphic instance of core.option.Option with types int32_t[256size_t][6size_t] @@ -173,43 +192,3339 @@ typedef struct Option_67_s { uint8_t f0[48U]; } Option_67; -#define libcrux_ml_dsa_types_SigningError_RejectionSamplingError 0 -#define libcrux_ml_dsa_types_SigningError_ContextTooLongError 1 - -typedef uint8_t libcrux_ml_dsa_types_SigningError; - /** A monomorphic instance of core.result.Result -with types libcrux_ml_dsa_types_MLDSASignature[[$3309size_t]], -libcrux_ml_dsa_types_SigningError +with types (), libcrux_ml_dsa_types_SigningError */ -typedef struct Result_2e_s { +typedef struct Result_53_s { Result_a9_tags tag; - union { - libcrux_ml_dsa_types_MLDSASignature_8f case_Ok; - libcrux_ml_dsa_types_SigningError case_Err; - } val; -} Result_2e; + libcrux_ml_dsa_types_SigningError f0; +} Result_53; /** - Build + Init with zero */ /** This function found in impl {libcrux_ml_dsa::types::MLDSASignature#4} */ /** -A monomorphic instance of libcrux_ml_dsa.types.new_8f +A monomorphic instance of libcrux_ml_dsa.types.zero_8f with const generics - SIZE= 3309 */ static inline libcrux_ml_dsa_types_MLDSASignature_8f -libcrux_ml_dsa_types_new_8f_fa(uint8_t value[3309U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_value[3309U]; - memcpy(copy_of_value, value, (size_t)3309U * sizeof(uint8_t)); +libcrux_ml_dsa_types_zero_8f_fa(void) { libcrux_ml_dsa_types_MLDSASignature_8f lit; - memcpy(lit.value, copy_of_value, (size_t)3309U * sizeof(uint8_t)); + lit.value[0U] = 0U; + lit.value[1U] = 0U; + lit.value[2U] = 0U; + lit.value[3U] = 0U; + lit.value[4U] = 0U; + lit.value[5U] = 0U; + lit.value[6U] = 0U; + lit.value[7U] = 0U; + lit.value[8U] = 0U; + lit.value[9U] = 0U; + lit.value[10U] = 0U; + lit.value[11U] = 0U; + lit.value[12U] = 0U; + lit.value[13U] = 0U; + lit.value[14U] = 0U; + lit.value[15U] = 0U; + lit.value[16U] = 0U; + lit.value[17U] = 0U; + lit.value[18U] = 0U; + lit.value[19U] = 0U; + lit.value[20U] = 0U; + lit.value[21U] = 0U; + lit.value[22U] = 0U; + lit.value[23U] = 0U; + lit.value[24U] = 0U; + lit.value[25U] = 0U; + lit.value[26U] = 0U; + lit.value[27U] = 0U; + lit.value[28U] = 0U; + lit.value[29U] = 0U; + lit.value[30U] = 0U; + lit.value[31U] = 0U; + lit.value[32U] = 0U; + lit.value[33U] = 0U; + lit.value[34U] = 0U; + lit.value[35U] = 0U; + lit.value[36U] = 0U; + lit.value[37U] = 0U; + lit.value[38U] = 0U; + lit.value[39U] = 0U; + lit.value[40U] = 0U; + lit.value[41U] = 0U; + lit.value[42U] = 0U; + lit.value[43U] = 0U; + lit.value[44U] = 0U; + lit.value[45U] = 0U; + lit.value[46U] = 0U; + lit.value[47U] = 0U; + lit.value[48U] = 0U; + lit.value[49U] = 0U; + lit.value[50U] = 0U; + lit.value[51U] = 0U; + lit.value[52U] = 0U; + lit.value[53U] = 0U; + lit.value[54U] = 0U; + lit.value[55U] = 0U; + lit.value[56U] = 0U; + lit.value[57U] = 0U; + lit.value[58U] = 0U; + lit.value[59U] = 0U; + lit.value[60U] = 0U; + lit.value[61U] = 0U; + lit.value[62U] = 0U; + lit.value[63U] = 0U; + lit.value[64U] = 0U; + lit.value[65U] = 0U; + lit.value[66U] = 0U; + lit.value[67U] = 0U; + lit.value[68U] = 0U; + lit.value[69U] = 0U; + lit.value[70U] = 0U; + lit.value[71U] = 0U; + lit.value[72U] = 0U; + lit.value[73U] = 0U; + lit.value[74U] = 0U; + lit.value[75U] = 0U; + lit.value[76U] = 0U; + lit.value[77U] = 0U; + lit.value[78U] = 0U; + lit.value[79U] = 0U; + lit.value[80U] = 0U; + lit.value[81U] = 0U; + lit.value[82U] = 0U; + lit.value[83U] = 0U; + lit.value[84U] = 0U; + lit.value[85U] = 0U; + lit.value[86U] = 0U; + lit.value[87U] = 0U; + lit.value[88U] = 0U; + lit.value[89U] = 0U; + lit.value[90U] = 0U; + lit.value[91U] = 0U; + lit.value[92U] = 0U; + lit.value[93U] = 0U; + lit.value[94U] = 0U; + lit.value[95U] = 0U; + lit.value[96U] = 0U; + lit.value[97U] = 0U; + lit.value[98U] = 0U; + lit.value[99U] = 0U; + lit.value[100U] = 0U; + lit.value[101U] = 0U; + lit.value[102U] = 0U; + lit.value[103U] = 0U; + lit.value[104U] = 0U; + lit.value[105U] = 0U; + lit.value[106U] = 0U; + lit.value[107U] = 0U; + lit.value[108U] = 0U; + lit.value[109U] = 0U; + lit.value[110U] = 0U; + lit.value[111U] = 0U; + lit.value[112U] = 0U; + lit.value[113U] = 0U; + lit.value[114U] = 0U; + lit.value[115U] = 0U; + lit.value[116U] = 0U; + lit.value[117U] = 0U; + lit.value[118U] = 0U; + lit.value[119U] = 0U; + lit.value[120U] = 0U; + lit.value[121U] = 0U; + lit.value[122U] = 0U; + lit.value[123U] = 0U; + lit.value[124U] = 0U; + lit.value[125U] = 0U; + lit.value[126U] = 0U; + lit.value[127U] = 0U; + lit.value[128U] = 0U; + lit.value[129U] = 0U; + lit.value[130U] = 0U; + lit.value[131U] = 0U; + lit.value[132U] = 0U; + lit.value[133U] = 0U; + lit.value[134U] = 0U; + lit.value[135U] = 0U; + lit.value[136U] = 0U; + lit.value[137U] = 0U; + lit.value[138U] = 0U; + lit.value[139U] = 0U; + lit.value[140U] = 0U; + lit.value[141U] = 0U; + lit.value[142U] = 0U; + lit.value[143U] = 0U; + lit.value[144U] = 0U; + lit.value[145U] = 0U; + lit.value[146U] = 0U; + lit.value[147U] = 0U; + lit.value[148U] = 0U; + lit.value[149U] = 0U; + lit.value[150U] = 0U; + lit.value[151U] = 0U; + lit.value[152U] = 0U; + lit.value[153U] = 0U; + lit.value[154U] = 0U; + lit.value[155U] = 0U; + lit.value[156U] = 0U; + lit.value[157U] = 0U; + lit.value[158U] = 0U; + lit.value[159U] = 0U; + lit.value[160U] = 0U; + lit.value[161U] = 0U; + lit.value[162U] = 0U; + lit.value[163U] = 0U; + lit.value[164U] = 0U; + lit.value[165U] = 0U; + lit.value[166U] = 0U; + lit.value[167U] = 0U; + lit.value[168U] = 0U; + lit.value[169U] = 0U; + lit.value[170U] = 0U; + lit.value[171U] = 0U; + lit.value[172U] = 0U; + lit.value[173U] = 0U; + lit.value[174U] = 0U; + lit.value[175U] = 0U; + lit.value[176U] = 0U; + lit.value[177U] = 0U; + lit.value[178U] = 0U; + lit.value[179U] = 0U; + lit.value[180U] = 0U; + lit.value[181U] = 0U; + lit.value[182U] = 0U; + lit.value[183U] = 0U; + lit.value[184U] = 0U; + lit.value[185U] = 0U; + lit.value[186U] = 0U; + lit.value[187U] = 0U; + lit.value[188U] = 0U; + lit.value[189U] = 0U; + lit.value[190U] = 0U; + lit.value[191U] = 0U; + lit.value[192U] = 0U; + lit.value[193U] = 0U; + lit.value[194U] = 0U; + lit.value[195U] = 0U; + lit.value[196U] = 0U; + lit.value[197U] = 0U; + lit.value[198U] = 0U; + lit.value[199U] = 0U; + lit.value[200U] = 0U; + lit.value[201U] = 0U; + lit.value[202U] = 0U; + lit.value[203U] = 0U; + lit.value[204U] = 0U; + lit.value[205U] = 0U; + lit.value[206U] = 0U; + lit.value[207U] = 0U; + lit.value[208U] = 0U; + lit.value[209U] = 0U; + lit.value[210U] = 0U; + lit.value[211U] = 0U; + lit.value[212U] = 0U; + lit.value[213U] = 0U; + lit.value[214U] = 0U; + lit.value[215U] = 0U; + lit.value[216U] = 0U; + lit.value[217U] = 0U; + lit.value[218U] = 0U; + lit.value[219U] = 0U; + lit.value[220U] = 0U; + lit.value[221U] = 0U; + lit.value[222U] = 0U; + lit.value[223U] = 0U; + lit.value[224U] = 0U; + lit.value[225U] = 0U; + lit.value[226U] = 0U; + lit.value[227U] = 0U; + lit.value[228U] = 0U; + lit.value[229U] = 0U; + lit.value[230U] = 0U; + lit.value[231U] = 0U; + lit.value[232U] = 0U; + lit.value[233U] = 0U; + lit.value[234U] = 0U; + lit.value[235U] = 0U; + lit.value[236U] = 0U; + lit.value[237U] = 0U; + lit.value[238U] = 0U; + lit.value[239U] = 0U; + lit.value[240U] = 0U; + lit.value[241U] = 0U; + lit.value[242U] = 0U; + lit.value[243U] = 0U; + lit.value[244U] = 0U; + lit.value[245U] = 0U; + lit.value[246U] = 0U; + lit.value[247U] = 0U; + lit.value[248U] = 0U; + lit.value[249U] = 0U; + lit.value[250U] = 0U; + lit.value[251U] = 0U; + lit.value[252U] = 0U; + lit.value[253U] = 0U; + lit.value[254U] = 0U; + lit.value[255U] = 0U; + lit.value[256U] = 0U; + lit.value[257U] = 0U; + lit.value[258U] = 0U; + lit.value[259U] = 0U; + lit.value[260U] = 0U; + lit.value[261U] = 0U; + lit.value[262U] = 0U; + lit.value[263U] = 0U; + lit.value[264U] = 0U; + lit.value[265U] = 0U; + lit.value[266U] = 0U; + lit.value[267U] = 0U; + lit.value[268U] = 0U; + lit.value[269U] = 0U; + lit.value[270U] = 0U; + lit.value[271U] = 0U; + lit.value[272U] = 0U; + lit.value[273U] = 0U; + lit.value[274U] = 0U; + lit.value[275U] = 0U; + lit.value[276U] = 0U; + lit.value[277U] = 0U; + lit.value[278U] = 0U; + lit.value[279U] = 0U; + lit.value[280U] = 0U; + lit.value[281U] = 0U; + lit.value[282U] = 0U; + lit.value[283U] = 0U; + lit.value[284U] = 0U; + lit.value[285U] = 0U; + lit.value[286U] = 0U; + lit.value[287U] = 0U; + lit.value[288U] = 0U; + lit.value[289U] = 0U; + lit.value[290U] = 0U; + lit.value[291U] = 0U; + lit.value[292U] = 0U; + lit.value[293U] = 0U; + lit.value[294U] = 0U; + lit.value[295U] = 0U; + lit.value[296U] = 0U; + lit.value[297U] = 0U; + lit.value[298U] = 0U; + lit.value[299U] = 0U; + lit.value[300U] = 0U; + lit.value[301U] = 0U; + lit.value[302U] = 0U; + lit.value[303U] = 0U; + lit.value[304U] = 0U; + lit.value[305U] = 0U; + lit.value[306U] = 0U; + lit.value[307U] = 0U; + lit.value[308U] = 0U; + lit.value[309U] = 0U; + lit.value[310U] = 0U; + lit.value[311U] = 0U; + lit.value[312U] = 0U; + lit.value[313U] = 0U; + lit.value[314U] = 0U; + lit.value[315U] = 0U; + lit.value[316U] = 0U; + lit.value[317U] = 0U; + lit.value[318U] = 0U; + lit.value[319U] = 0U; + lit.value[320U] = 0U; + lit.value[321U] = 0U; + lit.value[322U] = 0U; + lit.value[323U] = 0U; + lit.value[324U] = 0U; + lit.value[325U] = 0U; + lit.value[326U] = 0U; + lit.value[327U] = 0U; + lit.value[328U] = 0U; + lit.value[329U] = 0U; + lit.value[330U] = 0U; + lit.value[331U] = 0U; + lit.value[332U] = 0U; + lit.value[333U] = 0U; + lit.value[334U] = 0U; + lit.value[335U] = 0U; + lit.value[336U] = 0U; + lit.value[337U] = 0U; + lit.value[338U] = 0U; + lit.value[339U] = 0U; + lit.value[340U] = 0U; + lit.value[341U] = 0U; + lit.value[342U] = 0U; + lit.value[343U] = 0U; + lit.value[344U] = 0U; + lit.value[345U] = 0U; + lit.value[346U] = 0U; + lit.value[347U] = 0U; + lit.value[348U] = 0U; + lit.value[349U] = 0U; + lit.value[350U] = 0U; + lit.value[351U] = 0U; + lit.value[352U] = 0U; + lit.value[353U] = 0U; + lit.value[354U] = 0U; + lit.value[355U] = 0U; + lit.value[356U] = 0U; + lit.value[357U] = 0U; + lit.value[358U] = 0U; + lit.value[359U] = 0U; + lit.value[360U] = 0U; + lit.value[361U] = 0U; + lit.value[362U] = 0U; + lit.value[363U] = 0U; + lit.value[364U] = 0U; + lit.value[365U] = 0U; + lit.value[366U] = 0U; + lit.value[367U] = 0U; + lit.value[368U] = 0U; + lit.value[369U] = 0U; + lit.value[370U] = 0U; + lit.value[371U] = 0U; + lit.value[372U] = 0U; + lit.value[373U] = 0U; + lit.value[374U] = 0U; + lit.value[375U] = 0U; + lit.value[376U] = 0U; + lit.value[377U] = 0U; + lit.value[378U] = 0U; + lit.value[379U] = 0U; + lit.value[380U] = 0U; + lit.value[381U] = 0U; + lit.value[382U] = 0U; + lit.value[383U] = 0U; + lit.value[384U] = 0U; + lit.value[385U] = 0U; + lit.value[386U] = 0U; + lit.value[387U] = 0U; + lit.value[388U] = 0U; + lit.value[389U] = 0U; + lit.value[390U] = 0U; + lit.value[391U] = 0U; + lit.value[392U] = 0U; + lit.value[393U] = 0U; + lit.value[394U] = 0U; + lit.value[395U] = 0U; + lit.value[396U] = 0U; + lit.value[397U] = 0U; + lit.value[398U] = 0U; + lit.value[399U] = 0U; + lit.value[400U] = 0U; + lit.value[401U] = 0U; + lit.value[402U] = 0U; + lit.value[403U] = 0U; + lit.value[404U] = 0U; + lit.value[405U] = 0U; + lit.value[406U] = 0U; + lit.value[407U] = 0U; + lit.value[408U] = 0U; + lit.value[409U] = 0U; + lit.value[410U] = 0U; + lit.value[411U] = 0U; + lit.value[412U] = 0U; + lit.value[413U] = 0U; + lit.value[414U] = 0U; + lit.value[415U] = 0U; + lit.value[416U] = 0U; + lit.value[417U] = 0U; + lit.value[418U] = 0U; + lit.value[419U] = 0U; + lit.value[420U] = 0U; + lit.value[421U] = 0U; + lit.value[422U] = 0U; + lit.value[423U] = 0U; + lit.value[424U] = 0U; + lit.value[425U] = 0U; + lit.value[426U] = 0U; + lit.value[427U] = 0U; + lit.value[428U] = 0U; + lit.value[429U] = 0U; + lit.value[430U] = 0U; + lit.value[431U] = 0U; + lit.value[432U] = 0U; + lit.value[433U] = 0U; + lit.value[434U] = 0U; + lit.value[435U] = 0U; + lit.value[436U] = 0U; + lit.value[437U] = 0U; + lit.value[438U] = 0U; + lit.value[439U] = 0U; + lit.value[440U] = 0U; + lit.value[441U] = 0U; + lit.value[442U] = 0U; + lit.value[443U] = 0U; + lit.value[444U] = 0U; + lit.value[445U] = 0U; + lit.value[446U] = 0U; + lit.value[447U] = 0U; + lit.value[448U] = 0U; + lit.value[449U] = 0U; + lit.value[450U] = 0U; + lit.value[451U] = 0U; + lit.value[452U] = 0U; + lit.value[453U] = 0U; + lit.value[454U] = 0U; + lit.value[455U] = 0U; + lit.value[456U] = 0U; + lit.value[457U] = 0U; + lit.value[458U] = 0U; + lit.value[459U] = 0U; + lit.value[460U] = 0U; + lit.value[461U] = 0U; + lit.value[462U] = 0U; + lit.value[463U] = 0U; + lit.value[464U] = 0U; + lit.value[465U] = 0U; + lit.value[466U] = 0U; + lit.value[467U] = 0U; + lit.value[468U] = 0U; + lit.value[469U] = 0U; + lit.value[470U] = 0U; + lit.value[471U] = 0U; + lit.value[472U] = 0U; + lit.value[473U] = 0U; + lit.value[474U] = 0U; + lit.value[475U] = 0U; + lit.value[476U] = 0U; + lit.value[477U] = 0U; + lit.value[478U] = 0U; + lit.value[479U] = 0U; + lit.value[480U] = 0U; + lit.value[481U] = 0U; + lit.value[482U] = 0U; + lit.value[483U] = 0U; + lit.value[484U] = 0U; + lit.value[485U] = 0U; + lit.value[486U] = 0U; + lit.value[487U] = 0U; + lit.value[488U] = 0U; + lit.value[489U] = 0U; + lit.value[490U] = 0U; + lit.value[491U] = 0U; + lit.value[492U] = 0U; + lit.value[493U] = 0U; + lit.value[494U] = 0U; + lit.value[495U] = 0U; + lit.value[496U] = 0U; + lit.value[497U] = 0U; + lit.value[498U] = 0U; + lit.value[499U] = 0U; + lit.value[500U] = 0U; + lit.value[501U] = 0U; + lit.value[502U] = 0U; + lit.value[503U] = 0U; + lit.value[504U] = 0U; + lit.value[505U] = 0U; + lit.value[506U] = 0U; + lit.value[507U] = 0U; + lit.value[508U] = 0U; + lit.value[509U] = 0U; + lit.value[510U] = 0U; + lit.value[511U] = 0U; + lit.value[512U] = 0U; + lit.value[513U] = 0U; + lit.value[514U] = 0U; + lit.value[515U] = 0U; + lit.value[516U] = 0U; + lit.value[517U] = 0U; + lit.value[518U] = 0U; + lit.value[519U] = 0U; + lit.value[520U] = 0U; + lit.value[521U] = 0U; + lit.value[522U] = 0U; + lit.value[523U] = 0U; + lit.value[524U] = 0U; + lit.value[525U] = 0U; + lit.value[526U] = 0U; + lit.value[527U] = 0U; + lit.value[528U] = 0U; + lit.value[529U] = 0U; + lit.value[530U] = 0U; + lit.value[531U] = 0U; + lit.value[532U] = 0U; + lit.value[533U] = 0U; + lit.value[534U] = 0U; + lit.value[535U] = 0U; + lit.value[536U] = 0U; + lit.value[537U] = 0U; + lit.value[538U] = 0U; + lit.value[539U] = 0U; + lit.value[540U] = 0U; + lit.value[541U] = 0U; + lit.value[542U] = 0U; + lit.value[543U] = 0U; + lit.value[544U] = 0U; + lit.value[545U] = 0U; + lit.value[546U] = 0U; + lit.value[547U] = 0U; + lit.value[548U] = 0U; + lit.value[549U] = 0U; + lit.value[550U] = 0U; + lit.value[551U] = 0U; + lit.value[552U] = 0U; + lit.value[553U] = 0U; + lit.value[554U] = 0U; + lit.value[555U] = 0U; + lit.value[556U] = 0U; + lit.value[557U] = 0U; + lit.value[558U] = 0U; + lit.value[559U] = 0U; + lit.value[560U] = 0U; + lit.value[561U] = 0U; + lit.value[562U] = 0U; + lit.value[563U] = 0U; + lit.value[564U] = 0U; + lit.value[565U] = 0U; + lit.value[566U] = 0U; + lit.value[567U] = 0U; + lit.value[568U] = 0U; + lit.value[569U] = 0U; + lit.value[570U] = 0U; + lit.value[571U] = 0U; + lit.value[572U] = 0U; + lit.value[573U] = 0U; + lit.value[574U] = 0U; + lit.value[575U] = 0U; + lit.value[576U] = 0U; + lit.value[577U] = 0U; + lit.value[578U] = 0U; + lit.value[579U] = 0U; + lit.value[580U] = 0U; + lit.value[581U] = 0U; + lit.value[582U] = 0U; + lit.value[583U] = 0U; + lit.value[584U] = 0U; + lit.value[585U] = 0U; + lit.value[586U] = 0U; + lit.value[587U] = 0U; + lit.value[588U] = 0U; + lit.value[589U] = 0U; + lit.value[590U] = 0U; + lit.value[591U] = 0U; + lit.value[592U] = 0U; + lit.value[593U] = 0U; + lit.value[594U] = 0U; + lit.value[595U] = 0U; + lit.value[596U] = 0U; + lit.value[597U] = 0U; + lit.value[598U] = 0U; + lit.value[599U] = 0U; + lit.value[600U] = 0U; + lit.value[601U] = 0U; + lit.value[602U] = 0U; + lit.value[603U] = 0U; + lit.value[604U] = 0U; + lit.value[605U] = 0U; + lit.value[606U] = 0U; + lit.value[607U] = 0U; + lit.value[608U] = 0U; + lit.value[609U] = 0U; + lit.value[610U] = 0U; + lit.value[611U] = 0U; + lit.value[612U] = 0U; + lit.value[613U] = 0U; + lit.value[614U] = 0U; + lit.value[615U] = 0U; + lit.value[616U] = 0U; + lit.value[617U] = 0U; + lit.value[618U] = 0U; + lit.value[619U] = 0U; + lit.value[620U] = 0U; + lit.value[621U] = 0U; + lit.value[622U] = 0U; + lit.value[623U] = 0U; + lit.value[624U] = 0U; + lit.value[625U] = 0U; + lit.value[626U] = 0U; + lit.value[627U] = 0U; + lit.value[628U] = 0U; + lit.value[629U] = 0U; + lit.value[630U] = 0U; + lit.value[631U] = 0U; + lit.value[632U] = 0U; + lit.value[633U] = 0U; + lit.value[634U] = 0U; + lit.value[635U] = 0U; + lit.value[636U] = 0U; + lit.value[637U] = 0U; + lit.value[638U] = 0U; + lit.value[639U] = 0U; + lit.value[640U] = 0U; + lit.value[641U] = 0U; + lit.value[642U] = 0U; + lit.value[643U] = 0U; + lit.value[644U] = 0U; + lit.value[645U] = 0U; + lit.value[646U] = 0U; + lit.value[647U] = 0U; + lit.value[648U] = 0U; + lit.value[649U] = 0U; + lit.value[650U] = 0U; + lit.value[651U] = 0U; + lit.value[652U] = 0U; + lit.value[653U] = 0U; + lit.value[654U] = 0U; + lit.value[655U] = 0U; + lit.value[656U] = 0U; + lit.value[657U] = 0U; + lit.value[658U] = 0U; + lit.value[659U] = 0U; + lit.value[660U] = 0U; + lit.value[661U] = 0U; + lit.value[662U] = 0U; + lit.value[663U] = 0U; + lit.value[664U] = 0U; + lit.value[665U] = 0U; + lit.value[666U] = 0U; + lit.value[667U] = 0U; + lit.value[668U] = 0U; + lit.value[669U] = 0U; + lit.value[670U] = 0U; + lit.value[671U] = 0U; + lit.value[672U] = 0U; + lit.value[673U] = 0U; + lit.value[674U] = 0U; + lit.value[675U] = 0U; + lit.value[676U] = 0U; + lit.value[677U] = 0U; + lit.value[678U] = 0U; + lit.value[679U] = 0U; + lit.value[680U] = 0U; + lit.value[681U] = 0U; + lit.value[682U] = 0U; + lit.value[683U] = 0U; + lit.value[684U] = 0U; + lit.value[685U] = 0U; + lit.value[686U] = 0U; + lit.value[687U] = 0U; + lit.value[688U] = 0U; + lit.value[689U] = 0U; + lit.value[690U] = 0U; + lit.value[691U] = 0U; + lit.value[692U] = 0U; + lit.value[693U] = 0U; + lit.value[694U] = 0U; + lit.value[695U] = 0U; + lit.value[696U] = 0U; + lit.value[697U] = 0U; + lit.value[698U] = 0U; + lit.value[699U] = 0U; + lit.value[700U] = 0U; + lit.value[701U] = 0U; + lit.value[702U] = 0U; + lit.value[703U] = 0U; + lit.value[704U] = 0U; + lit.value[705U] = 0U; + lit.value[706U] = 0U; + lit.value[707U] = 0U; + lit.value[708U] = 0U; + lit.value[709U] = 0U; + lit.value[710U] = 0U; + lit.value[711U] = 0U; + lit.value[712U] = 0U; + lit.value[713U] = 0U; + lit.value[714U] = 0U; + lit.value[715U] = 0U; + lit.value[716U] = 0U; + lit.value[717U] = 0U; + lit.value[718U] = 0U; + lit.value[719U] = 0U; + lit.value[720U] = 0U; + lit.value[721U] = 0U; + lit.value[722U] = 0U; + lit.value[723U] = 0U; + lit.value[724U] = 0U; + lit.value[725U] = 0U; + lit.value[726U] = 0U; + lit.value[727U] = 0U; + lit.value[728U] = 0U; + lit.value[729U] = 0U; + lit.value[730U] = 0U; + lit.value[731U] = 0U; + lit.value[732U] = 0U; + lit.value[733U] = 0U; + lit.value[734U] = 0U; + lit.value[735U] = 0U; + lit.value[736U] = 0U; + lit.value[737U] = 0U; + lit.value[738U] = 0U; + lit.value[739U] = 0U; + lit.value[740U] = 0U; + lit.value[741U] = 0U; + lit.value[742U] = 0U; + lit.value[743U] = 0U; + lit.value[744U] = 0U; + lit.value[745U] = 0U; + lit.value[746U] = 0U; + lit.value[747U] = 0U; + lit.value[748U] = 0U; + lit.value[749U] = 0U; + lit.value[750U] = 0U; + lit.value[751U] = 0U; + lit.value[752U] = 0U; + lit.value[753U] = 0U; + lit.value[754U] = 0U; + lit.value[755U] = 0U; + lit.value[756U] = 0U; + lit.value[757U] = 0U; + lit.value[758U] = 0U; + lit.value[759U] = 0U; + lit.value[760U] = 0U; + lit.value[761U] = 0U; + lit.value[762U] = 0U; + lit.value[763U] = 0U; + lit.value[764U] = 0U; + lit.value[765U] = 0U; + lit.value[766U] = 0U; + lit.value[767U] = 0U; + lit.value[768U] = 0U; + lit.value[769U] = 0U; + lit.value[770U] = 0U; + lit.value[771U] = 0U; + lit.value[772U] = 0U; + lit.value[773U] = 0U; + lit.value[774U] = 0U; + lit.value[775U] = 0U; + lit.value[776U] = 0U; + lit.value[777U] = 0U; + lit.value[778U] = 0U; + lit.value[779U] = 0U; + lit.value[780U] = 0U; + lit.value[781U] = 0U; + lit.value[782U] = 0U; + lit.value[783U] = 0U; + lit.value[784U] = 0U; + lit.value[785U] = 0U; + lit.value[786U] = 0U; + lit.value[787U] = 0U; + lit.value[788U] = 0U; + lit.value[789U] = 0U; + lit.value[790U] = 0U; + lit.value[791U] = 0U; + lit.value[792U] = 0U; + lit.value[793U] = 0U; + lit.value[794U] = 0U; + lit.value[795U] = 0U; + lit.value[796U] = 0U; + lit.value[797U] = 0U; + lit.value[798U] = 0U; + lit.value[799U] = 0U; + lit.value[800U] = 0U; + lit.value[801U] = 0U; + lit.value[802U] = 0U; + lit.value[803U] = 0U; + lit.value[804U] = 0U; + lit.value[805U] = 0U; + lit.value[806U] = 0U; + lit.value[807U] = 0U; + lit.value[808U] = 0U; + lit.value[809U] = 0U; + lit.value[810U] = 0U; + lit.value[811U] = 0U; + lit.value[812U] = 0U; + lit.value[813U] = 0U; + lit.value[814U] = 0U; + lit.value[815U] = 0U; + lit.value[816U] = 0U; + lit.value[817U] = 0U; + lit.value[818U] = 0U; + lit.value[819U] = 0U; + lit.value[820U] = 0U; + lit.value[821U] = 0U; + lit.value[822U] = 0U; + lit.value[823U] = 0U; + lit.value[824U] = 0U; + lit.value[825U] = 0U; + lit.value[826U] = 0U; + lit.value[827U] = 0U; + lit.value[828U] = 0U; + lit.value[829U] = 0U; + lit.value[830U] = 0U; + lit.value[831U] = 0U; + lit.value[832U] = 0U; + lit.value[833U] = 0U; + lit.value[834U] = 0U; + lit.value[835U] = 0U; + lit.value[836U] = 0U; + lit.value[837U] = 0U; + lit.value[838U] = 0U; + lit.value[839U] = 0U; + lit.value[840U] = 0U; + lit.value[841U] = 0U; + lit.value[842U] = 0U; + lit.value[843U] = 0U; + lit.value[844U] = 0U; + lit.value[845U] = 0U; + lit.value[846U] = 0U; + lit.value[847U] = 0U; + lit.value[848U] = 0U; + lit.value[849U] = 0U; + lit.value[850U] = 0U; + lit.value[851U] = 0U; + lit.value[852U] = 0U; + lit.value[853U] = 0U; + lit.value[854U] = 0U; + lit.value[855U] = 0U; + lit.value[856U] = 0U; + lit.value[857U] = 0U; + lit.value[858U] = 0U; + lit.value[859U] = 0U; + lit.value[860U] = 0U; + lit.value[861U] = 0U; + lit.value[862U] = 0U; + lit.value[863U] = 0U; + lit.value[864U] = 0U; + lit.value[865U] = 0U; + lit.value[866U] = 0U; + lit.value[867U] = 0U; + lit.value[868U] = 0U; + lit.value[869U] = 0U; + lit.value[870U] = 0U; + lit.value[871U] = 0U; + lit.value[872U] = 0U; + lit.value[873U] = 0U; + lit.value[874U] = 0U; + lit.value[875U] = 0U; + lit.value[876U] = 0U; + lit.value[877U] = 0U; + lit.value[878U] = 0U; + lit.value[879U] = 0U; + lit.value[880U] = 0U; + lit.value[881U] = 0U; + lit.value[882U] = 0U; + lit.value[883U] = 0U; + lit.value[884U] = 0U; + lit.value[885U] = 0U; + lit.value[886U] = 0U; + lit.value[887U] = 0U; + lit.value[888U] = 0U; + lit.value[889U] = 0U; + lit.value[890U] = 0U; + lit.value[891U] = 0U; + lit.value[892U] = 0U; + lit.value[893U] = 0U; + lit.value[894U] = 0U; + lit.value[895U] = 0U; + lit.value[896U] = 0U; + lit.value[897U] = 0U; + lit.value[898U] = 0U; + lit.value[899U] = 0U; + lit.value[900U] = 0U; + lit.value[901U] = 0U; + lit.value[902U] = 0U; + lit.value[903U] = 0U; + lit.value[904U] = 0U; + lit.value[905U] = 0U; + lit.value[906U] = 0U; + lit.value[907U] = 0U; + lit.value[908U] = 0U; + lit.value[909U] = 0U; + lit.value[910U] = 0U; + lit.value[911U] = 0U; + lit.value[912U] = 0U; + lit.value[913U] = 0U; + lit.value[914U] = 0U; + lit.value[915U] = 0U; + lit.value[916U] = 0U; + lit.value[917U] = 0U; + lit.value[918U] = 0U; + lit.value[919U] = 0U; + lit.value[920U] = 0U; + lit.value[921U] = 0U; + lit.value[922U] = 0U; + lit.value[923U] = 0U; + lit.value[924U] = 0U; + lit.value[925U] = 0U; + lit.value[926U] = 0U; + lit.value[927U] = 0U; + lit.value[928U] = 0U; + lit.value[929U] = 0U; + lit.value[930U] = 0U; + lit.value[931U] = 0U; + lit.value[932U] = 0U; + lit.value[933U] = 0U; + lit.value[934U] = 0U; + lit.value[935U] = 0U; + lit.value[936U] = 0U; + lit.value[937U] = 0U; + lit.value[938U] = 0U; + lit.value[939U] = 0U; + lit.value[940U] = 0U; + lit.value[941U] = 0U; + lit.value[942U] = 0U; + lit.value[943U] = 0U; + lit.value[944U] = 0U; + lit.value[945U] = 0U; + lit.value[946U] = 0U; + lit.value[947U] = 0U; + lit.value[948U] = 0U; + lit.value[949U] = 0U; + lit.value[950U] = 0U; + lit.value[951U] = 0U; + lit.value[952U] = 0U; + lit.value[953U] = 0U; + lit.value[954U] = 0U; + lit.value[955U] = 0U; + lit.value[956U] = 0U; + lit.value[957U] = 0U; + lit.value[958U] = 0U; + lit.value[959U] = 0U; + lit.value[960U] = 0U; + lit.value[961U] = 0U; + lit.value[962U] = 0U; + lit.value[963U] = 0U; + lit.value[964U] = 0U; + lit.value[965U] = 0U; + lit.value[966U] = 0U; + lit.value[967U] = 0U; + lit.value[968U] = 0U; + lit.value[969U] = 0U; + lit.value[970U] = 0U; + lit.value[971U] = 0U; + lit.value[972U] = 0U; + lit.value[973U] = 0U; + lit.value[974U] = 0U; + lit.value[975U] = 0U; + lit.value[976U] = 0U; + lit.value[977U] = 0U; + lit.value[978U] = 0U; + lit.value[979U] = 0U; + lit.value[980U] = 0U; + lit.value[981U] = 0U; + lit.value[982U] = 0U; + lit.value[983U] = 0U; + lit.value[984U] = 0U; + lit.value[985U] = 0U; + lit.value[986U] = 0U; + lit.value[987U] = 0U; + lit.value[988U] = 0U; + lit.value[989U] = 0U; + lit.value[990U] = 0U; + lit.value[991U] = 0U; + lit.value[992U] = 0U; + lit.value[993U] = 0U; + lit.value[994U] = 0U; + lit.value[995U] = 0U; + lit.value[996U] = 0U; + lit.value[997U] = 0U; + lit.value[998U] = 0U; + lit.value[999U] = 0U; + lit.value[1000U] = 0U; + lit.value[1001U] = 0U; + lit.value[1002U] = 0U; + lit.value[1003U] = 0U; + lit.value[1004U] = 0U; + lit.value[1005U] = 0U; + lit.value[1006U] = 0U; + lit.value[1007U] = 0U; + lit.value[1008U] = 0U; + lit.value[1009U] = 0U; + lit.value[1010U] = 0U; + lit.value[1011U] = 0U; + lit.value[1012U] = 0U; + lit.value[1013U] = 0U; + lit.value[1014U] = 0U; + lit.value[1015U] = 0U; + lit.value[1016U] = 0U; + lit.value[1017U] = 0U; + lit.value[1018U] = 0U; + lit.value[1019U] = 0U; + lit.value[1020U] = 0U; + lit.value[1021U] = 0U; + lit.value[1022U] = 0U; + lit.value[1023U] = 0U; + lit.value[1024U] = 0U; + lit.value[1025U] = 0U; + lit.value[1026U] = 0U; + lit.value[1027U] = 0U; + lit.value[1028U] = 0U; + lit.value[1029U] = 0U; + lit.value[1030U] = 0U; + lit.value[1031U] = 0U; + lit.value[1032U] = 0U; + lit.value[1033U] = 0U; + lit.value[1034U] = 0U; + lit.value[1035U] = 0U; + lit.value[1036U] = 0U; + lit.value[1037U] = 0U; + lit.value[1038U] = 0U; + lit.value[1039U] = 0U; + lit.value[1040U] = 0U; + lit.value[1041U] = 0U; + lit.value[1042U] = 0U; + lit.value[1043U] = 0U; + lit.value[1044U] = 0U; + lit.value[1045U] = 0U; + lit.value[1046U] = 0U; + lit.value[1047U] = 0U; + lit.value[1048U] = 0U; + lit.value[1049U] = 0U; + lit.value[1050U] = 0U; + lit.value[1051U] = 0U; + lit.value[1052U] = 0U; + lit.value[1053U] = 0U; + lit.value[1054U] = 0U; + lit.value[1055U] = 0U; + lit.value[1056U] = 0U; + lit.value[1057U] = 0U; + lit.value[1058U] = 0U; + lit.value[1059U] = 0U; + lit.value[1060U] = 0U; + lit.value[1061U] = 0U; + lit.value[1062U] = 0U; + lit.value[1063U] = 0U; + lit.value[1064U] = 0U; + lit.value[1065U] = 0U; + lit.value[1066U] = 0U; + lit.value[1067U] = 0U; + lit.value[1068U] = 0U; + lit.value[1069U] = 0U; + lit.value[1070U] = 0U; + lit.value[1071U] = 0U; + lit.value[1072U] = 0U; + lit.value[1073U] = 0U; + lit.value[1074U] = 0U; + lit.value[1075U] = 0U; + lit.value[1076U] = 0U; + lit.value[1077U] = 0U; + lit.value[1078U] = 0U; + lit.value[1079U] = 0U; + lit.value[1080U] = 0U; + lit.value[1081U] = 0U; + lit.value[1082U] = 0U; + lit.value[1083U] = 0U; + lit.value[1084U] = 0U; + lit.value[1085U] = 0U; + lit.value[1086U] = 0U; + lit.value[1087U] = 0U; + lit.value[1088U] = 0U; + lit.value[1089U] = 0U; + lit.value[1090U] = 0U; + lit.value[1091U] = 0U; + lit.value[1092U] = 0U; + lit.value[1093U] = 0U; + lit.value[1094U] = 0U; + lit.value[1095U] = 0U; + lit.value[1096U] = 0U; + lit.value[1097U] = 0U; + lit.value[1098U] = 0U; + lit.value[1099U] = 0U; + lit.value[1100U] = 0U; + lit.value[1101U] = 0U; + lit.value[1102U] = 0U; + lit.value[1103U] = 0U; + lit.value[1104U] = 0U; + lit.value[1105U] = 0U; + lit.value[1106U] = 0U; + lit.value[1107U] = 0U; + lit.value[1108U] = 0U; + lit.value[1109U] = 0U; + lit.value[1110U] = 0U; + lit.value[1111U] = 0U; + lit.value[1112U] = 0U; + lit.value[1113U] = 0U; + lit.value[1114U] = 0U; + lit.value[1115U] = 0U; + lit.value[1116U] = 0U; + lit.value[1117U] = 0U; + lit.value[1118U] = 0U; + lit.value[1119U] = 0U; + lit.value[1120U] = 0U; + lit.value[1121U] = 0U; + lit.value[1122U] = 0U; + lit.value[1123U] = 0U; + lit.value[1124U] = 0U; + lit.value[1125U] = 0U; + lit.value[1126U] = 0U; + lit.value[1127U] = 0U; + lit.value[1128U] = 0U; + lit.value[1129U] = 0U; + lit.value[1130U] = 0U; + lit.value[1131U] = 0U; + lit.value[1132U] = 0U; + lit.value[1133U] = 0U; + lit.value[1134U] = 0U; + lit.value[1135U] = 0U; + lit.value[1136U] = 0U; + lit.value[1137U] = 0U; + lit.value[1138U] = 0U; + lit.value[1139U] = 0U; + lit.value[1140U] = 0U; + lit.value[1141U] = 0U; + lit.value[1142U] = 0U; + lit.value[1143U] = 0U; + lit.value[1144U] = 0U; + lit.value[1145U] = 0U; + lit.value[1146U] = 0U; + lit.value[1147U] = 0U; + lit.value[1148U] = 0U; + lit.value[1149U] = 0U; + lit.value[1150U] = 0U; + lit.value[1151U] = 0U; + lit.value[1152U] = 0U; + lit.value[1153U] = 0U; + lit.value[1154U] = 0U; + lit.value[1155U] = 0U; + lit.value[1156U] = 0U; + lit.value[1157U] = 0U; + lit.value[1158U] = 0U; + lit.value[1159U] = 0U; + lit.value[1160U] = 0U; + lit.value[1161U] = 0U; + lit.value[1162U] = 0U; + lit.value[1163U] = 0U; + lit.value[1164U] = 0U; + lit.value[1165U] = 0U; + lit.value[1166U] = 0U; + lit.value[1167U] = 0U; + lit.value[1168U] = 0U; + lit.value[1169U] = 0U; + lit.value[1170U] = 0U; + lit.value[1171U] = 0U; + lit.value[1172U] = 0U; + lit.value[1173U] = 0U; + lit.value[1174U] = 0U; + lit.value[1175U] = 0U; + lit.value[1176U] = 0U; + lit.value[1177U] = 0U; + lit.value[1178U] = 0U; + lit.value[1179U] = 0U; + lit.value[1180U] = 0U; + lit.value[1181U] = 0U; + lit.value[1182U] = 0U; + lit.value[1183U] = 0U; + lit.value[1184U] = 0U; + lit.value[1185U] = 0U; + lit.value[1186U] = 0U; + lit.value[1187U] = 0U; + lit.value[1188U] = 0U; + lit.value[1189U] = 0U; + lit.value[1190U] = 0U; + lit.value[1191U] = 0U; + lit.value[1192U] = 0U; + lit.value[1193U] = 0U; + lit.value[1194U] = 0U; + lit.value[1195U] = 0U; + lit.value[1196U] = 0U; + lit.value[1197U] = 0U; + lit.value[1198U] = 0U; + lit.value[1199U] = 0U; + lit.value[1200U] = 0U; + lit.value[1201U] = 0U; + lit.value[1202U] = 0U; + lit.value[1203U] = 0U; + lit.value[1204U] = 0U; + lit.value[1205U] = 0U; + lit.value[1206U] = 0U; + lit.value[1207U] = 0U; + lit.value[1208U] = 0U; + lit.value[1209U] = 0U; + lit.value[1210U] = 0U; + lit.value[1211U] = 0U; + lit.value[1212U] = 0U; + lit.value[1213U] = 0U; + lit.value[1214U] = 0U; + lit.value[1215U] = 0U; + lit.value[1216U] = 0U; + lit.value[1217U] = 0U; + lit.value[1218U] = 0U; + lit.value[1219U] = 0U; + lit.value[1220U] = 0U; + lit.value[1221U] = 0U; + lit.value[1222U] = 0U; + lit.value[1223U] = 0U; + lit.value[1224U] = 0U; + lit.value[1225U] = 0U; + lit.value[1226U] = 0U; + lit.value[1227U] = 0U; + lit.value[1228U] = 0U; + lit.value[1229U] = 0U; + lit.value[1230U] = 0U; + lit.value[1231U] = 0U; + lit.value[1232U] = 0U; + lit.value[1233U] = 0U; + lit.value[1234U] = 0U; + lit.value[1235U] = 0U; + lit.value[1236U] = 0U; + lit.value[1237U] = 0U; + lit.value[1238U] = 0U; + lit.value[1239U] = 0U; + lit.value[1240U] = 0U; + lit.value[1241U] = 0U; + lit.value[1242U] = 0U; + lit.value[1243U] = 0U; + lit.value[1244U] = 0U; + lit.value[1245U] = 0U; + lit.value[1246U] = 0U; + lit.value[1247U] = 0U; + lit.value[1248U] = 0U; + lit.value[1249U] = 0U; + lit.value[1250U] = 0U; + lit.value[1251U] = 0U; + lit.value[1252U] = 0U; + lit.value[1253U] = 0U; + lit.value[1254U] = 0U; + lit.value[1255U] = 0U; + lit.value[1256U] = 0U; + lit.value[1257U] = 0U; + lit.value[1258U] = 0U; + lit.value[1259U] = 0U; + lit.value[1260U] = 0U; + lit.value[1261U] = 0U; + lit.value[1262U] = 0U; + lit.value[1263U] = 0U; + lit.value[1264U] = 0U; + lit.value[1265U] = 0U; + lit.value[1266U] = 0U; + lit.value[1267U] = 0U; + lit.value[1268U] = 0U; + lit.value[1269U] = 0U; + lit.value[1270U] = 0U; + lit.value[1271U] = 0U; + lit.value[1272U] = 0U; + lit.value[1273U] = 0U; + lit.value[1274U] = 0U; + lit.value[1275U] = 0U; + lit.value[1276U] = 0U; + lit.value[1277U] = 0U; + lit.value[1278U] = 0U; + lit.value[1279U] = 0U; + lit.value[1280U] = 0U; + lit.value[1281U] = 0U; + lit.value[1282U] = 0U; + lit.value[1283U] = 0U; + lit.value[1284U] = 0U; + lit.value[1285U] = 0U; + lit.value[1286U] = 0U; + lit.value[1287U] = 0U; + lit.value[1288U] = 0U; + lit.value[1289U] = 0U; + lit.value[1290U] = 0U; + lit.value[1291U] = 0U; + lit.value[1292U] = 0U; + lit.value[1293U] = 0U; + lit.value[1294U] = 0U; + lit.value[1295U] = 0U; + lit.value[1296U] = 0U; + lit.value[1297U] = 0U; + lit.value[1298U] = 0U; + lit.value[1299U] = 0U; + lit.value[1300U] = 0U; + lit.value[1301U] = 0U; + lit.value[1302U] = 0U; + lit.value[1303U] = 0U; + lit.value[1304U] = 0U; + lit.value[1305U] = 0U; + lit.value[1306U] = 0U; + lit.value[1307U] = 0U; + lit.value[1308U] = 0U; + lit.value[1309U] = 0U; + lit.value[1310U] = 0U; + lit.value[1311U] = 0U; + lit.value[1312U] = 0U; + lit.value[1313U] = 0U; + lit.value[1314U] = 0U; + lit.value[1315U] = 0U; + lit.value[1316U] = 0U; + lit.value[1317U] = 0U; + lit.value[1318U] = 0U; + lit.value[1319U] = 0U; + lit.value[1320U] = 0U; + lit.value[1321U] = 0U; + lit.value[1322U] = 0U; + lit.value[1323U] = 0U; + lit.value[1324U] = 0U; + lit.value[1325U] = 0U; + lit.value[1326U] = 0U; + lit.value[1327U] = 0U; + lit.value[1328U] = 0U; + lit.value[1329U] = 0U; + lit.value[1330U] = 0U; + lit.value[1331U] = 0U; + lit.value[1332U] = 0U; + lit.value[1333U] = 0U; + lit.value[1334U] = 0U; + lit.value[1335U] = 0U; + lit.value[1336U] = 0U; + lit.value[1337U] = 0U; + lit.value[1338U] = 0U; + lit.value[1339U] = 0U; + lit.value[1340U] = 0U; + lit.value[1341U] = 0U; + lit.value[1342U] = 0U; + lit.value[1343U] = 0U; + lit.value[1344U] = 0U; + lit.value[1345U] = 0U; + lit.value[1346U] = 0U; + lit.value[1347U] = 0U; + lit.value[1348U] = 0U; + lit.value[1349U] = 0U; + lit.value[1350U] = 0U; + lit.value[1351U] = 0U; + lit.value[1352U] = 0U; + lit.value[1353U] = 0U; + lit.value[1354U] = 0U; + lit.value[1355U] = 0U; + lit.value[1356U] = 0U; + lit.value[1357U] = 0U; + lit.value[1358U] = 0U; + lit.value[1359U] = 0U; + lit.value[1360U] = 0U; + lit.value[1361U] = 0U; + lit.value[1362U] = 0U; + lit.value[1363U] = 0U; + lit.value[1364U] = 0U; + lit.value[1365U] = 0U; + lit.value[1366U] = 0U; + lit.value[1367U] = 0U; + lit.value[1368U] = 0U; + lit.value[1369U] = 0U; + lit.value[1370U] = 0U; + lit.value[1371U] = 0U; + lit.value[1372U] = 0U; + lit.value[1373U] = 0U; + lit.value[1374U] = 0U; + lit.value[1375U] = 0U; + lit.value[1376U] = 0U; + lit.value[1377U] = 0U; + lit.value[1378U] = 0U; + lit.value[1379U] = 0U; + lit.value[1380U] = 0U; + lit.value[1381U] = 0U; + lit.value[1382U] = 0U; + lit.value[1383U] = 0U; + lit.value[1384U] = 0U; + lit.value[1385U] = 0U; + lit.value[1386U] = 0U; + lit.value[1387U] = 0U; + lit.value[1388U] = 0U; + lit.value[1389U] = 0U; + lit.value[1390U] = 0U; + lit.value[1391U] = 0U; + lit.value[1392U] = 0U; + lit.value[1393U] = 0U; + lit.value[1394U] = 0U; + lit.value[1395U] = 0U; + lit.value[1396U] = 0U; + lit.value[1397U] = 0U; + lit.value[1398U] = 0U; + lit.value[1399U] = 0U; + lit.value[1400U] = 0U; + lit.value[1401U] = 0U; + lit.value[1402U] = 0U; + lit.value[1403U] = 0U; + lit.value[1404U] = 0U; + lit.value[1405U] = 0U; + lit.value[1406U] = 0U; + lit.value[1407U] = 0U; + lit.value[1408U] = 0U; + lit.value[1409U] = 0U; + lit.value[1410U] = 0U; + lit.value[1411U] = 0U; + lit.value[1412U] = 0U; + lit.value[1413U] = 0U; + lit.value[1414U] = 0U; + lit.value[1415U] = 0U; + lit.value[1416U] = 0U; + lit.value[1417U] = 0U; + lit.value[1418U] = 0U; + lit.value[1419U] = 0U; + lit.value[1420U] = 0U; + lit.value[1421U] = 0U; + lit.value[1422U] = 0U; + lit.value[1423U] = 0U; + lit.value[1424U] = 0U; + lit.value[1425U] = 0U; + lit.value[1426U] = 0U; + lit.value[1427U] = 0U; + lit.value[1428U] = 0U; + lit.value[1429U] = 0U; + lit.value[1430U] = 0U; + lit.value[1431U] = 0U; + lit.value[1432U] = 0U; + lit.value[1433U] = 0U; + lit.value[1434U] = 0U; + lit.value[1435U] = 0U; + lit.value[1436U] = 0U; + lit.value[1437U] = 0U; + lit.value[1438U] = 0U; + lit.value[1439U] = 0U; + lit.value[1440U] = 0U; + lit.value[1441U] = 0U; + lit.value[1442U] = 0U; + lit.value[1443U] = 0U; + lit.value[1444U] = 0U; + lit.value[1445U] = 0U; + lit.value[1446U] = 0U; + lit.value[1447U] = 0U; + lit.value[1448U] = 0U; + lit.value[1449U] = 0U; + lit.value[1450U] = 0U; + lit.value[1451U] = 0U; + lit.value[1452U] = 0U; + lit.value[1453U] = 0U; + lit.value[1454U] = 0U; + lit.value[1455U] = 0U; + lit.value[1456U] = 0U; + lit.value[1457U] = 0U; + lit.value[1458U] = 0U; + lit.value[1459U] = 0U; + lit.value[1460U] = 0U; + lit.value[1461U] = 0U; + lit.value[1462U] = 0U; + lit.value[1463U] = 0U; + lit.value[1464U] = 0U; + lit.value[1465U] = 0U; + lit.value[1466U] = 0U; + lit.value[1467U] = 0U; + lit.value[1468U] = 0U; + lit.value[1469U] = 0U; + lit.value[1470U] = 0U; + lit.value[1471U] = 0U; + lit.value[1472U] = 0U; + lit.value[1473U] = 0U; + lit.value[1474U] = 0U; + lit.value[1475U] = 0U; + lit.value[1476U] = 0U; + lit.value[1477U] = 0U; + lit.value[1478U] = 0U; + lit.value[1479U] = 0U; + lit.value[1480U] = 0U; + lit.value[1481U] = 0U; + lit.value[1482U] = 0U; + lit.value[1483U] = 0U; + lit.value[1484U] = 0U; + lit.value[1485U] = 0U; + lit.value[1486U] = 0U; + lit.value[1487U] = 0U; + lit.value[1488U] = 0U; + lit.value[1489U] = 0U; + lit.value[1490U] = 0U; + lit.value[1491U] = 0U; + lit.value[1492U] = 0U; + lit.value[1493U] = 0U; + lit.value[1494U] = 0U; + lit.value[1495U] = 0U; + lit.value[1496U] = 0U; + lit.value[1497U] = 0U; + lit.value[1498U] = 0U; + lit.value[1499U] = 0U; + lit.value[1500U] = 0U; + lit.value[1501U] = 0U; + lit.value[1502U] = 0U; + lit.value[1503U] = 0U; + lit.value[1504U] = 0U; + lit.value[1505U] = 0U; + lit.value[1506U] = 0U; + lit.value[1507U] = 0U; + lit.value[1508U] = 0U; + lit.value[1509U] = 0U; + lit.value[1510U] = 0U; + lit.value[1511U] = 0U; + lit.value[1512U] = 0U; + lit.value[1513U] = 0U; + lit.value[1514U] = 0U; + lit.value[1515U] = 0U; + lit.value[1516U] = 0U; + lit.value[1517U] = 0U; + lit.value[1518U] = 0U; + lit.value[1519U] = 0U; + lit.value[1520U] = 0U; + lit.value[1521U] = 0U; + lit.value[1522U] = 0U; + lit.value[1523U] = 0U; + lit.value[1524U] = 0U; + lit.value[1525U] = 0U; + lit.value[1526U] = 0U; + lit.value[1527U] = 0U; + lit.value[1528U] = 0U; + lit.value[1529U] = 0U; + lit.value[1530U] = 0U; + lit.value[1531U] = 0U; + lit.value[1532U] = 0U; + lit.value[1533U] = 0U; + lit.value[1534U] = 0U; + lit.value[1535U] = 0U; + lit.value[1536U] = 0U; + lit.value[1537U] = 0U; + lit.value[1538U] = 0U; + lit.value[1539U] = 0U; + lit.value[1540U] = 0U; + lit.value[1541U] = 0U; + lit.value[1542U] = 0U; + lit.value[1543U] = 0U; + lit.value[1544U] = 0U; + lit.value[1545U] = 0U; + lit.value[1546U] = 0U; + lit.value[1547U] = 0U; + lit.value[1548U] = 0U; + lit.value[1549U] = 0U; + lit.value[1550U] = 0U; + lit.value[1551U] = 0U; + lit.value[1552U] = 0U; + lit.value[1553U] = 0U; + lit.value[1554U] = 0U; + lit.value[1555U] = 0U; + lit.value[1556U] = 0U; + lit.value[1557U] = 0U; + lit.value[1558U] = 0U; + lit.value[1559U] = 0U; + lit.value[1560U] = 0U; + lit.value[1561U] = 0U; + lit.value[1562U] = 0U; + lit.value[1563U] = 0U; + lit.value[1564U] = 0U; + lit.value[1565U] = 0U; + lit.value[1566U] = 0U; + lit.value[1567U] = 0U; + lit.value[1568U] = 0U; + lit.value[1569U] = 0U; + lit.value[1570U] = 0U; + lit.value[1571U] = 0U; + lit.value[1572U] = 0U; + lit.value[1573U] = 0U; + lit.value[1574U] = 0U; + lit.value[1575U] = 0U; + lit.value[1576U] = 0U; + lit.value[1577U] = 0U; + lit.value[1578U] = 0U; + lit.value[1579U] = 0U; + lit.value[1580U] = 0U; + lit.value[1581U] = 0U; + lit.value[1582U] = 0U; + lit.value[1583U] = 0U; + lit.value[1584U] = 0U; + lit.value[1585U] = 0U; + lit.value[1586U] = 0U; + lit.value[1587U] = 0U; + lit.value[1588U] = 0U; + lit.value[1589U] = 0U; + lit.value[1590U] = 0U; + lit.value[1591U] = 0U; + lit.value[1592U] = 0U; + lit.value[1593U] = 0U; + lit.value[1594U] = 0U; + lit.value[1595U] = 0U; + lit.value[1596U] = 0U; + lit.value[1597U] = 0U; + lit.value[1598U] = 0U; + lit.value[1599U] = 0U; + lit.value[1600U] = 0U; + lit.value[1601U] = 0U; + lit.value[1602U] = 0U; + lit.value[1603U] = 0U; + lit.value[1604U] = 0U; + lit.value[1605U] = 0U; + lit.value[1606U] = 0U; + lit.value[1607U] = 0U; + lit.value[1608U] = 0U; + lit.value[1609U] = 0U; + lit.value[1610U] = 0U; + lit.value[1611U] = 0U; + lit.value[1612U] = 0U; + lit.value[1613U] = 0U; + lit.value[1614U] = 0U; + lit.value[1615U] = 0U; + lit.value[1616U] = 0U; + lit.value[1617U] = 0U; + lit.value[1618U] = 0U; + lit.value[1619U] = 0U; + lit.value[1620U] = 0U; + lit.value[1621U] = 0U; + lit.value[1622U] = 0U; + lit.value[1623U] = 0U; + lit.value[1624U] = 0U; + lit.value[1625U] = 0U; + lit.value[1626U] = 0U; + lit.value[1627U] = 0U; + lit.value[1628U] = 0U; + lit.value[1629U] = 0U; + lit.value[1630U] = 0U; + lit.value[1631U] = 0U; + lit.value[1632U] = 0U; + lit.value[1633U] = 0U; + lit.value[1634U] = 0U; + lit.value[1635U] = 0U; + lit.value[1636U] = 0U; + lit.value[1637U] = 0U; + lit.value[1638U] = 0U; + lit.value[1639U] = 0U; + lit.value[1640U] = 0U; + lit.value[1641U] = 0U; + lit.value[1642U] = 0U; + lit.value[1643U] = 0U; + lit.value[1644U] = 0U; + lit.value[1645U] = 0U; + lit.value[1646U] = 0U; + lit.value[1647U] = 0U; + lit.value[1648U] = 0U; + lit.value[1649U] = 0U; + lit.value[1650U] = 0U; + lit.value[1651U] = 0U; + lit.value[1652U] = 0U; + lit.value[1653U] = 0U; + lit.value[1654U] = 0U; + lit.value[1655U] = 0U; + lit.value[1656U] = 0U; + lit.value[1657U] = 0U; + lit.value[1658U] = 0U; + lit.value[1659U] = 0U; + lit.value[1660U] = 0U; + lit.value[1661U] = 0U; + lit.value[1662U] = 0U; + lit.value[1663U] = 0U; + lit.value[1664U] = 0U; + lit.value[1665U] = 0U; + lit.value[1666U] = 0U; + lit.value[1667U] = 0U; + lit.value[1668U] = 0U; + lit.value[1669U] = 0U; + lit.value[1670U] = 0U; + lit.value[1671U] = 0U; + lit.value[1672U] = 0U; + lit.value[1673U] = 0U; + lit.value[1674U] = 0U; + lit.value[1675U] = 0U; + lit.value[1676U] = 0U; + lit.value[1677U] = 0U; + lit.value[1678U] = 0U; + lit.value[1679U] = 0U; + lit.value[1680U] = 0U; + lit.value[1681U] = 0U; + lit.value[1682U] = 0U; + lit.value[1683U] = 0U; + lit.value[1684U] = 0U; + lit.value[1685U] = 0U; + lit.value[1686U] = 0U; + lit.value[1687U] = 0U; + lit.value[1688U] = 0U; + lit.value[1689U] = 0U; + lit.value[1690U] = 0U; + lit.value[1691U] = 0U; + lit.value[1692U] = 0U; + lit.value[1693U] = 0U; + lit.value[1694U] = 0U; + lit.value[1695U] = 0U; + lit.value[1696U] = 0U; + lit.value[1697U] = 0U; + lit.value[1698U] = 0U; + lit.value[1699U] = 0U; + lit.value[1700U] = 0U; + lit.value[1701U] = 0U; + lit.value[1702U] = 0U; + lit.value[1703U] = 0U; + lit.value[1704U] = 0U; + lit.value[1705U] = 0U; + lit.value[1706U] = 0U; + lit.value[1707U] = 0U; + lit.value[1708U] = 0U; + lit.value[1709U] = 0U; + lit.value[1710U] = 0U; + lit.value[1711U] = 0U; + lit.value[1712U] = 0U; + lit.value[1713U] = 0U; + lit.value[1714U] = 0U; + lit.value[1715U] = 0U; + lit.value[1716U] = 0U; + lit.value[1717U] = 0U; + lit.value[1718U] = 0U; + lit.value[1719U] = 0U; + lit.value[1720U] = 0U; + lit.value[1721U] = 0U; + lit.value[1722U] = 0U; + lit.value[1723U] = 0U; + lit.value[1724U] = 0U; + lit.value[1725U] = 0U; + lit.value[1726U] = 0U; + lit.value[1727U] = 0U; + lit.value[1728U] = 0U; + lit.value[1729U] = 0U; + lit.value[1730U] = 0U; + lit.value[1731U] = 0U; + lit.value[1732U] = 0U; + lit.value[1733U] = 0U; + lit.value[1734U] = 0U; + lit.value[1735U] = 0U; + lit.value[1736U] = 0U; + lit.value[1737U] = 0U; + lit.value[1738U] = 0U; + lit.value[1739U] = 0U; + lit.value[1740U] = 0U; + lit.value[1741U] = 0U; + lit.value[1742U] = 0U; + lit.value[1743U] = 0U; + lit.value[1744U] = 0U; + lit.value[1745U] = 0U; + lit.value[1746U] = 0U; + lit.value[1747U] = 0U; + lit.value[1748U] = 0U; + lit.value[1749U] = 0U; + lit.value[1750U] = 0U; + lit.value[1751U] = 0U; + lit.value[1752U] = 0U; + lit.value[1753U] = 0U; + lit.value[1754U] = 0U; + lit.value[1755U] = 0U; + lit.value[1756U] = 0U; + lit.value[1757U] = 0U; + lit.value[1758U] = 0U; + lit.value[1759U] = 0U; + lit.value[1760U] = 0U; + lit.value[1761U] = 0U; + lit.value[1762U] = 0U; + lit.value[1763U] = 0U; + lit.value[1764U] = 0U; + lit.value[1765U] = 0U; + lit.value[1766U] = 0U; + lit.value[1767U] = 0U; + lit.value[1768U] = 0U; + lit.value[1769U] = 0U; + lit.value[1770U] = 0U; + lit.value[1771U] = 0U; + lit.value[1772U] = 0U; + lit.value[1773U] = 0U; + lit.value[1774U] = 0U; + lit.value[1775U] = 0U; + lit.value[1776U] = 0U; + lit.value[1777U] = 0U; + lit.value[1778U] = 0U; + lit.value[1779U] = 0U; + lit.value[1780U] = 0U; + lit.value[1781U] = 0U; + lit.value[1782U] = 0U; + lit.value[1783U] = 0U; + lit.value[1784U] = 0U; + lit.value[1785U] = 0U; + lit.value[1786U] = 0U; + lit.value[1787U] = 0U; + lit.value[1788U] = 0U; + lit.value[1789U] = 0U; + lit.value[1790U] = 0U; + lit.value[1791U] = 0U; + lit.value[1792U] = 0U; + lit.value[1793U] = 0U; + lit.value[1794U] = 0U; + lit.value[1795U] = 0U; + lit.value[1796U] = 0U; + lit.value[1797U] = 0U; + lit.value[1798U] = 0U; + lit.value[1799U] = 0U; + lit.value[1800U] = 0U; + lit.value[1801U] = 0U; + lit.value[1802U] = 0U; + lit.value[1803U] = 0U; + lit.value[1804U] = 0U; + lit.value[1805U] = 0U; + lit.value[1806U] = 0U; + lit.value[1807U] = 0U; + lit.value[1808U] = 0U; + lit.value[1809U] = 0U; + lit.value[1810U] = 0U; + lit.value[1811U] = 0U; + lit.value[1812U] = 0U; + lit.value[1813U] = 0U; + lit.value[1814U] = 0U; + lit.value[1815U] = 0U; + lit.value[1816U] = 0U; + lit.value[1817U] = 0U; + lit.value[1818U] = 0U; + lit.value[1819U] = 0U; + lit.value[1820U] = 0U; + lit.value[1821U] = 0U; + lit.value[1822U] = 0U; + lit.value[1823U] = 0U; + lit.value[1824U] = 0U; + lit.value[1825U] = 0U; + lit.value[1826U] = 0U; + lit.value[1827U] = 0U; + lit.value[1828U] = 0U; + lit.value[1829U] = 0U; + lit.value[1830U] = 0U; + lit.value[1831U] = 0U; + lit.value[1832U] = 0U; + lit.value[1833U] = 0U; + lit.value[1834U] = 0U; + lit.value[1835U] = 0U; + lit.value[1836U] = 0U; + lit.value[1837U] = 0U; + lit.value[1838U] = 0U; + lit.value[1839U] = 0U; + lit.value[1840U] = 0U; + lit.value[1841U] = 0U; + lit.value[1842U] = 0U; + lit.value[1843U] = 0U; + lit.value[1844U] = 0U; + lit.value[1845U] = 0U; + lit.value[1846U] = 0U; + lit.value[1847U] = 0U; + lit.value[1848U] = 0U; + lit.value[1849U] = 0U; + lit.value[1850U] = 0U; + lit.value[1851U] = 0U; + lit.value[1852U] = 0U; + lit.value[1853U] = 0U; + lit.value[1854U] = 0U; + lit.value[1855U] = 0U; + lit.value[1856U] = 0U; + lit.value[1857U] = 0U; + lit.value[1858U] = 0U; + lit.value[1859U] = 0U; + lit.value[1860U] = 0U; + lit.value[1861U] = 0U; + lit.value[1862U] = 0U; + lit.value[1863U] = 0U; + lit.value[1864U] = 0U; + lit.value[1865U] = 0U; + lit.value[1866U] = 0U; + lit.value[1867U] = 0U; + lit.value[1868U] = 0U; + lit.value[1869U] = 0U; + lit.value[1870U] = 0U; + lit.value[1871U] = 0U; + lit.value[1872U] = 0U; + lit.value[1873U] = 0U; + lit.value[1874U] = 0U; + lit.value[1875U] = 0U; + lit.value[1876U] = 0U; + lit.value[1877U] = 0U; + lit.value[1878U] = 0U; + lit.value[1879U] = 0U; + lit.value[1880U] = 0U; + lit.value[1881U] = 0U; + lit.value[1882U] = 0U; + lit.value[1883U] = 0U; + lit.value[1884U] = 0U; + lit.value[1885U] = 0U; + lit.value[1886U] = 0U; + lit.value[1887U] = 0U; + lit.value[1888U] = 0U; + lit.value[1889U] = 0U; + lit.value[1890U] = 0U; + lit.value[1891U] = 0U; + lit.value[1892U] = 0U; + lit.value[1893U] = 0U; + lit.value[1894U] = 0U; + lit.value[1895U] = 0U; + lit.value[1896U] = 0U; + lit.value[1897U] = 0U; + lit.value[1898U] = 0U; + lit.value[1899U] = 0U; + lit.value[1900U] = 0U; + lit.value[1901U] = 0U; + lit.value[1902U] = 0U; + lit.value[1903U] = 0U; + lit.value[1904U] = 0U; + lit.value[1905U] = 0U; + lit.value[1906U] = 0U; + lit.value[1907U] = 0U; + lit.value[1908U] = 0U; + lit.value[1909U] = 0U; + lit.value[1910U] = 0U; + lit.value[1911U] = 0U; + lit.value[1912U] = 0U; + lit.value[1913U] = 0U; + lit.value[1914U] = 0U; + lit.value[1915U] = 0U; + lit.value[1916U] = 0U; + lit.value[1917U] = 0U; + lit.value[1918U] = 0U; + lit.value[1919U] = 0U; + lit.value[1920U] = 0U; + lit.value[1921U] = 0U; + lit.value[1922U] = 0U; + lit.value[1923U] = 0U; + lit.value[1924U] = 0U; + lit.value[1925U] = 0U; + lit.value[1926U] = 0U; + lit.value[1927U] = 0U; + lit.value[1928U] = 0U; + lit.value[1929U] = 0U; + lit.value[1930U] = 0U; + lit.value[1931U] = 0U; + lit.value[1932U] = 0U; + lit.value[1933U] = 0U; + lit.value[1934U] = 0U; + lit.value[1935U] = 0U; + lit.value[1936U] = 0U; + lit.value[1937U] = 0U; + lit.value[1938U] = 0U; + lit.value[1939U] = 0U; + lit.value[1940U] = 0U; + lit.value[1941U] = 0U; + lit.value[1942U] = 0U; + lit.value[1943U] = 0U; + lit.value[1944U] = 0U; + lit.value[1945U] = 0U; + lit.value[1946U] = 0U; + lit.value[1947U] = 0U; + lit.value[1948U] = 0U; + lit.value[1949U] = 0U; + lit.value[1950U] = 0U; + lit.value[1951U] = 0U; + lit.value[1952U] = 0U; + lit.value[1953U] = 0U; + lit.value[1954U] = 0U; + lit.value[1955U] = 0U; + lit.value[1956U] = 0U; + lit.value[1957U] = 0U; + lit.value[1958U] = 0U; + lit.value[1959U] = 0U; + lit.value[1960U] = 0U; + lit.value[1961U] = 0U; + lit.value[1962U] = 0U; + lit.value[1963U] = 0U; + lit.value[1964U] = 0U; + lit.value[1965U] = 0U; + lit.value[1966U] = 0U; + lit.value[1967U] = 0U; + lit.value[1968U] = 0U; + lit.value[1969U] = 0U; + lit.value[1970U] = 0U; + lit.value[1971U] = 0U; + lit.value[1972U] = 0U; + lit.value[1973U] = 0U; + lit.value[1974U] = 0U; + lit.value[1975U] = 0U; + lit.value[1976U] = 0U; + lit.value[1977U] = 0U; + lit.value[1978U] = 0U; + lit.value[1979U] = 0U; + lit.value[1980U] = 0U; + lit.value[1981U] = 0U; + lit.value[1982U] = 0U; + lit.value[1983U] = 0U; + lit.value[1984U] = 0U; + lit.value[1985U] = 0U; + lit.value[1986U] = 0U; + lit.value[1987U] = 0U; + lit.value[1988U] = 0U; + lit.value[1989U] = 0U; + lit.value[1990U] = 0U; + lit.value[1991U] = 0U; + lit.value[1992U] = 0U; + lit.value[1993U] = 0U; + lit.value[1994U] = 0U; + lit.value[1995U] = 0U; + lit.value[1996U] = 0U; + lit.value[1997U] = 0U; + lit.value[1998U] = 0U; + lit.value[1999U] = 0U; + lit.value[2000U] = 0U; + lit.value[2001U] = 0U; + lit.value[2002U] = 0U; + lit.value[2003U] = 0U; + lit.value[2004U] = 0U; + lit.value[2005U] = 0U; + lit.value[2006U] = 0U; + lit.value[2007U] = 0U; + lit.value[2008U] = 0U; + lit.value[2009U] = 0U; + lit.value[2010U] = 0U; + lit.value[2011U] = 0U; + lit.value[2012U] = 0U; + lit.value[2013U] = 0U; + lit.value[2014U] = 0U; + lit.value[2015U] = 0U; + lit.value[2016U] = 0U; + lit.value[2017U] = 0U; + lit.value[2018U] = 0U; + lit.value[2019U] = 0U; + lit.value[2020U] = 0U; + lit.value[2021U] = 0U; + lit.value[2022U] = 0U; + lit.value[2023U] = 0U; + lit.value[2024U] = 0U; + lit.value[2025U] = 0U; + lit.value[2026U] = 0U; + lit.value[2027U] = 0U; + lit.value[2028U] = 0U; + lit.value[2029U] = 0U; + lit.value[2030U] = 0U; + lit.value[2031U] = 0U; + lit.value[2032U] = 0U; + lit.value[2033U] = 0U; + lit.value[2034U] = 0U; + lit.value[2035U] = 0U; + lit.value[2036U] = 0U; + lit.value[2037U] = 0U; + lit.value[2038U] = 0U; + lit.value[2039U] = 0U; + lit.value[2040U] = 0U; + lit.value[2041U] = 0U; + lit.value[2042U] = 0U; + lit.value[2043U] = 0U; + lit.value[2044U] = 0U; + lit.value[2045U] = 0U; + lit.value[2046U] = 0U; + lit.value[2047U] = 0U; + lit.value[2048U] = 0U; + lit.value[2049U] = 0U; + lit.value[2050U] = 0U; + lit.value[2051U] = 0U; + lit.value[2052U] = 0U; + lit.value[2053U] = 0U; + lit.value[2054U] = 0U; + lit.value[2055U] = 0U; + lit.value[2056U] = 0U; + lit.value[2057U] = 0U; + lit.value[2058U] = 0U; + lit.value[2059U] = 0U; + lit.value[2060U] = 0U; + lit.value[2061U] = 0U; + lit.value[2062U] = 0U; + lit.value[2063U] = 0U; + lit.value[2064U] = 0U; + lit.value[2065U] = 0U; + lit.value[2066U] = 0U; + lit.value[2067U] = 0U; + lit.value[2068U] = 0U; + lit.value[2069U] = 0U; + lit.value[2070U] = 0U; + lit.value[2071U] = 0U; + lit.value[2072U] = 0U; + lit.value[2073U] = 0U; + lit.value[2074U] = 0U; + lit.value[2075U] = 0U; + lit.value[2076U] = 0U; + lit.value[2077U] = 0U; + lit.value[2078U] = 0U; + lit.value[2079U] = 0U; + lit.value[2080U] = 0U; + lit.value[2081U] = 0U; + lit.value[2082U] = 0U; + lit.value[2083U] = 0U; + lit.value[2084U] = 0U; + lit.value[2085U] = 0U; + lit.value[2086U] = 0U; + lit.value[2087U] = 0U; + lit.value[2088U] = 0U; + lit.value[2089U] = 0U; + lit.value[2090U] = 0U; + lit.value[2091U] = 0U; + lit.value[2092U] = 0U; + lit.value[2093U] = 0U; + lit.value[2094U] = 0U; + lit.value[2095U] = 0U; + lit.value[2096U] = 0U; + lit.value[2097U] = 0U; + lit.value[2098U] = 0U; + lit.value[2099U] = 0U; + lit.value[2100U] = 0U; + lit.value[2101U] = 0U; + lit.value[2102U] = 0U; + lit.value[2103U] = 0U; + lit.value[2104U] = 0U; + lit.value[2105U] = 0U; + lit.value[2106U] = 0U; + lit.value[2107U] = 0U; + lit.value[2108U] = 0U; + lit.value[2109U] = 0U; + lit.value[2110U] = 0U; + lit.value[2111U] = 0U; + lit.value[2112U] = 0U; + lit.value[2113U] = 0U; + lit.value[2114U] = 0U; + lit.value[2115U] = 0U; + lit.value[2116U] = 0U; + lit.value[2117U] = 0U; + lit.value[2118U] = 0U; + lit.value[2119U] = 0U; + lit.value[2120U] = 0U; + lit.value[2121U] = 0U; + lit.value[2122U] = 0U; + lit.value[2123U] = 0U; + lit.value[2124U] = 0U; + lit.value[2125U] = 0U; + lit.value[2126U] = 0U; + lit.value[2127U] = 0U; + lit.value[2128U] = 0U; + lit.value[2129U] = 0U; + lit.value[2130U] = 0U; + lit.value[2131U] = 0U; + lit.value[2132U] = 0U; + lit.value[2133U] = 0U; + lit.value[2134U] = 0U; + lit.value[2135U] = 0U; + lit.value[2136U] = 0U; + lit.value[2137U] = 0U; + lit.value[2138U] = 0U; + lit.value[2139U] = 0U; + lit.value[2140U] = 0U; + lit.value[2141U] = 0U; + lit.value[2142U] = 0U; + lit.value[2143U] = 0U; + lit.value[2144U] = 0U; + lit.value[2145U] = 0U; + lit.value[2146U] = 0U; + lit.value[2147U] = 0U; + lit.value[2148U] = 0U; + lit.value[2149U] = 0U; + lit.value[2150U] = 0U; + lit.value[2151U] = 0U; + lit.value[2152U] = 0U; + lit.value[2153U] = 0U; + lit.value[2154U] = 0U; + lit.value[2155U] = 0U; + lit.value[2156U] = 0U; + lit.value[2157U] = 0U; + lit.value[2158U] = 0U; + lit.value[2159U] = 0U; + lit.value[2160U] = 0U; + lit.value[2161U] = 0U; + lit.value[2162U] = 0U; + lit.value[2163U] = 0U; + lit.value[2164U] = 0U; + lit.value[2165U] = 0U; + lit.value[2166U] = 0U; + lit.value[2167U] = 0U; + lit.value[2168U] = 0U; + lit.value[2169U] = 0U; + lit.value[2170U] = 0U; + lit.value[2171U] = 0U; + lit.value[2172U] = 0U; + lit.value[2173U] = 0U; + lit.value[2174U] = 0U; + lit.value[2175U] = 0U; + lit.value[2176U] = 0U; + lit.value[2177U] = 0U; + lit.value[2178U] = 0U; + lit.value[2179U] = 0U; + lit.value[2180U] = 0U; + lit.value[2181U] = 0U; + lit.value[2182U] = 0U; + lit.value[2183U] = 0U; + lit.value[2184U] = 0U; + lit.value[2185U] = 0U; + lit.value[2186U] = 0U; + lit.value[2187U] = 0U; + lit.value[2188U] = 0U; + lit.value[2189U] = 0U; + lit.value[2190U] = 0U; + lit.value[2191U] = 0U; + lit.value[2192U] = 0U; + lit.value[2193U] = 0U; + lit.value[2194U] = 0U; + lit.value[2195U] = 0U; + lit.value[2196U] = 0U; + lit.value[2197U] = 0U; + lit.value[2198U] = 0U; + lit.value[2199U] = 0U; + lit.value[2200U] = 0U; + lit.value[2201U] = 0U; + lit.value[2202U] = 0U; + lit.value[2203U] = 0U; + lit.value[2204U] = 0U; + lit.value[2205U] = 0U; + lit.value[2206U] = 0U; + lit.value[2207U] = 0U; + lit.value[2208U] = 0U; + lit.value[2209U] = 0U; + lit.value[2210U] = 0U; + lit.value[2211U] = 0U; + lit.value[2212U] = 0U; + lit.value[2213U] = 0U; + lit.value[2214U] = 0U; + lit.value[2215U] = 0U; + lit.value[2216U] = 0U; + lit.value[2217U] = 0U; + lit.value[2218U] = 0U; + lit.value[2219U] = 0U; + lit.value[2220U] = 0U; + lit.value[2221U] = 0U; + lit.value[2222U] = 0U; + lit.value[2223U] = 0U; + lit.value[2224U] = 0U; + lit.value[2225U] = 0U; + lit.value[2226U] = 0U; + lit.value[2227U] = 0U; + lit.value[2228U] = 0U; + lit.value[2229U] = 0U; + lit.value[2230U] = 0U; + lit.value[2231U] = 0U; + lit.value[2232U] = 0U; + lit.value[2233U] = 0U; + lit.value[2234U] = 0U; + lit.value[2235U] = 0U; + lit.value[2236U] = 0U; + lit.value[2237U] = 0U; + lit.value[2238U] = 0U; + lit.value[2239U] = 0U; + lit.value[2240U] = 0U; + lit.value[2241U] = 0U; + lit.value[2242U] = 0U; + lit.value[2243U] = 0U; + lit.value[2244U] = 0U; + lit.value[2245U] = 0U; + lit.value[2246U] = 0U; + lit.value[2247U] = 0U; + lit.value[2248U] = 0U; + lit.value[2249U] = 0U; + lit.value[2250U] = 0U; + lit.value[2251U] = 0U; + lit.value[2252U] = 0U; + lit.value[2253U] = 0U; + lit.value[2254U] = 0U; + lit.value[2255U] = 0U; + lit.value[2256U] = 0U; + lit.value[2257U] = 0U; + lit.value[2258U] = 0U; + lit.value[2259U] = 0U; + lit.value[2260U] = 0U; + lit.value[2261U] = 0U; + lit.value[2262U] = 0U; + lit.value[2263U] = 0U; + lit.value[2264U] = 0U; + lit.value[2265U] = 0U; + lit.value[2266U] = 0U; + lit.value[2267U] = 0U; + lit.value[2268U] = 0U; + lit.value[2269U] = 0U; + lit.value[2270U] = 0U; + lit.value[2271U] = 0U; + lit.value[2272U] = 0U; + lit.value[2273U] = 0U; + lit.value[2274U] = 0U; + lit.value[2275U] = 0U; + lit.value[2276U] = 0U; + lit.value[2277U] = 0U; + lit.value[2278U] = 0U; + lit.value[2279U] = 0U; + lit.value[2280U] = 0U; + lit.value[2281U] = 0U; + lit.value[2282U] = 0U; + lit.value[2283U] = 0U; + lit.value[2284U] = 0U; + lit.value[2285U] = 0U; + lit.value[2286U] = 0U; + lit.value[2287U] = 0U; + lit.value[2288U] = 0U; + lit.value[2289U] = 0U; + lit.value[2290U] = 0U; + lit.value[2291U] = 0U; + lit.value[2292U] = 0U; + lit.value[2293U] = 0U; + lit.value[2294U] = 0U; + lit.value[2295U] = 0U; + lit.value[2296U] = 0U; + lit.value[2297U] = 0U; + lit.value[2298U] = 0U; + lit.value[2299U] = 0U; + lit.value[2300U] = 0U; + lit.value[2301U] = 0U; + lit.value[2302U] = 0U; + lit.value[2303U] = 0U; + lit.value[2304U] = 0U; + lit.value[2305U] = 0U; + lit.value[2306U] = 0U; + lit.value[2307U] = 0U; + lit.value[2308U] = 0U; + lit.value[2309U] = 0U; + lit.value[2310U] = 0U; + lit.value[2311U] = 0U; + lit.value[2312U] = 0U; + lit.value[2313U] = 0U; + lit.value[2314U] = 0U; + lit.value[2315U] = 0U; + lit.value[2316U] = 0U; + lit.value[2317U] = 0U; + lit.value[2318U] = 0U; + lit.value[2319U] = 0U; + lit.value[2320U] = 0U; + lit.value[2321U] = 0U; + lit.value[2322U] = 0U; + lit.value[2323U] = 0U; + lit.value[2324U] = 0U; + lit.value[2325U] = 0U; + lit.value[2326U] = 0U; + lit.value[2327U] = 0U; + lit.value[2328U] = 0U; + lit.value[2329U] = 0U; + lit.value[2330U] = 0U; + lit.value[2331U] = 0U; + lit.value[2332U] = 0U; + lit.value[2333U] = 0U; + lit.value[2334U] = 0U; + lit.value[2335U] = 0U; + lit.value[2336U] = 0U; + lit.value[2337U] = 0U; + lit.value[2338U] = 0U; + lit.value[2339U] = 0U; + lit.value[2340U] = 0U; + lit.value[2341U] = 0U; + lit.value[2342U] = 0U; + lit.value[2343U] = 0U; + lit.value[2344U] = 0U; + lit.value[2345U] = 0U; + lit.value[2346U] = 0U; + lit.value[2347U] = 0U; + lit.value[2348U] = 0U; + lit.value[2349U] = 0U; + lit.value[2350U] = 0U; + lit.value[2351U] = 0U; + lit.value[2352U] = 0U; + lit.value[2353U] = 0U; + lit.value[2354U] = 0U; + lit.value[2355U] = 0U; + lit.value[2356U] = 0U; + lit.value[2357U] = 0U; + lit.value[2358U] = 0U; + lit.value[2359U] = 0U; + lit.value[2360U] = 0U; + lit.value[2361U] = 0U; + lit.value[2362U] = 0U; + lit.value[2363U] = 0U; + lit.value[2364U] = 0U; + lit.value[2365U] = 0U; + lit.value[2366U] = 0U; + lit.value[2367U] = 0U; + lit.value[2368U] = 0U; + lit.value[2369U] = 0U; + lit.value[2370U] = 0U; + lit.value[2371U] = 0U; + lit.value[2372U] = 0U; + lit.value[2373U] = 0U; + lit.value[2374U] = 0U; + lit.value[2375U] = 0U; + lit.value[2376U] = 0U; + lit.value[2377U] = 0U; + lit.value[2378U] = 0U; + lit.value[2379U] = 0U; + lit.value[2380U] = 0U; + lit.value[2381U] = 0U; + lit.value[2382U] = 0U; + lit.value[2383U] = 0U; + lit.value[2384U] = 0U; + lit.value[2385U] = 0U; + lit.value[2386U] = 0U; + lit.value[2387U] = 0U; + lit.value[2388U] = 0U; + lit.value[2389U] = 0U; + lit.value[2390U] = 0U; + lit.value[2391U] = 0U; + lit.value[2392U] = 0U; + lit.value[2393U] = 0U; + lit.value[2394U] = 0U; + lit.value[2395U] = 0U; + lit.value[2396U] = 0U; + lit.value[2397U] = 0U; + lit.value[2398U] = 0U; + lit.value[2399U] = 0U; + lit.value[2400U] = 0U; + lit.value[2401U] = 0U; + lit.value[2402U] = 0U; + lit.value[2403U] = 0U; + lit.value[2404U] = 0U; + lit.value[2405U] = 0U; + lit.value[2406U] = 0U; + lit.value[2407U] = 0U; + lit.value[2408U] = 0U; + lit.value[2409U] = 0U; + lit.value[2410U] = 0U; + lit.value[2411U] = 0U; + lit.value[2412U] = 0U; + lit.value[2413U] = 0U; + lit.value[2414U] = 0U; + lit.value[2415U] = 0U; + lit.value[2416U] = 0U; + lit.value[2417U] = 0U; + lit.value[2418U] = 0U; + lit.value[2419U] = 0U; + lit.value[2420U] = 0U; + lit.value[2421U] = 0U; + lit.value[2422U] = 0U; + lit.value[2423U] = 0U; + lit.value[2424U] = 0U; + lit.value[2425U] = 0U; + lit.value[2426U] = 0U; + lit.value[2427U] = 0U; + lit.value[2428U] = 0U; + lit.value[2429U] = 0U; + lit.value[2430U] = 0U; + lit.value[2431U] = 0U; + lit.value[2432U] = 0U; + lit.value[2433U] = 0U; + lit.value[2434U] = 0U; + lit.value[2435U] = 0U; + lit.value[2436U] = 0U; + lit.value[2437U] = 0U; + lit.value[2438U] = 0U; + lit.value[2439U] = 0U; + lit.value[2440U] = 0U; + lit.value[2441U] = 0U; + lit.value[2442U] = 0U; + lit.value[2443U] = 0U; + lit.value[2444U] = 0U; + lit.value[2445U] = 0U; + lit.value[2446U] = 0U; + lit.value[2447U] = 0U; + lit.value[2448U] = 0U; + lit.value[2449U] = 0U; + lit.value[2450U] = 0U; + lit.value[2451U] = 0U; + lit.value[2452U] = 0U; + lit.value[2453U] = 0U; + lit.value[2454U] = 0U; + lit.value[2455U] = 0U; + lit.value[2456U] = 0U; + lit.value[2457U] = 0U; + lit.value[2458U] = 0U; + lit.value[2459U] = 0U; + lit.value[2460U] = 0U; + lit.value[2461U] = 0U; + lit.value[2462U] = 0U; + lit.value[2463U] = 0U; + lit.value[2464U] = 0U; + lit.value[2465U] = 0U; + lit.value[2466U] = 0U; + lit.value[2467U] = 0U; + lit.value[2468U] = 0U; + lit.value[2469U] = 0U; + lit.value[2470U] = 0U; + lit.value[2471U] = 0U; + lit.value[2472U] = 0U; + lit.value[2473U] = 0U; + lit.value[2474U] = 0U; + lit.value[2475U] = 0U; + lit.value[2476U] = 0U; + lit.value[2477U] = 0U; + lit.value[2478U] = 0U; + lit.value[2479U] = 0U; + lit.value[2480U] = 0U; + lit.value[2481U] = 0U; + lit.value[2482U] = 0U; + lit.value[2483U] = 0U; + lit.value[2484U] = 0U; + lit.value[2485U] = 0U; + lit.value[2486U] = 0U; + lit.value[2487U] = 0U; + lit.value[2488U] = 0U; + lit.value[2489U] = 0U; + lit.value[2490U] = 0U; + lit.value[2491U] = 0U; + lit.value[2492U] = 0U; + lit.value[2493U] = 0U; + lit.value[2494U] = 0U; + lit.value[2495U] = 0U; + lit.value[2496U] = 0U; + lit.value[2497U] = 0U; + lit.value[2498U] = 0U; + lit.value[2499U] = 0U; + lit.value[2500U] = 0U; + lit.value[2501U] = 0U; + lit.value[2502U] = 0U; + lit.value[2503U] = 0U; + lit.value[2504U] = 0U; + lit.value[2505U] = 0U; + lit.value[2506U] = 0U; + lit.value[2507U] = 0U; + lit.value[2508U] = 0U; + lit.value[2509U] = 0U; + lit.value[2510U] = 0U; + lit.value[2511U] = 0U; + lit.value[2512U] = 0U; + lit.value[2513U] = 0U; + lit.value[2514U] = 0U; + lit.value[2515U] = 0U; + lit.value[2516U] = 0U; + lit.value[2517U] = 0U; + lit.value[2518U] = 0U; + lit.value[2519U] = 0U; + lit.value[2520U] = 0U; + lit.value[2521U] = 0U; + lit.value[2522U] = 0U; + lit.value[2523U] = 0U; + lit.value[2524U] = 0U; + lit.value[2525U] = 0U; + lit.value[2526U] = 0U; + lit.value[2527U] = 0U; + lit.value[2528U] = 0U; + lit.value[2529U] = 0U; + lit.value[2530U] = 0U; + lit.value[2531U] = 0U; + lit.value[2532U] = 0U; + lit.value[2533U] = 0U; + lit.value[2534U] = 0U; + lit.value[2535U] = 0U; + lit.value[2536U] = 0U; + lit.value[2537U] = 0U; + lit.value[2538U] = 0U; + lit.value[2539U] = 0U; + lit.value[2540U] = 0U; + lit.value[2541U] = 0U; + lit.value[2542U] = 0U; + lit.value[2543U] = 0U; + lit.value[2544U] = 0U; + lit.value[2545U] = 0U; + lit.value[2546U] = 0U; + lit.value[2547U] = 0U; + lit.value[2548U] = 0U; + lit.value[2549U] = 0U; + lit.value[2550U] = 0U; + lit.value[2551U] = 0U; + lit.value[2552U] = 0U; + lit.value[2553U] = 0U; + lit.value[2554U] = 0U; + lit.value[2555U] = 0U; + lit.value[2556U] = 0U; + lit.value[2557U] = 0U; + lit.value[2558U] = 0U; + lit.value[2559U] = 0U; + lit.value[2560U] = 0U; + lit.value[2561U] = 0U; + lit.value[2562U] = 0U; + lit.value[2563U] = 0U; + lit.value[2564U] = 0U; + lit.value[2565U] = 0U; + lit.value[2566U] = 0U; + lit.value[2567U] = 0U; + lit.value[2568U] = 0U; + lit.value[2569U] = 0U; + lit.value[2570U] = 0U; + lit.value[2571U] = 0U; + lit.value[2572U] = 0U; + lit.value[2573U] = 0U; + lit.value[2574U] = 0U; + lit.value[2575U] = 0U; + lit.value[2576U] = 0U; + lit.value[2577U] = 0U; + lit.value[2578U] = 0U; + lit.value[2579U] = 0U; + lit.value[2580U] = 0U; + lit.value[2581U] = 0U; + lit.value[2582U] = 0U; + lit.value[2583U] = 0U; + lit.value[2584U] = 0U; + lit.value[2585U] = 0U; + lit.value[2586U] = 0U; + lit.value[2587U] = 0U; + lit.value[2588U] = 0U; + lit.value[2589U] = 0U; + lit.value[2590U] = 0U; + lit.value[2591U] = 0U; + lit.value[2592U] = 0U; + lit.value[2593U] = 0U; + lit.value[2594U] = 0U; + lit.value[2595U] = 0U; + lit.value[2596U] = 0U; + lit.value[2597U] = 0U; + lit.value[2598U] = 0U; + lit.value[2599U] = 0U; + lit.value[2600U] = 0U; + lit.value[2601U] = 0U; + lit.value[2602U] = 0U; + lit.value[2603U] = 0U; + lit.value[2604U] = 0U; + lit.value[2605U] = 0U; + lit.value[2606U] = 0U; + lit.value[2607U] = 0U; + lit.value[2608U] = 0U; + lit.value[2609U] = 0U; + lit.value[2610U] = 0U; + lit.value[2611U] = 0U; + lit.value[2612U] = 0U; + lit.value[2613U] = 0U; + lit.value[2614U] = 0U; + lit.value[2615U] = 0U; + lit.value[2616U] = 0U; + lit.value[2617U] = 0U; + lit.value[2618U] = 0U; + lit.value[2619U] = 0U; + lit.value[2620U] = 0U; + lit.value[2621U] = 0U; + lit.value[2622U] = 0U; + lit.value[2623U] = 0U; + lit.value[2624U] = 0U; + lit.value[2625U] = 0U; + lit.value[2626U] = 0U; + lit.value[2627U] = 0U; + lit.value[2628U] = 0U; + lit.value[2629U] = 0U; + lit.value[2630U] = 0U; + lit.value[2631U] = 0U; + lit.value[2632U] = 0U; + lit.value[2633U] = 0U; + lit.value[2634U] = 0U; + lit.value[2635U] = 0U; + lit.value[2636U] = 0U; + lit.value[2637U] = 0U; + lit.value[2638U] = 0U; + lit.value[2639U] = 0U; + lit.value[2640U] = 0U; + lit.value[2641U] = 0U; + lit.value[2642U] = 0U; + lit.value[2643U] = 0U; + lit.value[2644U] = 0U; + lit.value[2645U] = 0U; + lit.value[2646U] = 0U; + lit.value[2647U] = 0U; + lit.value[2648U] = 0U; + lit.value[2649U] = 0U; + lit.value[2650U] = 0U; + lit.value[2651U] = 0U; + lit.value[2652U] = 0U; + lit.value[2653U] = 0U; + lit.value[2654U] = 0U; + lit.value[2655U] = 0U; + lit.value[2656U] = 0U; + lit.value[2657U] = 0U; + lit.value[2658U] = 0U; + lit.value[2659U] = 0U; + lit.value[2660U] = 0U; + lit.value[2661U] = 0U; + lit.value[2662U] = 0U; + lit.value[2663U] = 0U; + lit.value[2664U] = 0U; + lit.value[2665U] = 0U; + lit.value[2666U] = 0U; + lit.value[2667U] = 0U; + lit.value[2668U] = 0U; + lit.value[2669U] = 0U; + lit.value[2670U] = 0U; + lit.value[2671U] = 0U; + lit.value[2672U] = 0U; + lit.value[2673U] = 0U; + lit.value[2674U] = 0U; + lit.value[2675U] = 0U; + lit.value[2676U] = 0U; + lit.value[2677U] = 0U; + lit.value[2678U] = 0U; + lit.value[2679U] = 0U; + lit.value[2680U] = 0U; + lit.value[2681U] = 0U; + lit.value[2682U] = 0U; + lit.value[2683U] = 0U; + lit.value[2684U] = 0U; + lit.value[2685U] = 0U; + lit.value[2686U] = 0U; + lit.value[2687U] = 0U; + lit.value[2688U] = 0U; + lit.value[2689U] = 0U; + lit.value[2690U] = 0U; + lit.value[2691U] = 0U; + lit.value[2692U] = 0U; + lit.value[2693U] = 0U; + lit.value[2694U] = 0U; + lit.value[2695U] = 0U; + lit.value[2696U] = 0U; + lit.value[2697U] = 0U; + lit.value[2698U] = 0U; + lit.value[2699U] = 0U; + lit.value[2700U] = 0U; + lit.value[2701U] = 0U; + lit.value[2702U] = 0U; + lit.value[2703U] = 0U; + lit.value[2704U] = 0U; + lit.value[2705U] = 0U; + lit.value[2706U] = 0U; + lit.value[2707U] = 0U; + lit.value[2708U] = 0U; + lit.value[2709U] = 0U; + lit.value[2710U] = 0U; + lit.value[2711U] = 0U; + lit.value[2712U] = 0U; + lit.value[2713U] = 0U; + lit.value[2714U] = 0U; + lit.value[2715U] = 0U; + lit.value[2716U] = 0U; + lit.value[2717U] = 0U; + lit.value[2718U] = 0U; + lit.value[2719U] = 0U; + lit.value[2720U] = 0U; + lit.value[2721U] = 0U; + lit.value[2722U] = 0U; + lit.value[2723U] = 0U; + lit.value[2724U] = 0U; + lit.value[2725U] = 0U; + lit.value[2726U] = 0U; + lit.value[2727U] = 0U; + lit.value[2728U] = 0U; + lit.value[2729U] = 0U; + lit.value[2730U] = 0U; + lit.value[2731U] = 0U; + lit.value[2732U] = 0U; + lit.value[2733U] = 0U; + lit.value[2734U] = 0U; + lit.value[2735U] = 0U; + lit.value[2736U] = 0U; + lit.value[2737U] = 0U; + lit.value[2738U] = 0U; + lit.value[2739U] = 0U; + lit.value[2740U] = 0U; + lit.value[2741U] = 0U; + lit.value[2742U] = 0U; + lit.value[2743U] = 0U; + lit.value[2744U] = 0U; + lit.value[2745U] = 0U; + lit.value[2746U] = 0U; + lit.value[2747U] = 0U; + lit.value[2748U] = 0U; + lit.value[2749U] = 0U; + lit.value[2750U] = 0U; + lit.value[2751U] = 0U; + lit.value[2752U] = 0U; + lit.value[2753U] = 0U; + lit.value[2754U] = 0U; + lit.value[2755U] = 0U; + lit.value[2756U] = 0U; + lit.value[2757U] = 0U; + lit.value[2758U] = 0U; + lit.value[2759U] = 0U; + lit.value[2760U] = 0U; + lit.value[2761U] = 0U; + lit.value[2762U] = 0U; + lit.value[2763U] = 0U; + lit.value[2764U] = 0U; + lit.value[2765U] = 0U; + lit.value[2766U] = 0U; + lit.value[2767U] = 0U; + lit.value[2768U] = 0U; + lit.value[2769U] = 0U; + lit.value[2770U] = 0U; + lit.value[2771U] = 0U; + lit.value[2772U] = 0U; + lit.value[2773U] = 0U; + lit.value[2774U] = 0U; + lit.value[2775U] = 0U; + lit.value[2776U] = 0U; + lit.value[2777U] = 0U; + lit.value[2778U] = 0U; + lit.value[2779U] = 0U; + lit.value[2780U] = 0U; + lit.value[2781U] = 0U; + lit.value[2782U] = 0U; + lit.value[2783U] = 0U; + lit.value[2784U] = 0U; + lit.value[2785U] = 0U; + lit.value[2786U] = 0U; + lit.value[2787U] = 0U; + lit.value[2788U] = 0U; + lit.value[2789U] = 0U; + lit.value[2790U] = 0U; + lit.value[2791U] = 0U; + lit.value[2792U] = 0U; + lit.value[2793U] = 0U; + lit.value[2794U] = 0U; + lit.value[2795U] = 0U; + lit.value[2796U] = 0U; + lit.value[2797U] = 0U; + lit.value[2798U] = 0U; + lit.value[2799U] = 0U; + lit.value[2800U] = 0U; + lit.value[2801U] = 0U; + lit.value[2802U] = 0U; + lit.value[2803U] = 0U; + lit.value[2804U] = 0U; + lit.value[2805U] = 0U; + lit.value[2806U] = 0U; + lit.value[2807U] = 0U; + lit.value[2808U] = 0U; + lit.value[2809U] = 0U; + lit.value[2810U] = 0U; + lit.value[2811U] = 0U; + lit.value[2812U] = 0U; + lit.value[2813U] = 0U; + lit.value[2814U] = 0U; + lit.value[2815U] = 0U; + lit.value[2816U] = 0U; + lit.value[2817U] = 0U; + lit.value[2818U] = 0U; + lit.value[2819U] = 0U; + lit.value[2820U] = 0U; + lit.value[2821U] = 0U; + lit.value[2822U] = 0U; + lit.value[2823U] = 0U; + lit.value[2824U] = 0U; + lit.value[2825U] = 0U; + lit.value[2826U] = 0U; + lit.value[2827U] = 0U; + lit.value[2828U] = 0U; + lit.value[2829U] = 0U; + lit.value[2830U] = 0U; + lit.value[2831U] = 0U; + lit.value[2832U] = 0U; + lit.value[2833U] = 0U; + lit.value[2834U] = 0U; + lit.value[2835U] = 0U; + lit.value[2836U] = 0U; + lit.value[2837U] = 0U; + lit.value[2838U] = 0U; + lit.value[2839U] = 0U; + lit.value[2840U] = 0U; + lit.value[2841U] = 0U; + lit.value[2842U] = 0U; + lit.value[2843U] = 0U; + lit.value[2844U] = 0U; + lit.value[2845U] = 0U; + lit.value[2846U] = 0U; + lit.value[2847U] = 0U; + lit.value[2848U] = 0U; + lit.value[2849U] = 0U; + lit.value[2850U] = 0U; + lit.value[2851U] = 0U; + lit.value[2852U] = 0U; + lit.value[2853U] = 0U; + lit.value[2854U] = 0U; + lit.value[2855U] = 0U; + lit.value[2856U] = 0U; + lit.value[2857U] = 0U; + lit.value[2858U] = 0U; + lit.value[2859U] = 0U; + lit.value[2860U] = 0U; + lit.value[2861U] = 0U; + lit.value[2862U] = 0U; + lit.value[2863U] = 0U; + lit.value[2864U] = 0U; + lit.value[2865U] = 0U; + lit.value[2866U] = 0U; + lit.value[2867U] = 0U; + lit.value[2868U] = 0U; + lit.value[2869U] = 0U; + lit.value[2870U] = 0U; + lit.value[2871U] = 0U; + lit.value[2872U] = 0U; + lit.value[2873U] = 0U; + lit.value[2874U] = 0U; + lit.value[2875U] = 0U; + lit.value[2876U] = 0U; + lit.value[2877U] = 0U; + lit.value[2878U] = 0U; + lit.value[2879U] = 0U; + lit.value[2880U] = 0U; + lit.value[2881U] = 0U; + lit.value[2882U] = 0U; + lit.value[2883U] = 0U; + lit.value[2884U] = 0U; + lit.value[2885U] = 0U; + lit.value[2886U] = 0U; + lit.value[2887U] = 0U; + lit.value[2888U] = 0U; + lit.value[2889U] = 0U; + lit.value[2890U] = 0U; + lit.value[2891U] = 0U; + lit.value[2892U] = 0U; + lit.value[2893U] = 0U; + lit.value[2894U] = 0U; + lit.value[2895U] = 0U; + lit.value[2896U] = 0U; + lit.value[2897U] = 0U; + lit.value[2898U] = 0U; + lit.value[2899U] = 0U; + lit.value[2900U] = 0U; + lit.value[2901U] = 0U; + lit.value[2902U] = 0U; + lit.value[2903U] = 0U; + lit.value[2904U] = 0U; + lit.value[2905U] = 0U; + lit.value[2906U] = 0U; + lit.value[2907U] = 0U; + lit.value[2908U] = 0U; + lit.value[2909U] = 0U; + lit.value[2910U] = 0U; + lit.value[2911U] = 0U; + lit.value[2912U] = 0U; + lit.value[2913U] = 0U; + lit.value[2914U] = 0U; + lit.value[2915U] = 0U; + lit.value[2916U] = 0U; + lit.value[2917U] = 0U; + lit.value[2918U] = 0U; + lit.value[2919U] = 0U; + lit.value[2920U] = 0U; + lit.value[2921U] = 0U; + lit.value[2922U] = 0U; + lit.value[2923U] = 0U; + lit.value[2924U] = 0U; + lit.value[2925U] = 0U; + lit.value[2926U] = 0U; + lit.value[2927U] = 0U; + lit.value[2928U] = 0U; + lit.value[2929U] = 0U; + lit.value[2930U] = 0U; + lit.value[2931U] = 0U; + lit.value[2932U] = 0U; + lit.value[2933U] = 0U; + lit.value[2934U] = 0U; + lit.value[2935U] = 0U; + lit.value[2936U] = 0U; + lit.value[2937U] = 0U; + lit.value[2938U] = 0U; + lit.value[2939U] = 0U; + lit.value[2940U] = 0U; + lit.value[2941U] = 0U; + lit.value[2942U] = 0U; + lit.value[2943U] = 0U; + lit.value[2944U] = 0U; + lit.value[2945U] = 0U; + lit.value[2946U] = 0U; + lit.value[2947U] = 0U; + lit.value[2948U] = 0U; + lit.value[2949U] = 0U; + lit.value[2950U] = 0U; + lit.value[2951U] = 0U; + lit.value[2952U] = 0U; + lit.value[2953U] = 0U; + lit.value[2954U] = 0U; + lit.value[2955U] = 0U; + lit.value[2956U] = 0U; + lit.value[2957U] = 0U; + lit.value[2958U] = 0U; + lit.value[2959U] = 0U; + lit.value[2960U] = 0U; + lit.value[2961U] = 0U; + lit.value[2962U] = 0U; + lit.value[2963U] = 0U; + lit.value[2964U] = 0U; + lit.value[2965U] = 0U; + lit.value[2966U] = 0U; + lit.value[2967U] = 0U; + lit.value[2968U] = 0U; + lit.value[2969U] = 0U; + lit.value[2970U] = 0U; + lit.value[2971U] = 0U; + lit.value[2972U] = 0U; + lit.value[2973U] = 0U; + lit.value[2974U] = 0U; + lit.value[2975U] = 0U; + lit.value[2976U] = 0U; + lit.value[2977U] = 0U; + lit.value[2978U] = 0U; + lit.value[2979U] = 0U; + lit.value[2980U] = 0U; + lit.value[2981U] = 0U; + lit.value[2982U] = 0U; + lit.value[2983U] = 0U; + lit.value[2984U] = 0U; + lit.value[2985U] = 0U; + lit.value[2986U] = 0U; + lit.value[2987U] = 0U; + lit.value[2988U] = 0U; + lit.value[2989U] = 0U; + lit.value[2990U] = 0U; + lit.value[2991U] = 0U; + lit.value[2992U] = 0U; + lit.value[2993U] = 0U; + lit.value[2994U] = 0U; + lit.value[2995U] = 0U; + lit.value[2996U] = 0U; + lit.value[2997U] = 0U; + lit.value[2998U] = 0U; + lit.value[2999U] = 0U; + lit.value[3000U] = 0U; + lit.value[3001U] = 0U; + lit.value[3002U] = 0U; + lit.value[3003U] = 0U; + lit.value[3004U] = 0U; + lit.value[3005U] = 0U; + lit.value[3006U] = 0U; + lit.value[3007U] = 0U; + lit.value[3008U] = 0U; + lit.value[3009U] = 0U; + lit.value[3010U] = 0U; + lit.value[3011U] = 0U; + lit.value[3012U] = 0U; + lit.value[3013U] = 0U; + lit.value[3014U] = 0U; + lit.value[3015U] = 0U; + lit.value[3016U] = 0U; + lit.value[3017U] = 0U; + lit.value[3018U] = 0U; + lit.value[3019U] = 0U; + lit.value[3020U] = 0U; + lit.value[3021U] = 0U; + lit.value[3022U] = 0U; + lit.value[3023U] = 0U; + lit.value[3024U] = 0U; + lit.value[3025U] = 0U; + lit.value[3026U] = 0U; + lit.value[3027U] = 0U; + lit.value[3028U] = 0U; + lit.value[3029U] = 0U; + lit.value[3030U] = 0U; + lit.value[3031U] = 0U; + lit.value[3032U] = 0U; + lit.value[3033U] = 0U; + lit.value[3034U] = 0U; + lit.value[3035U] = 0U; + lit.value[3036U] = 0U; + lit.value[3037U] = 0U; + lit.value[3038U] = 0U; + lit.value[3039U] = 0U; + lit.value[3040U] = 0U; + lit.value[3041U] = 0U; + lit.value[3042U] = 0U; + lit.value[3043U] = 0U; + lit.value[3044U] = 0U; + lit.value[3045U] = 0U; + lit.value[3046U] = 0U; + lit.value[3047U] = 0U; + lit.value[3048U] = 0U; + lit.value[3049U] = 0U; + lit.value[3050U] = 0U; + lit.value[3051U] = 0U; + lit.value[3052U] = 0U; + lit.value[3053U] = 0U; + lit.value[3054U] = 0U; + lit.value[3055U] = 0U; + lit.value[3056U] = 0U; + lit.value[3057U] = 0U; + lit.value[3058U] = 0U; + lit.value[3059U] = 0U; + lit.value[3060U] = 0U; + lit.value[3061U] = 0U; + lit.value[3062U] = 0U; + lit.value[3063U] = 0U; + lit.value[3064U] = 0U; + lit.value[3065U] = 0U; + lit.value[3066U] = 0U; + lit.value[3067U] = 0U; + lit.value[3068U] = 0U; + lit.value[3069U] = 0U; + lit.value[3070U] = 0U; + lit.value[3071U] = 0U; + lit.value[3072U] = 0U; + lit.value[3073U] = 0U; + lit.value[3074U] = 0U; + lit.value[3075U] = 0U; + lit.value[3076U] = 0U; + lit.value[3077U] = 0U; + lit.value[3078U] = 0U; + lit.value[3079U] = 0U; + lit.value[3080U] = 0U; + lit.value[3081U] = 0U; + lit.value[3082U] = 0U; + lit.value[3083U] = 0U; + lit.value[3084U] = 0U; + lit.value[3085U] = 0U; + lit.value[3086U] = 0U; + lit.value[3087U] = 0U; + lit.value[3088U] = 0U; + lit.value[3089U] = 0U; + lit.value[3090U] = 0U; + lit.value[3091U] = 0U; + lit.value[3092U] = 0U; + lit.value[3093U] = 0U; + lit.value[3094U] = 0U; + lit.value[3095U] = 0U; + lit.value[3096U] = 0U; + lit.value[3097U] = 0U; + lit.value[3098U] = 0U; + lit.value[3099U] = 0U; + lit.value[3100U] = 0U; + lit.value[3101U] = 0U; + lit.value[3102U] = 0U; + lit.value[3103U] = 0U; + lit.value[3104U] = 0U; + lit.value[3105U] = 0U; + lit.value[3106U] = 0U; + lit.value[3107U] = 0U; + lit.value[3108U] = 0U; + lit.value[3109U] = 0U; + lit.value[3110U] = 0U; + lit.value[3111U] = 0U; + lit.value[3112U] = 0U; + lit.value[3113U] = 0U; + lit.value[3114U] = 0U; + lit.value[3115U] = 0U; + lit.value[3116U] = 0U; + lit.value[3117U] = 0U; + lit.value[3118U] = 0U; + lit.value[3119U] = 0U; + lit.value[3120U] = 0U; + lit.value[3121U] = 0U; + lit.value[3122U] = 0U; + lit.value[3123U] = 0U; + lit.value[3124U] = 0U; + lit.value[3125U] = 0U; + lit.value[3126U] = 0U; + lit.value[3127U] = 0U; + lit.value[3128U] = 0U; + lit.value[3129U] = 0U; + lit.value[3130U] = 0U; + lit.value[3131U] = 0U; + lit.value[3132U] = 0U; + lit.value[3133U] = 0U; + lit.value[3134U] = 0U; + lit.value[3135U] = 0U; + lit.value[3136U] = 0U; + lit.value[3137U] = 0U; + lit.value[3138U] = 0U; + lit.value[3139U] = 0U; + lit.value[3140U] = 0U; + lit.value[3141U] = 0U; + lit.value[3142U] = 0U; + lit.value[3143U] = 0U; + lit.value[3144U] = 0U; + lit.value[3145U] = 0U; + lit.value[3146U] = 0U; + lit.value[3147U] = 0U; + lit.value[3148U] = 0U; + lit.value[3149U] = 0U; + lit.value[3150U] = 0U; + lit.value[3151U] = 0U; + lit.value[3152U] = 0U; + lit.value[3153U] = 0U; + lit.value[3154U] = 0U; + lit.value[3155U] = 0U; + lit.value[3156U] = 0U; + lit.value[3157U] = 0U; + lit.value[3158U] = 0U; + lit.value[3159U] = 0U; + lit.value[3160U] = 0U; + lit.value[3161U] = 0U; + lit.value[3162U] = 0U; + lit.value[3163U] = 0U; + lit.value[3164U] = 0U; + lit.value[3165U] = 0U; + lit.value[3166U] = 0U; + lit.value[3167U] = 0U; + lit.value[3168U] = 0U; + lit.value[3169U] = 0U; + lit.value[3170U] = 0U; + lit.value[3171U] = 0U; + lit.value[3172U] = 0U; + lit.value[3173U] = 0U; + lit.value[3174U] = 0U; + lit.value[3175U] = 0U; + lit.value[3176U] = 0U; + lit.value[3177U] = 0U; + lit.value[3178U] = 0U; + lit.value[3179U] = 0U; + lit.value[3180U] = 0U; + lit.value[3181U] = 0U; + lit.value[3182U] = 0U; + lit.value[3183U] = 0U; + lit.value[3184U] = 0U; + lit.value[3185U] = 0U; + lit.value[3186U] = 0U; + lit.value[3187U] = 0U; + lit.value[3188U] = 0U; + lit.value[3189U] = 0U; + lit.value[3190U] = 0U; + lit.value[3191U] = 0U; + lit.value[3192U] = 0U; + lit.value[3193U] = 0U; + lit.value[3194U] = 0U; + lit.value[3195U] = 0U; + lit.value[3196U] = 0U; + lit.value[3197U] = 0U; + lit.value[3198U] = 0U; + lit.value[3199U] = 0U; + lit.value[3200U] = 0U; + lit.value[3201U] = 0U; + lit.value[3202U] = 0U; + lit.value[3203U] = 0U; + lit.value[3204U] = 0U; + lit.value[3205U] = 0U; + lit.value[3206U] = 0U; + lit.value[3207U] = 0U; + lit.value[3208U] = 0U; + lit.value[3209U] = 0U; + lit.value[3210U] = 0U; + lit.value[3211U] = 0U; + lit.value[3212U] = 0U; + lit.value[3213U] = 0U; + lit.value[3214U] = 0U; + lit.value[3215U] = 0U; + lit.value[3216U] = 0U; + lit.value[3217U] = 0U; + lit.value[3218U] = 0U; + lit.value[3219U] = 0U; + lit.value[3220U] = 0U; + lit.value[3221U] = 0U; + lit.value[3222U] = 0U; + lit.value[3223U] = 0U; + lit.value[3224U] = 0U; + lit.value[3225U] = 0U; + lit.value[3226U] = 0U; + lit.value[3227U] = 0U; + lit.value[3228U] = 0U; + lit.value[3229U] = 0U; + lit.value[3230U] = 0U; + lit.value[3231U] = 0U; + lit.value[3232U] = 0U; + lit.value[3233U] = 0U; + lit.value[3234U] = 0U; + lit.value[3235U] = 0U; + lit.value[3236U] = 0U; + lit.value[3237U] = 0U; + lit.value[3238U] = 0U; + lit.value[3239U] = 0U; + lit.value[3240U] = 0U; + lit.value[3241U] = 0U; + lit.value[3242U] = 0U; + lit.value[3243U] = 0U; + lit.value[3244U] = 0U; + lit.value[3245U] = 0U; + lit.value[3246U] = 0U; + lit.value[3247U] = 0U; + lit.value[3248U] = 0U; + lit.value[3249U] = 0U; + lit.value[3250U] = 0U; + lit.value[3251U] = 0U; + lit.value[3252U] = 0U; + lit.value[3253U] = 0U; + lit.value[3254U] = 0U; + lit.value[3255U] = 0U; + lit.value[3256U] = 0U; + lit.value[3257U] = 0U; + lit.value[3258U] = 0U; + lit.value[3259U] = 0U; + lit.value[3260U] = 0U; + lit.value[3261U] = 0U; + lit.value[3262U] = 0U; + lit.value[3263U] = 0U; + lit.value[3264U] = 0U; + lit.value[3265U] = 0U; + lit.value[3266U] = 0U; + lit.value[3267U] = 0U; + lit.value[3268U] = 0U; + lit.value[3269U] = 0U; + lit.value[3270U] = 0U; + lit.value[3271U] = 0U; + lit.value[3272U] = 0U; + lit.value[3273U] = 0U; + lit.value[3274U] = 0U; + lit.value[3275U] = 0U; + lit.value[3276U] = 0U; + lit.value[3277U] = 0U; + lit.value[3278U] = 0U; + lit.value[3279U] = 0U; + lit.value[3280U] = 0U; + lit.value[3281U] = 0U; + lit.value[3282U] = 0U; + lit.value[3283U] = 0U; + lit.value[3284U] = 0U; + lit.value[3285U] = 0U; + lit.value[3286U] = 0U; + lit.value[3287U] = 0U; + lit.value[3288U] = 0U; + lit.value[3289U] = 0U; + lit.value[3290U] = 0U; + lit.value[3291U] = 0U; + lit.value[3292U] = 0U; + lit.value[3293U] = 0U; + lit.value[3294U] = 0U; + lit.value[3295U] = 0U; + lit.value[3296U] = 0U; + lit.value[3297U] = 0U; + lit.value[3298U] = 0U; + lit.value[3299U] = 0U; + lit.value[3300U] = 0U; + lit.value[3301U] = 0U; + lit.value[3302U] = 0U; + lit.value[3303U] = 0U; + lit.value[3304U] = 0U; + lit.value[3305U] = 0U; + lit.value[3306U] = 0U; + lit.value[3307U] = 0U; + lit.value[3308U] = 0U; return lit; } diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h index 2ec0118b2..7a3e81dab 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 + * Libcrux: 66afce2b7d2b86febb97fb1fc5de2fbba7419d74 */ #ifndef __libcrux_mldsa65_avx2_H @@ -4734,6 +4734,21 @@ libcrux_ml_dsa_ml_dsa_65_avx2_generate_key_pair(uint8_t randomness[32U]) { return lit; } +/** + Generate an ML-DSA-65 Key Pair +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_ml_dsa_65_avx2_generate_key_pair_mut( + uint8_t randomness[32U], uint8_t *signing_key, uint8_t *verification_key) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_generate_key_pair( + copy_of_randomness, + Eurydice_array_to_slice((size_t)4032U, signing_key, uint8_t), + Eurydice_array_to_slice((size_t)1952U, verification_key, uint8_t)); +} + /** A monomorphic instance of libcrux_ml_dsa.encoding.error.deserialize with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256 @@ -5694,10 +5709,11 @@ libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_2e +static KRML_MUSTINLINE Result_53 libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_07( Eurydice_slice signing_key, Eurydice_slice message, - Option_84 domain_separation_context, uint8_t randomness[32U]) { + Option_84 domain_separation_context, uint8_t randomness[32U], + uint8_t *signature) { Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( signing_key, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); @@ -5995,12 +6011,11 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_07( } } } - Result_2e uu____8; + Result_53 uu____8; if (commitment_hash0.tag == None) { - uu____8 = (CLITERAL(Result_2e){ + uu____8 = (CLITERAL(Result_53){ .tag = Err, - .val = {.case_Err = - libcrux_ml_dsa_types_SigningError_RejectionSamplingError}}); + .f0 = libcrux_ml_dsa_types_SigningError_RejectionSamplingError}); } else { uint8_t commitment_hash1[48U]; memcpy(commitment_hash1, commitment_hash0.f0, @@ -6008,11 +6023,9 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_07( uint8_t commitment_hash[48U]; memcpy(commitment_hash, commitment_hash1, (size_t)48U * sizeof(uint8_t)); if (signer_response0.tag == None) { - uu____8 = (CLITERAL(Result_2e){ + uu____8 = (CLITERAL(Result_53){ .tag = Err, - .val = { - .case_Err = - libcrux_ml_dsa_types_SigningError_RejectionSamplingError}}); + .f0 = libcrux_ml_dsa_types_SigningError_RejectionSamplingError}); } else { libcrux_ml_dsa_polynomial_PolynomialRingElement_4b signer_response1[5U]; memcpy(signer_response1, signer_response0.f0, @@ -6023,17 +6036,14 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_07( (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_4b)); if (hint0.tag == None) { - uu____8 = (CLITERAL(Result_2e){ + uu____8 = (CLITERAL(Result_53){ .tag = Err, - .val = { - .case_Err = - libcrux_ml_dsa_types_SigningError_RejectionSamplingError}}); + .f0 = libcrux_ml_dsa_types_SigningError_RejectionSamplingError}); } else { int32_t hint1[6U][256U]; memcpy(hint1, hint0.f0, (size_t)6U * sizeof(int32_t[256U])); int32_t hint[6U][256U]; memcpy(hint, hint1, (size_t)6U * sizeof(int32_t[256U])); - uint8_t signature[3309U] = {0U}; libcrux_ml_dsa_encoding_signature_serialize_21( Eurydice_array_to_slice((size_t)48U, commitment_hash, uint8_t), Eurydice_array_to_slice( @@ -6047,13 +6057,7 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_07( LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE, LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_MAX_ONES_IN_HINT, Eurydice_array_to_slice((size_t)3309U, signature, uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_signature[3309U]; - memcpy(copy_of_signature, signature, (size_t)3309U * sizeof(uint8_t)); - Result_2e lit; - lit.tag = Ok; - lit.val.case_Ok = libcrux_ml_dsa_types_new_8f_fa(copy_of_signature); - return lit; + return (CLITERAL(Result_53){.tag = Ok}); } } } @@ -6061,7 +6065,7 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_07( } /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign_mut with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, @@ -6071,18 +6075,18 @@ libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_2e -libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_07(Eurydice_slice signing_key, - Eurydice_slice message, - Eurydice_slice context, - uint8_t randomness[32U]) { +static KRML_MUSTINLINE Result_53 +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_mut_07(Eurydice_slice signing_key, + Eurydice_slice message, + Eurydice_slice context, + uint8_t randomness[32U], + uint8_t *signature) { Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( context, (CLITERAL(Option_30){.tag = None})); if (!(uu____0.tag == Ok)) { - return (CLITERAL(Result_2e){ + return (CLITERAL(Result_53){ .tag = Err, - .val = {.case_Err = - libcrux_ml_dsa_types_SigningError_ContextTooLongError}}); + .f0 = libcrux_ml_dsa_types_SigningError_ContextTooLongError}); } libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = @@ -6094,7 +6098,43 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_07(Eurydice_slice signing_key, uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_07( - uu____1, uu____2, uu____3, copy_of_randomness); + uu____1, uu____2, uu____3, copy_of_randomness, signature); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign +with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256, +libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_07(Eurydice_slice signing_key, + Eurydice_slice message, + Eurydice_slice context, + uint8_t randomness[32U]) { + libcrux_ml_dsa_types_MLDSASignature_8f signature = + libcrux_ml_dsa_types_zero_8f_fa(); + Eurydice_slice uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + Result_53 uu____4 = libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_mut_07( + uu____0, uu____1, uu____2, copy_of_randomness, signature.value); + Result_2e uu____5; + if (uu____4.tag == Ok) { + uu____5 = (CLITERAL(Result_2e){.tag = Ok, .val = {.case_Ok = signature}}); + } else { + libcrux_ml_dsa_types_SigningError e = uu____4.f0; + uu____5 = (CLITERAL(Result_2e){.tag = Err, .val = {.case_Err = e}}); + } + return uu____5; } KRML_ATTRIBUTE_TARGET("avx2") @@ -6152,9 +6192,64 @@ static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign( uu____0, uu____1, uu____2, copy_of_randomness); } +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_53 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_sign_mut__inner( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U], uint8_t *signature) { + Eurydice_slice uu____0 = + Eurydice_array_to_slice((size_t)4032U, signing_key, uint8_t); + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_mut_07( + uu____0, uu____1, uu____2, copy_of_randomness, signature); +} + +/** + Sign. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_53 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_sign_mut( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U], uint8_t *signature) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_sign_mut__inner( + uu____0, uu____1, uu____2, copy_of_randomness, signature); +} + +/** + Generate an ML-DSA-65 Signature + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_53 libcrux_ml_dsa_ml_dsa_65_avx2_sign_mut( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U], uint8_t *signature) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_ml_dsa_65_sign_mut( + uu____0, uu____1, uu____2, copy_of_randomness, signature); +} + /** A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign_pre_hashed with types +libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign_pre_hashed_mut with types libcrux_ml_dsa_simd_avx2_vector_type_Vec256, libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, libcrux_ml_dsa_hash_functions_portable_Shake128, @@ -6166,10 +6261,11 @@ libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_2e -libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_37( +static KRML_MUSTINLINE Result_53 +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_mut_37( Eurydice_slice signing_key, Eurydice_slice message, Eurydice_slice context, - Eurydice_slice pre_hash_buffer, uint8_t randomness[32U]) { + Eurydice_slice pre_hash_buffer, uint8_t randomness[32U], + uint8_t *signature) { if (!(Eurydice_slice_len(context, uint8_t) > LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN)) { libcrux_ml_dsa_pre_hash_hash_3e_cc(message, pre_hash_buffer); @@ -6181,10 +6277,9 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_37( memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t)); Result_a8 uu____1 = libcrux_ml_dsa_pre_hash_new_45(uu____0, lit); if (!(uu____1.tag == Ok)) { - return (CLITERAL(Result_2e){ + return (CLITERAL(Result_53){ .tag = Err, - .val = {.case_Err = - libcrux_ml_dsa_types_SigningError_ContextTooLongError}}); + .f0 = libcrux_ml_dsa_types_SigningError_ContextTooLongError}); } libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____1.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = @@ -6196,12 +6291,51 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_37( uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_07( - uu____2, uu____3, uu____4, copy_of_randomness); + uu____2, uu____3, uu____4, copy_of_randomness, signature); } - return (CLITERAL(Result_2e){ - .tag = Err, - .val = {.case_Err = - libcrux_ml_dsa_types_SigningError_ContextTooLongError}}); + return (CLITERAL(Result_53){ + .tag = Err, .f0 = libcrux_ml_dsa_types_SigningError_ContextTooLongError}); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign_pre_hashed with types +libcrux_ml_dsa_simd_avx2_vector_type_Vec256, +libcrux_ml_dsa_samplex4_avx2_AVX2Sampler, +libcrux_ml_dsa_hash_functions_portable_Shake128, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4, +libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_37( + Eurydice_slice signing_key, Eurydice_slice message, Eurydice_slice context, + Eurydice_slice pre_hash_buffer, uint8_t randomness[32U]) { + libcrux_ml_dsa_types_MLDSASignature_8f signature = + libcrux_ml_dsa_types_zero_8f_fa(); + Eurydice_slice uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + Eurydice_slice uu____3 = pre_hash_buffer; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + Result_53 uu____5 = + libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_mut_37( + uu____0, uu____1, uu____2, uu____3, copy_of_randomness, + signature.value); + Result_2e uu____6; + if (uu____5.tag == Ok) { + uu____6 = (CLITERAL(Result_2e){.tag = Ok, .val = {.case_Ok = signature}}); + } else { + libcrux_ml_dsa_types_SigningError e = uu____5.f0; + uu____6 = (CLITERAL(Result_2e){.tag = Err, .val = {.case_Err = e}}); + } + return uu____6; } KRML_ATTRIBUTE_TARGET("avx2") @@ -6353,14 +6487,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_21( libcrux_ml_dsa_polynomial_PolynomialRingElement_4b *)); } size_t previous_true_hints_seen = (size_t)0U; - size_t i = (size_t)0U; + size_t i0 = (size_t)0U; bool malformed_hint = false; - while (i < rows_in_a) { + while (true) { if (malformed_hint) { break; - } else { + } else if (i0 < rows_in_a) { size_t current_true_hints_seen = (size_t)Eurydice_slice_index( - hint_serialized, max_ones_in_hint + i, uint8_t, uint8_t *); + hint_serialized, max_ones_in_hint + i0, uint8_t, uint8_t *); size_t j; bool uu____2; bool uu____3; @@ -6376,8 +6510,8 @@ libcrux_ml_dsa_encoding_signature_deserialize_21( size_t uu____13; size_t uu____14; bool uu____15; - size_t uu____16; - Eurydice_slice *uu____17; + Eurydice_slice uu____16; + size_t uu____17; size_t uu____18; uint8_t uu____19; size_t uu____20; @@ -6411,15 +6545,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_21( malformed_hint = true; uu____15 = malformed_hint; if (!uu____15) { - uu____16 = i; - uu____17 = &out_hint; + uu____16 = out_hint; + uu____17 = i0; uu____20 = j; uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); uu____18 = (size_t)uu____19; - Eurydice_slice_index(out_hint, uu____16, int32_t[256U], - int32_t(*)[256U])[uu____18] = - (int32_t)1; + libcrux_ml_dsa_encoding_signature_set_hint( + uu____16, uu____17, uu____18); j++; } continue; @@ -6427,14 +6560,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_21( } uu____15 = malformed_hint; if (!uu____15) { - uu____16 = i; - uu____17 = &out_hint; + uu____16 = out_hint; + uu____17 = i0; uu____20 = j; uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); uu____18 = (size_t)uu____19; - Eurydice_slice_index(out_hint, uu____16, int32_t[256U], - int32_t(*)[256U])[uu____18] = (int32_t)1; + libcrux_ml_dsa_encoding_signature_set_hint(uu____16, uu____17, + uu____18); j++; } } else { @@ -6446,7 +6579,7 @@ libcrux_ml_dsa_encoding_signature_deserialize_21( if (!uu____21) { uu____22 = current_true_hints_seen; previous_true_hints_seen = uu____22; - i++; + i0++; } continue; } @@ -6478,14 +6611,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_21( malformed_hint = true; uu____15 = malformed_hint; if (!uu____15) { - uu____16 = i; - uu____17 = &out_hint; + uu____16 = out_hint; + uu____17 = i0; uu____20 = j; uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); uu____18 = (size_t)uu____19; - Eurydice_slice_index(out_hint, uu____16, int32_t[256U], - int32_t(*)[256U])[uu____18] = (int32_t)1; + libcrux_ml_dsa_encoding_signature_set_hint(uu____16, uu____17, + uu____18); j++; } continue; @@ -6493,14 +6626,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_21( } uu____15 = malformed_hint; if (!uu____15) { - uu____16 = i; - uu____17 = &out_hint; + uu____16 = out_hint; + uu____17 = i0; uu____20 = j; uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); uu____18 = (size_t)uu____19; - Eurydice_slice_index(out_hint, uu____16, int32_t[256U], - int32_t(*)[256U])[uu____18] = (int32_t)1; + libcrux_ml_dsa_encoding_signature_set_hint(uu____16, uu____17, + uu____18); j++; } } else { @@ -6512,19 +6645,18 @@ libcrux_ml_dsa_encoding_signature_deserialize_21( if (!uu____21) { uu____22 = current_true_hints_seen; previous_true_hints_seen = uu____22; - i++; + i0++; } + } else { + break; } } - i = previous_true_hints_seen; - while (i < max_ones_in_hint) { - if (malformed_hint) { + i0 = previous_true_hints_seen; + for (size_t i = i0; i < max_ones_in_hint; i++) { + size_t j = i; + if (Eurydice_slice_index(hint_serialized, j, uint8_t, uint8_t *) != 0U) { + malformed_hint = true; break; - } else { - if (Eurydice_slice_index(hint_serialized, i, uint8_t, uint8_t *) != 0U) { - malformed_hint = true; - } - i++; } } if (!malformed_hint) { diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h index 5c1bec2a0..263dd135a 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h @@ -8,7 +8,7 @@ * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 + * Libcrux: 66afce2b7d2b86febb97fb1fc5de2fbba7419d74 */ #ifndef __libcrux_mldsa65_portable_H @@ -188,6 +188,12 @@ libcrux_ml_dsa_encoding_error_chunk_size(libcrux_ml_dsa_constants_Eta eta) { return (size_t)3U; } +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signature_set_hint( + Eurydice_slice out_hint, size_t i, size_t j) { + Eurydice_slice_index(out_hint, i, int32_t[256U], int32_t(*)[256U])[j] = + (int32_t)1; +} + #define LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT ((size_t)13U) #define LIBCRUX_ML_DSA_ENCODING_T1_DESERIALIZE_WINDOW ((size_t)10U) @@ -5774,6 +5780,18 @@ libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(uint8_t randomness[32U]) { return lit; } +/** + Generate an ML-DSA-65 Key Pair +*/ +static inline void libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair_mut( + uint8_t randomness[32U], uint8_t *signing_key, uint8_t *verification_key) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_generate_key_pair( + copy_of_randomness, signing_key, verification_key); +} + /** A monomorphic instance of core.option.Option with types libcrux_ml_dsa_pre_hash_DomainSeparationContext @@ -6770,10 +6788,11 @@ libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics */ -static KRML_MUSTINLINE Result_2e +static KRML_MUSTINLINE Result_53 libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_5a( Eurydice_slice signing_key, Eurydice_slice message, - Option_84 domain_separation_context, uint8_t randomness[32U]) { + Option_84 domain_separation_context, uint8_t randomness[32U], + uint8_t *signature) { Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( signing_key, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); @@ -7071,12 +7090,11 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_5a( } } } - Result_2e uu____8; + Result_53 uu____8; if (commitment_hash0.tag == None) { - uu____8 = (CLITERAL(Result_2e){ + uu____8 = (CLITERAL(Result_53){ .tag = Err, - .val = {.case_Err = - libcrux_ml_dsa_types_SigningError_RejectionSamplingError}}); + .f0 = libcrux_ml_dsa_types_SigningError_RejectionSamplingError}); } else { uint8_t commitment_hash1[48U]; memcpy(commitment_hash1, commitment_hash0.f0, @@ -7084,11 +7102,9 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_5a( uint8_t commitment_hash[48U]; memcpy(commitment_hash, commitment_hash1, (size_t)48U * sizeof(uint8_t)); if (signer_response0.tag == None) { - uu____8 = (CLITERAL(Result_2e){ + uu____8 = (CLITERAL(Result_53){ .tag = Err, - .val = { - .case_Err = - libcrux_ml_dsa_types_SigningError_RejectionSamplingError}}); + .f0 = libcrux_ml_dsa_types_SigningError_RejectionSamplingError}); } else { libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 signer_response1[5U]; memcpy(signer_response1, signer_response0.f0, @@ -7099,17 +7115,14 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_5a( (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_e8)); if (hint0.tag == None) { - uu____8 = (CLITERAL(Result_2e){ + uu____8 = (CLITERAL(Result_53){ .tag = Err, - .val = { - .case_Err = - libcrux_ml_dsa_types_SigningError_RejectionSamplingError}}); + .f0 = libcrux_ml_dsa_types_SigningError_RejectionSamplingError}); } else { int32_t hint1[6U][256U]; memcpy(hint1, hint0.f0, (size_t)6U * sizeof(int32_t[256U])); int32_t hint[6U][256U]; memcpy(hint, hint1, (size_t)6U * sizeof(int32_t[256U])); - uint8_t signature[3309U] = {0U}; libcrux_ml_dsa_encoding_signature_serialize_5b( Eurydice_array_to_slice((size_t)48U, commitment_hash, uint8_t), Eurydice_array_to_slice( @@ -7123,13 +7136,7 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_5a( LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE, LIBCRUX_ML_DSA_CONSTANTS_ML_DSA_65_MAX_ONES_IN_HINT, Eurydice_array_to_slice((size_t)3309U, signature, uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_signature[3309U]; - memcpy(copy_of_signature, signature, (size_t)3309U * sizeof(uint8_t)); - Result_2e lit; - lit.tag = Ok; - lit.val.case_Ok = libcrux_ml_dsa_types_new_8f_fa(copy_of_signature); - return lit; + return (CLITERAL(Result_53){.tag = Ok}); } } } @@ -7137,7 +7144,7 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_5a( } /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign_mut with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients, libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128X4, @@ -7146,18 +7153,18 @@ libcrux_ml_dsa_hash_functions_portable_Shake256Xof, libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics */ -static KRML_MUSTINLINE Result_2e -libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_5a(Eurydice_slice signing_key, - Eurydice_slice message, - Eurydice_slice context, - uint8_t randomness[32U]) { +static KRML_MUSTINLINE Result_53 +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_mut_5a(Eurydice_slice signing_key, + Eurydice_slice message, + Eurydice_slice context, + uint8_t randomness[32U], + uint8_t *signature) { Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( context, (CLITERAL(Option_30){.tag = None})); if (!(uu____0.tag == Ok)) { - return (CLITERAL(Result_2e){ + return (CLITERAL(Result_53){ .tag = Err, - .val = {.case_Err = - libcrux_ml_dsa_types_SigningError_ContextTooLongError}}); + .f0 = libcrux_ml_dsa_types_SigningError_ContextTooLongError}); } libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = @@ -7169,7 +7176,42 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_5a(Eurydice_slice signing_key, uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_5a( - uu____1, uu____2, uu____3, copy_of_randomness); + uu____1, uu____2, uu____3, copy_of_randomness, signature); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign +with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients, +libcrux_ml_dsa_samplex4_portable_PortableSampler, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics + +*/ +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_5a(Eurydice_slice signing_key, + Eurydice_slice message, + Eurydice_slice context, + uint8_t randomness[32U]) { + libcrux_ml_dsa_types_MLDSASignature_8f signature = + libcrux_ml_dsa_types_zero_8f_fa(); + Eurydice_slice uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + Result_53 uu____4 = libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_mut_5a( + uu____0, uu____1, uu____2, copy_of_randomness, signature.value); + Result_2e uu____5; + if (uu____4.tag == Ok) { + uu____5 = (CLITERAL(Result_2e){.tag = Ok, .val = {.case_Ok = signature}}); + } else { + libcrux_ml_dsa_types_SigningError e = uu____4.f0; + uu____5 = (CLITERAL(Result_2e){.tag = Err, .val = {.case_Err = e}}); + } + return uu____5; } /** @@ -7210,6 +7252,44 @@ static inline Result_2e libcrux_ml_dsa_ml_dsa_65_portable_sign( uu____0, uu____1, uu____2, copy_of_randomness); } +/** + Sign. +*/ +static inline Result_53 +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_sign_mut( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U], uint8_t *signature) { + Eurydice_slice uu____0 = + Eurydice_array_to_slice((size_t)4032U, signing_key, uint8_t); + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_mut_5a( + uu____0, uu____1, uu____2, copy_of_randomness, signature); +} + +/** + Generate an ML-DSA-65 Signature + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +static inline Result_53 libcrux_ml_dsa_ml_dsa_65_portable_sign_mut( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U], uint8_t *signature) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_ml_dsa_65_sign_mut( + uu____0, uu____1, uu____2, copy_of_randomness, signature); +} + /** This function found in impl {(libcrux_ml_dsa::pre_hash::PreHash for libcrux_ml_dsa::pre_hash::SHAKE128_PH)} @@ -7227,7 +7307,7 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_pre_hash_hash_3e_cc( /** A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign_pre_hashed with types +libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign_pre_hashed_mut with types libcrux_ml_dsa_simd_portable_vector_type_Coefficients, libcrux_ml_dsa_samplex4_portable_PortableSampler, libcrux_ml_dsa_hash_functions_portable_Shake128, @@ -7238,10 +7318,11 @@ libcrux_ml_dsa_hash_functions_portable_Shake256X4, libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics */ -static KRML_MUSTINLINE Result_2e -libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_3f( +static KRML_MUSTINLINE Result_53 +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_mut_3f( Eurydice_slice signing_key, Eurydice_slice message, Eurydice_slice context, - Eurydice_slice pre_hash_buffer, uint8_t randomness[32U]) { + Eurydice_slice pre_hash_buffer, uint8_t randomness[32U], + uint8_t *signature) { if (!(Eurydice_slice_len(context, uint8_t) > LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN)) { libcrux_ml_dsa_pre_hash_hash_3e_cc(message, pre_hash_buffer); @@ -7253,10 +7334,9 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_3f( memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t)); Result_a8 uu____1 = libcrux_ml_dsa_pre_hash_new_45(uu____0, lit); if (!(uu____1.tag == Ok)) { - return (CLITERAL(Result_2e){ + return (CLITERAL(Result_53){ .tag = Err, - .val = {.case_Err = - libcrux_ml_dsa_types_SigningError_ContextTooLongError}}); + .f0 = libcrux_ml_dsa_types_SigningError_ContextTooLongError}); } libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____1.val.case_Ok; libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = @@ -7268,12 +7348,50 @@ libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_3f( uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); return libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_internal_5a( - uu____2, uu____3, uu____4, copy_of_randomness); + uu____2, uu____3, uu____4, copy_of_randomness, signature); } - return (CLITERAL(Result_2e){ - .tag = Err, - .val = {.case_Err = - libcrux_ml_dsa_types_SigningError_ContextTooLongError}}); + return (CLITERAL(Result_53){ + .tag = Err, .f0 = libcrux_ml_dsa_types_SigningError_ContextTooLongError}); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.ml_dsa_65.sign_pre_hashed with types +libcrux_ml_dsa_simd_portable_vector_type_Coefficients, +libcrux_ml_dsa_samplex4_portable_PortableSampler, +libcrux_ml_dsa_hash_functions_portable_Shake128, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_portable_Shake256X4, +libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics + +*/ +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_3f( + Eurydice_slice signing_key, Eurydice_slice message, Eurydice_slice context, + Eurydice_slice pre_hash_buffer, uint8_t randomness[32U]) { + libcrux_ml_dsa_types_MLDSASignature_8f signature = + libcrux_ml_dsa_types_zero_8f_fa(); + Eurydice_slice uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + Eurydice_slice uu____3 = pre_hash_buffer; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + Result_53 uu____5 = + libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_sign_pre_hashed_mut_3f( + uu____0, uu____1, uu____2, uu____3, copy_of_randomness, + signature.value); + Result_2e uu____6; + if (uu____5.tag == Ok) { + uu____6 = (CLITERAL(Result_2e){.tag = Ok, .val = {.case_Ok = signature}}); + } else { + libcrux_ml_dsa_types_SigningError e = uu____5.f0; + uu____6 = (CLITERAL(Result_2e){.tag = Err, .val = {.case_Err = e}}); + } + return uu____6; } /** @@ -7407,14 +7525,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_5b( libcrux_ml_dsa_polynomial_PolynomialRingElement_e8 *)); } size_t previous_true_hints_seen = (size_t)0U; - size_t i = (size_t)0U; + size_t i0 = (size_t)0U; bool malformed_hint = false; - while (i < rows_in_a) { + while (true) { if (malformed_hint) { break; - } else { + } else if (i0 < rows_in_a) { size_t current_true_hints_seen = (size_t)Eurydice_slice_index( - hint_serialized, max_ones_in_hint + i, uint8_t, uint8_t *); + hint_serialized, max_ones_in_hint + i0, uint8_t, uint8_t *); size_t j; bool uu____2; bool uu____3; @@ -7430,8 +7548,8 @@ libcrux_ml_dsa_encoding_signature_deserialize_5b( size_t uu____13; size_t uu____14; bool uu____15; - size_t uu____16; - Eurydice_slice *uu____17; + Eurydice_slice uu____16; + size_t uu____17; size_t uu____18; uint8_t uu____19; size_t uu____20; @@ -7465,15 +7583,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_5b( malformed_hint = true; uu____15 = malformed_hint; if (!uu____15) { - uu____16 = i; - uu____17 = &out_hint; + uu____16 = out_hint; + uu____17 = i0; uu____20 = j; uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); uu____18 = (size_t)uu____19; - Eurydice_slice_index(out_hint, uu____16, int32_t[256U], - int32_t(*)[256U])[uu____18] = - (int32_t)1; + libcrux_ml_dsa_encoding_signature_set_hint( + uu____16, uu____17, uu____18); j++; } continue; @@ -7481,14 +7598,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_5b( } uu____15 = malformed_hint; if (!uu____15) { - uu____16 = i; - uu____17 = &out_hint; + uu____16 = out_hint; + uu____17 = i0; uu____20 = j; uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); uu____18 = (size_t)uu____19; - Eurydice_slice_index(out_hint, uu____16, int32_t[256U], - int32_t(*)[256U])[uu____18] = (int32_t)1; + libcrux_ml_dsa_encoding_signature_set_hint(uu____16, uu____17, + uu____18); j++; } } else { @@ -7500,7 +7617,7 @@ libcrux_ml_dsa_encoding_signature_deserialize_5b( if (!uu____21) { uu____22 = current_true_hints_seen; previous_true_hints_seen = uu____22; - i++; + i0++; } continue; } @@ -7532,14 +7649,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_5b( malformed_hint = true; uu____15 = malformed_hint; if (!uu____15) { - uu____16 = i; - uu____17 = &out_hint; + uu____16 = out_hint; + uu____17 = i0; uu____20 = j; uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); uu____18 = (size_t)uu____19; - Eurydice_slice_index(out_hint, uu____16, int32_t[256U], - int32_t(*)[256U])[uu____18] = (int32_t)1; + libcrux_ml_dsa_encoding_signature_set_hint(uu____16, uu____17, + uu____18); j++; } continue; @@ -7547,14 +7664,14 @@ libcrux_ml_dsa_encoding_signature_deserialize_5b( } uu____15 = malformed_hint; if (!uu____15) { - uu____16 = i; - uu____17 = &out_hint; + uu____16 = out_hint; + uu____17 = i0; uu____20 = j; uu____19 = Eurydice_slice_index(hint_serialized, uu____20, uint8_t, uint8_t *); uu____18 = (size_t)uu____19; - Eurydice_slice_index(out_hint, uu____16, int32_t[256U], - int32_t(*)[256U])[uu____18] = (int32_t)1; + libcrux_ml_dsa_encoding_signature_set_hint(uu____16, uu____17, + uu____18); j++; } } else { @@ -7566,19 +7683,18 @@ libcrux_ml_dsa_encoding_signature_deserialize_5b( if (!uu____21) { uu____22 = current_true_hints_seen; previous_true_hints_seen = uu____22; - i++; + i0++; } + } else { + break; } } - i = previous_true_hints_seen; - while (i < max_ones_in_hint) { - if (malformed_hint) { + i0 = previous_true_hints_seen; + for (size_t i = i0; i < max_ones_in_hint; i++) { + size_t j = i; + if (Eurydice_slice_index(hint_serialized, j, uint8_t, uint8_t *) != 0U) { + malformed_hint = true; break; - } else { - if (Eurydice_slice_index(hint_serialized, i, uint8_t, uint8_t *) != 0U) { - malformed_hint = true; - } - i++; } } if (!malformed_hint) { diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h index d3a25d7cc..3c48ae1a7 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 + * Libcrux: 66afce2b7d2b86febb97fb1fc5de2fbba7419d74 */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h index d3193b72c..672b57f1e 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h @@ -8,7 +8,7 @@ * Eurydice: 8e112cd3065d2c1eb6c023cd37111300dbf9fc9a * Karamel: f82ecfe9b99edd64642d47b4e3fb6314a8e2320b * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: a09987d066ac254dbc0e455cbc83aa5bbe096741 + * Libcrux: 66afce2b7d2b86febb97fb1fc5de2fbba7419d74 */ #ifndef __libcrux_sha3_portable_H diff --git a/libcrux-ml-dsa/cg/tests/mldsa65.cc b/libcrux-ml-dsa/cg/tests/mldsa65.cc index baa8dd911..51477e0d2 100644 --- a/libcrux-ml-dsa/cg/tests/mldsa65.cc +++ b/libcrux-ml-dsa/cg/tests/mldsa65.cc @@ -7,9 +7,14 @@ */ #include +#include #include "libcrux_mldsa65_portable.h" +using namespace std; + +typedef vector bytes; + template Eurydice_slice mk_slice(T *x, size_t len) { @@ -27,7 +32,13 @@ TEST(MlDsa65TestPortable, ConsistencyTest) { randomness[i] = 13; } - auto key_pair = libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(randomness); + + bytes signing_key(LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_SIGNING_KEY_SIZE); + bytes verification_key(LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_VERIFICATION_KEY_SIZE); + libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair_mut( + randomness, + signing_key.data(), + verification_key.data()); // Sign uint8_t msg[79] = {0}; @@ -39,19 +50,27 @@ TEST(MlDsa65TestPortable, ConsistencyTest) auto msg_slice = mk_slice(&msg, 79); auto context_slice = mk_slice(&context, 3); - auto signature_result = libcrux_ml_dsa_ml_dsa_65_portable_sign( - &key_pair.signing_key, msg_slice, + bytes signature(LIBCRUX_ML_DSA_ML_DSA_GENERIC_ML_DSA_65_SIGNATURE_SIZE); + auto signature_result = libcrux_ml_dsa_ml_dsa_65_portable_sign_mut( + signing_key.data(), + msg_slice, context_slice, - randomness); + randomness, + signature.data()); EXPECT_EQ(signature_result.tag, Ok); - auto signature = signature_result.val.case_Ok; // Verify + // XXX: Make better APIs so we don't have to copy the values here. + libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_MLDSA65VerificationKey verification_key_struct; + memcpy(verification_key_struct.value, verification_key.data(), verification_key.size()); + libcrux_ml_dsa_ml_dsa_generic_ml_dsa_65_MLDSA65Signature signature_struct; + memcpy(signature_struct.value, signature.data(), signature.size()); + auto result = libcrux_ml_dsa_ml_dsa_65_portable_verify( - &key_pair.verification_key, + &verification_key_struct, msg_slice, context_slice, - &signature); + &signature_struct); EXPECT_EQ(result.tag, Ok); } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst index f16997151..fc93a51a0 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst @@ -9,6 +9,23 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let set_hint (out_hint: t_Slice (t_Array i32 (sz 256))) (i j: usize) = + let hax_temp_output, out_hint:(Prims.unit & t_Slice (t_Array i32 (sz 256))) = + (), + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out_hint + i + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (out_hint.[ i ] + <: + t_Array i32 (sz 256)) + j + 1l + <: + t_Array i32 (sz 256)) + <: + (Prims.unit & t_Slice (t_Array i32 (sz 256))) + in + out_hint + let deserialize (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -105,7 +122,7 @@ let deserialize usize) = temp_0_ in - (i <. rows_in_a <: bool) && (~.malformed_hint <: bool)) + (~.malformed_hint <: bool) && (i <. rows_in_a <: bool)) (i, malformed_hint, out_hint, previous_true_hints_seen <: (usize & bool & t_Slice (t_Array i32 (sz 256)) & usize)) @@ -152,15 +169,7 @@ let deserialize if ~.malformed_hint then let out_hint:t_Slice (t_Array i32 (sz 256)) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out_hint - i - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (out_hint.[ i ] - <: - t_Array i32 (sz 256)) - (cast (hint_serialized.[ j ] <: u8) <: usize) - 1l - <: - t_Array i32 (sz 256)) + set_hint out_hint i (cast (hint_serialized.[ j ] <: u8) <: usize) in let j:usize = j +! sz 1 in j, malformed_hint, out_hint <: (usize & bool & t_Slice (t_Array i32 (sz 256))) @@ -180,22 +189,27 @@ let deserialize (usize & bool & t_Slice (t_Array i32 (sz 256)) & usize)) in let i:usize = previous_true_hints_seen in - let i, malformed_hint:(usize & bool) = - Rust_primitives.f_while_loop (fun temp_0_ -> - let i, malformed_hint:(usize & bool) = temp_0_ in - (i <. max_ones_in_hint <: bool) && (~.malformed_hint <: bool)) - (i, malformed_hint <: (usize & bool)) - (fun temp_0_ -> - let i, malformed_hint:(usize & bool) = temp_0_ in - let malformed_hint:bool = - if (hint_serialized.[ i ] <: u8) <>. 0uy - then - let malformed_hint:bool = true in - malformed_hint - else malformed_hint - in - let i:usize = i +! sz 1 in - i, malformed_hint <: (usize & bool)) + let malformed_hint:bool = + Rust_primitives.Hax.Folds.fold_range_cf i + max_ones_in_hint + (fun malformed_hint temp_1_ -> + let malformed_hint:bool = malformed_hint in + let _:usize = temp_1_ in + true) + malformed_hint + (fun malformed_hint j -> + let malformed_hint:bool = malformed_hint in + let j:usize = j in + if (hint_serialized.[ j ] <: u8) <>. 0uy <: bool + then + let malformed_hint:bool = true in + Core.Ops.Control_flow.ControlFlow_Break ((), malformed_hint <: (Prims.unit & bool)) + <: + Core.Ops.Control_flow.t_ControlFlow (Prims.unit & bool) bool + else + Core.Ops.Control_flow.ControlFlow_Continue malformed_hint + <: + Core.Ops.Control_flow.t_ControlFlow (Prims.unit & bool) bool) in if malformed_hint then diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti index e1854f60f..1e799b36e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti @@ -9,6 +9,9 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +val set_hint (out_hint: t_Slice (t_Array i32 (sz 256))) (i j: usize) + : Prims.Pure (t_Slice (t_Array i32 (sz 256))) Prims.l_True (fun _ -> Prims.l_True) + val deserialize (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst index 79582529e..1f4e74abc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst @@ -37,6 +37,30 @@ let sign context randomness +let sign_mut + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign_mut (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + randomness + signature + in + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti index 2cc5f13c7..d8a0fad7d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti @@ -21,6 +21,20 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Generate an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_mut + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst index 8a6b279e8..af30cc781 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst @@ -37,6 +37,30 @@ let sign context randomness +let sign_mut + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign_mut (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + randomness + signature + in + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti index 58227663f..9a4380d2b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti @@ -21,6 +21,20 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Generate an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_mut + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst index 5d10a32f4..13a796716 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst @@ -37,6 +37,30 @@ let sign context randomness +let sign_mut + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign_mut (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + randomness + signature + in + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti index 1e6653b8a..80d949c43 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti @@ -21,6 +21,20 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Generate an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_mut + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst index 2fad9a3d2..4ba7e0a11 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst @@ -23,6 +23,21 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = <: Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) +let generate_key_pair_mut + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + = + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) + let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) @@ -37,6 +52,26 @@ let sign context randomness +let sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign_mut signing_key + message + context + randomness + signature + in + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti index bfcb87df8..00176aa30 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti @@ -9,6 +9,13 @@ val generate_key_pair (randomness: t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair_mut + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + : Prims.Pure (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) Prims.l_True (fun _ -> Prims.l_True) + /// Generate an ML-DSA-65 Signature /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It @@ -21,6 +28,20 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Generate an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst index 24205fe33..655282ddc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst @@ -23,6 +23,21 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = <: Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) +let generate_key_pair_mut + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + = + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) + let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) @@ -37,6 +52,26 @@ let sign context randomness +let sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign_mut signing_key + message + context + randomness + signature + in + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti index ff39c5e48..43b275f98 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti @@ -9,6 +9,13 @@ val generate_key_pair (randomness: t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair_mut + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + : Prims.Pure (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) Prims.l_True (fun _ -> Prims.l_True) + /// Generate an ML-DSA-65 Signature /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It @@ -21,6 +28,20 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Generate an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst index 325f4c11f..124549c25 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst @@ -23,6 +23,21 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = <: Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) +let generate_key_pair_mut + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + = + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) + let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) @@ -37,6 +52,26 @@ let sign context randomness +let sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign_mut signing_key + message + context + randomness + signature + in + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti index 7568a9a1c..2953eab1b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti @@ -9,6 +9,13 @@ val generate_key_pair (randomness: t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair_mut + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + : Prims.Pure (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) Prims.l_True (fun _ -> Prims.l_True) + /// Generate an ML-DSA-65 Signature /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It @@ -21,6 +28,20 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Generate an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst index bbb9f7a6a..2a1c3baa1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst @@ -37,6 +37,30 @@ let sign context randomness +let sign_mut + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign_mut (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + randomness + signature + in + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti index 2b2ba04ee..6225e3023 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti @@ -21,6 +21,20 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Generate an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_mut + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst index 754385046..c6bec73a6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst @@ -37,6 +37,30 @@ let sign context randomness +let sign_mut + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign_mut (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + randomness + signature + in + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti index 499342491..7ba0608c8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti @@ -21,6 +21,20 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Generate an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_mut + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst index 8dd52879e..6979118c4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst @@ -37,6 +37,30 @@ let sign context randomness +let sign_mut + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign_mut (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + randomness + signature + in + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti index 5825b758b..00756769a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti @@ -21,6 +21,20 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Generate an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_mut + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst index cd101511d..bf51216c4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst @@ -64,6 +64,44 @@ let sign (randomness: t_Array u8 (sz 32)) = sign___inner signing_key message context randomness +let sign_mut___inner + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_mut #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message + context randomness signature + in + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign_mut + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_mut___inner signing_key message context randomness signature + in + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128___inner (signing_key: t_Array u8 (sz 2560)) (message context pre_hash_buffer: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti index 1d183a070..0a6cd9f8c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti @@ -43,6 +43,27 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +val sign_mut___inner + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + val sign_pre_hashed_shake128___inner (signing_key: t_Array u8 (sz 2560)) (message context pre_hash_buffer: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst index 21bded2ad..76460ff5f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst @@ -64,6 +64,44 @@ let sign (randomness: t_Array u8 (sz 32)) = sign___inner signing_key message context randomness +let sign_mut___inner + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_mut #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message + context randomness signature + in + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_mut___inner signing_key message context randomness signature + in + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128___inner (signing_key: t_Array u8 (sz 4032)) (message context pre_hash_buffer: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti index 5ca65ea3e..73beab56d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti @@ -43,6 +43,27 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +val sign_mut___inner + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + val sign_pre_hashed_shake128___inner (signing_key: t_Array u8 (sz 4032)) (message context pre_hash_buffer: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst index 0673c1047..4b0b2f7b9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst @@ -64,6 +64,44 @@ let sign (randomness: t_Array u8 (sz 32)) = sign___inner signing_key message context randomness +let sign_mut___inner + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_mut #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message + context randomness signature + in + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign_mut + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_mut___inner signing_key message context randomness signature + in + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128___inner (signing_key: t_Array u8 (sz 4896)) (message context pre_hash_buffer: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti index a7b0d3ae2..a119375c4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti @@ -43,6 +43,27 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +val sign_mut___inner + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + val sign_pre_hashed_shake128___inner (signing_key: t_Array u8 (sz 4896)) (message context pre_hash_buffer: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst index 356bb5d34..4d4ef382b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst @@ -50,6 +50,27 @@ let sign #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context randomness +let sign_mut + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness signature + in + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 2560)) (message context pre_hash_buffer: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti index a8681a605..858d01f49 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti @@ -33,6 +33,17 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Sign (pre-hashed). val sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 2560)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst index d36980422..ffad39510 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst @@ -50,6 +50,27 @@ let sign #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context randomness +let sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness signature + in + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4032)) (message context pre_hash_buffer: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti index dbc3427cc..3319e50fb 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti @@ -33,6 +33,17 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Sign (pre-hashed). val sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4032)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst index a4178c8e4..2e13a6e28 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst @@ -50,6 +50,27 @@ let sign #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context randomness +let sign_mut + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness signature + in + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4896)) (message context pre_hash_buffer: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti index 3179307e3..70e139689 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti @@ -33,6 +33,17 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Sign (pre-hashed). val sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4896)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst index 2ec142025..10b695e9e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst @@ -50,6 +50,28 @@ let sign #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context randomness +let sign_mut + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message + context randomness signature + in + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 2560)) (message context pre_hash_buffer: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti index 676d92da6..347cf611d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti @@ -32,6 +32,17 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Sign (pre-hashed). val sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 2560)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst index f0f0540d5..997301ee1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst @@ -50,6 +50,28 @@ let sign #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context randomness +let sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message + context randomness signature + in + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4032)) (message context pre_hash_buffer: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti index 45fa9ce86..a101743e2 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti @@ -32,6 +32,17 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Sign (pre-hashed). val sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4032)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst index bff63f137..c9ba5db20 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst @@ -50,6 +50,28 @@ let sign #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context randomness +let sign_mut + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message + context randomness signature + in + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4896)) (message context pre_hash_buffer: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti index dd7f46ae3..61e6daa3b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti @@ -32,6 +32,17 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Sign (pre-hashed). val sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4896)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst index e040e5dac..5844e378d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst @@ -387,6 +387,7 @@ let sign_internal (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) = let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE @@ -881,7 +882,6 @@ let sign_internal (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) with | Core.Option.Option_Some hint -> let hint:t_Array (t_Array i32 (sz 256)) (sz 4) = hint in - let signature:t_Array u8 (sz 2420) = Rust_primitives.Hax.repeat 0uy (sz 2420) in let signature:t_Array u8 (sz 2420) = Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit (commitment_hash <: t_Slice u8) @@ -895,35 +895,50 @@ let sign_internal Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT signature in - Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 2420) signature) + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError + = + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError + in + signature, hax_temp_output <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError + (t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) + (t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)) | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) ) + | Core.Option.Option_None -> + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) -let sign +let sign_mut (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: @@ -943,6 +958,7 @@ let sign Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) (signing_key message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) = match Libcrux_ml_dsa.Pre_hash.impl_1__new context @@ -953,19 +969,76 @@ let sign with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key message - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + signature + in + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) | Core.Result.Result_Err _ -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) = + Libcrux_ml_dsa.Types.impl_4__zero (sz 2420) () + in + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value + in + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) = + { signature with Libcrux_ml_dsa.Types.f_value = tmp0 } + <: + Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) + in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok signature + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError -let sign_pre_hashed +let sign_pre_hashed_mut (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -990,19 +1063,19 @@ let sign_pre_hashed (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) (signing_key message context pre_hash_buffer: t_Slice u8) (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) = if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN then pre_hash_buffer, + signature, (Core.Result.Result_Err (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) else let pre_hash_buffer:t_Slice u8 = Libcrux_ml_dsa.Pre_hash.f_hash #v_PH @@ -1025,32 +1098,96 @@ let sign_pre_hashed with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError = + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 signing_key pre_hash_buffer (Core.Option.Option_Some domain_separation_context <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + signature + in + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = + out in - pre_hash_buffer, hax_temp_output + pre_hash_buffer, signature, hax_temp_output <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) | Core.Result.Result_Err _ -> pre_hash_buffer, + signature, (Core.Result.Result_Err (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i13: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) = + Libcrux_ml_dsa.Types.impl_4__zero (sz 2420) () + in + let tmp0, tmp1, out:(t_Slice u8 & t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_pre_hashed_mut #v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof + #v_Shake256X4 #v_PH signing_key message context pre_hash_buffer randomness + signature.Libcrux_ml_dsa.Types.f_value + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) = + { signature with Libcrux_ml_dsa.Types.f_value = tmp1 } + <: + Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) + in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError = + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok signature + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) let generate_key_pair (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti index 004470087..c55d05042 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti @@ -116,9 +116,27 @@ val sign_internal (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + +val sign_mut + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) val sign (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) @@ -134,6 +152,26 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +val sign_pre_hashed_mut + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + val sign_pre_hashed (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst index ff4ccf2a6..9cd43f56e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst @@ -387,6 +387,7 @@ let sign_internal (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) = let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE @@ -881,7 +882,6 @@ let sign_internal (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) with | Core.Option.Option_Some hint -> let hint:t_Array (t_Array i32 (sz 256)) (sz 6) = hint in - let signature:t_Array u8 (sz 3309) = Rust_primitives.Hax.repeat 0uy (sz 3309) in let signature:t_Array u8 (sz 3309) = Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit (commitment_hash <: t_Slice u8) @@ -895,35 +895,50 @@ let sign_internal Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT signature in - Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 3309) signature) + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError + = + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError + in + signature, hax_temp_output <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError + (t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) + (t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)) | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) ) + | Core.Option.Option_None -> + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) -let sign +let sign_mut (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: @@ -943,6 +958,7 @@ let sign Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) (signing_key message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) = match Libcrux_ml_dsa.Pre_hash.impl_1__new context @@ -953,19 +969,76 @@ let sign with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key message - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + signature + in + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) | Core.Result.Result_Err _ -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) = + Libcrux_ml_dsa.Types.impl_4__zero (sz 3309) () + in + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value + in + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) = + { signature with Libcrux_ml_dsa.Types.f_value = tmp0 } + <: + Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) + in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok signature + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError -let sign_pre_hashed +let sign_pre_hashed_mut (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -990,19 +1063,19 @@ let sign_pre_hashed (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) (signing_key message context pre_hash_buffer: t_Slice u8) (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) = if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN then pre_hash_buffer, + signature, (Core.Result.Result_Err (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) else let pre_hash_buffer:t_Slice u8 = Libcrux_ml_dsa.Pre_hash.f_hash #v_PH @@ -1025,32 +1098,96 @@ let sign_pre_hashed with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError = + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 signing_key pre_hash_buffer (Core.Option.Option_Some domain_separation_context <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + signature + in + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = + out in - pre_hash_buffer, hax_temp_output + pre_hash_buffer, signature, hax_temp_output <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) | Core.Result.Result_Err _ -> pre_hash_buffer, + signature, (Core.Result.Result_Err (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i13: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) = + Libcrux_ml_dsa.Types.impl_4__zero (sz 3309) () + in + let tmp0, tmp1, out:(t_Slice u8 & t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_pre_hashed_mut #v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof + #v_Shake256X4 #v_PH signing_key message context pre_hash_buffer randomness + signature.Libcrux_ml_dsa.Types.f_value + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) = + { signature with Libcrux_ml_dsa.Types.f_value = tmp1 } + <: + Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) + in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError = + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok signature + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) let generate_key_pair (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti index bb879294f..dc9e55a43 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti @@ -116,9 +116,27 @@ val sign_internal (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + +val sign_mut + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) val sign (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) @@ -134,6 +152,26 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +val sign_pre_hashed_mut + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Slice u8 & t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + val sign_pre_hashed (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst index 58dc92f1f..a2fc8ab3e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst @@ -387,6 +387,7 @@ let sign_internal (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) = let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE @@ -883,7 +884,6 @@ let sign_internal (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) with | Core.Option.Option_Some hint -> let hint:t_Array (t_Array i32 (sz 256)) (sz 8) = hint in - let signature:t_Array u8 (sz 4627) = Rust_primitives.Hax.repeat 0uy (sz 4627) in let signature:t_Array u8 (sz 4627) = Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit (commitment_hash <: t_Slice u8) @@ -897,35 +897,50 @@ let sign_internal Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT signature in - Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 4627) signature) + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError + = + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError + in + signature, hax_temp_output <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError + (t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) + (t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)) | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) ) + | Core.Option.Option_None -> + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) -let sign +let sign_mut (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: @@ -945,6 +960,7 @@ let sign Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) (signing_key message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) = match Libcrux_ml_dsa.Pre_hash.impl_1__new context @@ -955,19 +971,76 @@ let sign with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key message - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + signature + in + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) | Core.Result.Result_Err _ -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) = + Libcrux_ml_dsa.Types.impl_4__zero (sz 4627) () + in + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value + in + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) = + { signature with Libcrux_ml_dsa.Types.f_value = tmp0 } + <: + Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) + in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok signature + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError -let sign_pre_hashed +let sign_pre_hashed_mut (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -992,19 +1065,19 @@ let sign_pre_hashed (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) (signing_key message context pre_hash_buffer: t_Slice u8) (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) = if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN then pre_hash_buffer, + signature, (Core.Result.Result_Err (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) else let pre_hash_buffer:t_Slice u8 = Libcrux_ml_dsa.Pre_hash.f_hash #v_PH @@ -1027,32 +1100,96 @@ let sign_pre_hashed with | Core.Result.Result_Ok dsc -> let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError = + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 signing_key pre_hash_buffer (Core.Option.Option_Some domain_separation_context <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + signature + in + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = + out in - pre_hash_buffer, hax_temp_output + pre_hash_buffer, signature, hax_temp_output <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) | Core.Result.Result_Err _ -> pre_hash_buffer, + signature, (Core.Result.Result_Err (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) <: - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i13: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) = + Libcrux_ml_dsa.Types.impl_4__zero (sz 4627) () + in + let tmp0, tmp1, out:(t_Slice u8 & t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_pre_hashed_mut #v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof + #v_Shake256X4 #v_PH signing_key message context pre_hash_buffer randomness + signature.Libcrux_ml_dsa.Types.f_value + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) = + { signature with Libcrux_ml_dsa.Types.f_value = tmp1 } + <: + Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) + in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError = + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok signature + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) let generate_key_pair (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti index 04d19b3e5..1185fe9ef 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti @@ -116,9 +116,27 @@ val sign_internal (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + +val sign_mut + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) val sign (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) @@ -134,6 +152,26 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +val sign_pre_hashed_mut + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Slice u8 & t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + val sign_pre_hashed (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index 029d2758e..1d66d8ee2 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -91,7 +91,7 @@ pub(crate) fn deserialize( let mut i = 0; let mut malformed_hint = false; - while i < rows_in_a && !malformed_hint { + while !malformed_hint && i < rows_in_a { let current_true_hints_seen = hint_serialized[max_ones_in_hint + i] as usize; if (current_true_hints_seen < previous_true_hints_seen) @@ -108,8 +108,9 @@ pub(crate) fn deserialize( // increasing malformed_hint = true; } + if !malformed_hint { - out_hint[i][hint_serialized[j] as usize] = 1; + set_hint(out_hint, i, hint_serialized[j] as usize); j += 1; } } @@ -121,12 +122,13 @@ pub(crate) fn deserialize( } i = previous_true_hints_seen; - while i < max_ones_in_hint && !malformed_hint { - if hint_serialized[i] != 0 { + + for j in i..max_ones_in_hint { + if hint_serialized[j] != 0 { // ensures padding indices are zero malformed_hint = true; + break; } - i += 1; } if malformed_hint { @@ -135,3 +137,8 @@ pub(crate) fn deserialize( Ok(()) } + +#[inline(always)] +fn set_hint(out_hint: &mut [[i32; 256]], i: usize, j: usize) { + out_hint[i][j] = 1 +} diff --git a/libcrux-ml-dsa/src/ml_dsa_44.rs b/libcrux-ml-dsa/src/ml_dsa_44.rs index ab8bf7a0d..f1efaf216 100644 --- a/libcrux-ml-dsa/src/ml_dsa_44.rs +++ b/libcrux-ml-dsa/src/ml_dsa_44.rs @@ -49,6 +49,27 @@ macro_rules! instantiate { ) } + /// Generate an ML-DSA-44 Signature + /// + /// The parameter `context` is used for domain separation + /// and is a byte string of length at most 255 bytes. It + /// may also be empty. + pub fn sign_mut( + signing_key: &MLDSA44SigningKey, + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + signature: &mut [u8; SIGNATURE_SIZE], + ) -> Result<(), SigningError> { + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_44::sign_mut( + signing_key.as_ref(), + message, + context, + randomness, + signature, + ) + } + /// Generate an ML-DSA-44 Signature (Algorithm 7 in FIPS204) /// /// The message is assumed to be domain-separated. diff --git a/libcrux-ml-dsa/src/ml_dsa_65.rs b/libcrux-ml-dsa/src/ml_dsa_65.rs index 81835139b..452a8da4f 100644 --- a/libcrux-ml-dsa/src/ml_dsa_65.rs +++ b/libcrux-ml-dsa/src/ml_dsa_65.rs @@ -30,6 +30,19 @@ macro_rules! instantiate { } } + /// Generate an ML-DSA-65 Key Pair + pub fn generate_key_pair_mut( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + signing_key: &mut [u8; SIGNING_KEY_SIZE], + verification_key: &mut [u8; VERIFICATION_KEY_SIZE], + ) { + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_65::generate_key_pair( + randomness, + signing_key, + verification_key, + ); + } + /// Generate an ML-DSA-65 Signature /// /// The parameter `context` is used for domain separation @@ -49,6 +62,27 @@ macro_rules! instantiate { ) } + /// Generate an ML-DSA-65 Signature + /// + /// The parameter `context` is used for domain separation + /// and is a byte string of length at most 255 bytes. It + /// may also be empty. + pub fn sign_mut( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + signature: &mut [u8; SIGNATURE_SIZE], + ) -> Result<(), SigningError> { + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_65::sign_mut( + signing_key, + message, + context, + randomness, + signature, + ) + } + /// Generate an ML-DSA-65 Signature (Algorithm 7 in FIPS204) /// /// The message is assumed to be domain-separated. diff --git a/libcrux-ml-dsa/src/ml_dsa_87.rs b/libcrux-ml-dsa/src/ml_dsa_87.rs index ab1a4b4f6..6b5fae3e5 100644 --- a/libcrux-ml-dsa/src/ml_dsa_87.rs +++ b/libcrux-ml-dsa/src/ml_dsa_87.rs @@ -49,6 +49,27 @@ macro_rules! instantiate { ) } + /// Generate an ML-DSA-87 Signature + /// + /// The parameter `context` is used for domain separation + /// and is a byte string of length at most 255 bytes. It + /// may also be empty. + pub fn sign_mut( + signing_key: &MLDSA87SigningKey, + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + signature: &mut [u8; SIGNATURE_SIZE], + ) -> Result<(), SigningError> { + crate::ml_dsa_generic::instantiations::$modp::ml_dsa_87::sign_mut( + signing_key.as_ref(), + message, + context, + randomness, + signature, + ) + } + /// Generate an ML-DSA-87 Signature (Algorithm 7 in FIPS204) /// /// The message is assumed to be domain-separated. diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index c551fb69e..84f66ab70 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -137,7 +137,8 @@ pub(crate) mod generic { message: &[u8], domain_separation_context: Option, randomness: [u8; SIGNING_RANDOMNESS_SIZE], - ) -> Result, SigningError> { + signature: &mut [u8; SIGNATURE_SIZE], + ) -> Result<(), SigningError> { // Split the signing key into its parts. let (seed_for_a, remaining_serialized) = signing_key.split_at(SEED_FOR_A_SIZE); let (seed_for_signing, remaining_serialized) = @@ -331,8 +332,6 @@ pub(crate) mod generic { None => return Err(SigningError::RejectionSamplingError), }; - let mut signature = [0u8; SIGNATURE_SIZE]; - encoding::signature::serialize::( &commitment_hash, &signer_response, @@ -343,10 +342,10 @@ pub(crate) mod generic { GAMMA1_EXPONENT, GAMMA1_RING_ELEMENT_SIZE, MAX_ONES_IN_HINT, - &mut signature, + signature, ); - Ok(MLDSASignature::new(signature)) + Ok(()) } /// The internal verification API. @@ -465,9 +464,8 @@ pub(crate) mod generic { return Err(VerificationError::CommitmentHashesDontMatchError); } - #[allow(non_snake_case)] #[inline(always)] - pub(crate) fn sign_pre_hashed< + pub(crate) fn sign_pre_hashed_mut< SIMDUnit: Operations, Sampler: X4Sampler, Shake128: shake128::Xof, @@ -482,7 +480,8 @@ pub(crate) mod generic { context: &[u8], pre_hash_buffer: &mut [u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], - ) -> Result, SigningError> { + signature: &mut [u8; SIGNATURE_SIZE], + ) -> Result<(), SigningError> { if context.len() > CONTEXT_MAX_LEN { return Err(SigningError::ContextTooLongError); } @@ -497,22 +496,68 @@ pub(crate) mod generic { pre_hash_buffer, Some(domain_separation_context), randomness, + signature, ) } + #[inline(always)] - pub(crate) fn sign< + pub(crate) fn sign_pre_hashed< SIMDUnit: Operations, Sampler: X4Sampler, + Shake128: shake128::Xof, Shake128X4: shake128::XofX4, Shake256: shake256::DsaXof, Shake256Xof: shake256::Xof, Shake256X4: shake256::XofX4, + PH: PreHash, >( signing_key: &[u8], message: &[u8], context: &[u8], + pre_hash_buffer: &mut [u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { + let mut signature = MLDSASignature::zero(); + + // [eurydice] doesn't support ? + // https://github.com/AeneasVerif/eurydice/issues/105 + match sign_pre_hashed_mut::< + SIMDUnit, + Sampler, + Shake128, + Shake128X4, + Shake256, + Shake256Xof, + Shake256X4, + PH, + >( + signing_key, + message, + context, + pre_hash_buffer, + randomness, + &mut signature.value, + ) { + Ok(_) => Ok(signature), + Err(e) => Err(e), + } + } + + #[inline(always)] + pub(crate) fn sign_mut< + SIMDUnit: Operations, + Sampler: X4Sampler, + Shake128X4: shake128::XofX4, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, + Shake256X4: shake256::XofX4, + >( + signing_key: &[u8], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + signature: &mut [u8; SIGNATURE_SIZE], + ) -> Result<(), SigningError> { let domain_separation_context = match DomainSeparationContext::new(context, None) { Ok(dsc) => dsc, Err(_) => return Err(SigningError::ContextTooLongError), @@ -522,9 +567,40 @@ pub(crate) mod generic { message, Some(domain_separation_context), randomness, + signature, ) } - #[allow(non_snake_case)] + + #[inline(always)] + pub(crate) fn sign< + SIMDUnit: Operations, + Sampler: X4Sampler, + Shake128X4: shake128::XofX4, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, + Shake256X4: shake256::XofX4, + >( + signing_key: &[u8], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + let mut signature = MLDSASignature::zero(); + + // [eurydice] doesn't support ? + // https://github.com/AeneasVerif/eurydice/issues/105 + match sign_mut::( + signing_key, + message, + context, + randomness, + &mut signature.value, + ) { + Ok(_) => Ok(signature), + Err(e) => Err(e), + } + } + #[inline(always)] pub(crate) fn verify< SIMDUnit: Operations, @@ -551,7 +627,6 @@ pub(crate) mod generic { ) } - #[allow(non_snake_case)] #[inline(always)] pub(crate) fn verify_pre_hashed< SIMDUnit: Operations, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index dccc74b3b..8990ba5f7 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -59,12 +59,32 @@ macro_rules! instantiate { >(signing_key, message, context, randomness) } + /// Sign. + pub fn sign_mut( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + signature: &mut [u8; SIGNATURE_SIZE], + ) -> Result<(), SigningError> { + crate::ml_dsa_generic::$parameter_module::sign_mut::< + $simdunit, + $sampler, + $shake128x4, + $shake256, + $shake256xof, + $shake256x4, + >(signing_key, message, context, randomness, signature) + } + #[cfg(feature = "acvp")] pub fn sign_internal( signing_key: &[u8; SIGNING_KEY_SIZE], message: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { + let mut signature = MLDSASignature::zero(); + crate::ml_dsa_generic::$parameter_module::sign_internal::< $simdunit, $sampler, @@ -72,7 +92,9 @@ macro_rules! instantiate { $shake256, $shake256xof, $shake256x4, - >(signing_key, message, None, randomness) + >(signing_key, message, None, randomness, &mut signature.value)?; + + Ok(signature) } /// Sign (pre-hashed). diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index 62dd0a39c..2fabfa469 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -71,6 +71,38 @@ macro_rules! parameter_set { unsafe { _inner(signing_key, message, context, randomness) } } + #[allow(unsafe_code)] + /// Sign. + pub fn sign_mut( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + signature: &mut [u8; SIGNATURE_SIZE], + ) -> Result<(), SigningError> { + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] + #[allow(unsafe_code)] + unsafe fn _inner( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + signature: &mut [u8; SIGNATURE_SIZE], + ) -> Result<(), SigningError> { + crate::ml_dsa_generic::$parameter_module::sign_mut::< + crate::simd::avx2::AVX2SIMDUnit, + crate::samplex4::avx2::AVX2Sampler, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, + crate::hash_functions::simd256::Shake256x4, + >(signing_key, message, context, randomness, signature) + } + unsafe { _inner(signing_key, message, context, randomness, signature) } + } + /// Sign (internal API) #[allow(unsafe_code)] #[cfg(feature = "acvp")] @@ -85,7 +117,8 @@ macro_rules! parameter_set { signing_key: &[u8; SIGNING_KEY_SIZE], message: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], - ) -> Result, SigningError> { + signature: &mut [u8; SIGNATURE_SIZE], + ) -> Result<(), SigningError> { crate::ml_dsa_generic::$parameter_module::sign_internal::< crate::simd::avx2::AVX2SIMDUnit, crate::samplex4::avx2::AVX2Sampler, @@ -95,9 +128,15 @@ macro_rules! parameter_set { // It doesn' make sense to do these in parallel. crate::hash_functions::portable::Shake256Xof, crate::hash_functions::simd256::Shake256x4, - >(signing_key, message, None, randomness) + >(signing_key, message, None, randomness, signature) } - unsafe { _inner(&signing_key, message, randomness) } + + let mut signature = MLDSASignature::zero(); + unsafe { + _inner(&signing_key, message, randomness, &mut signature.value)?; + } + + Ok(signature) } /// Sign (pre-hashed).