From 1ec5a9f2bffb6dd9d9d3265881c383c7ee32c7f2 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Mon, 21 Oct 2024 13:22:56 +0200
Subject: [PATCH 01/22] Enable AVX2 target feature

---
 libcrux-ml-dsa/src/lib.rs                           | 1 +
 libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs | 7 +------
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/libcrux-ml-dsa/src/lib.rs b/libcrux-ml-dsa/src/lib.rs
index 3a9090beb..dda8312c1 100644
--- a/libcrux-ml-dsa/src/lib.rs
+++ b/libcrux-ml-dsa/src/lib.rs
@@ -1,4 +1,5 @@
 #![no_std]
+#![deny(unsafe_code)]
 
 mod arithmetic;
 mod constants;
diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs
index aa859d7d5..15936617b 100644
--- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs
+++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs
@@ -305,12 +305,7 @@ instantiate! {portable,
 
 // AVX2 generic implementation.
 #[cfg(feature = "simd256")]
-instantiate! {avx2,
-    crate::simd::avx2::AVX2SIMDUnit,
-    crate::hash_functions::simd256::Shake128x4,
-    crate::hash_functions::simd256::Shake256,
-    crate::hash_functions::simd256::Shake256x4
-}
+pub mod avx2;
 
 // NEON generic implementation.
 #[cfg(feature = "simd128")]

From 0031d3c06b6638aac7f0dd6d67293785c5a26c0c Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Mon, 21 Oct 2024 13:50:12 +0200
Subject: [PATCH 02/22] Inlining to help AVX2 optimization

---
 libcrux-ml-dsa/src/hash_functions.rs | 39 +++++++++++++++++++++++++++-
 libcrux-ml-dsa/src/ml_dsa_generic.rs |  8 ++++++
 libcrux-ml-dsa/src/sample.rs         |  1 +
 libcrux-ml-dsa/src/simd/avx2.rs      | 32 ++++++++++++++++++++---
 4 files changed, 76 insertions(+), 4 deletions(-)

diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs
index 2d4864f3f..ba8f9e952 100644
--- a/libcrux-ml-dsa/src/hash_functions.rs
+++ b/libcrux-ml-dsa/src/hash_functions.rs
@@ -433,10 +433,12 @@ pub(crate) mod simd256 {
 
     impl shake128::XofX4 for Shake128x4 {
         /// Init the state and absorb 4 blocks in parallel.
+        #[inline(always)]
         fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self {
             init_absorb(input0, input1, input2, input3)
         }
 
+        #[inline(always)]
         fn squeeze_first_five_blocks(
             &mut self,
             out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
@@ -447,6 +449,7 @@ pub(crate) mod simd256 {
             squeeze_first_five_blocks(self, out0, out1, out2, out3);
         }
 
+        #[inline(always)]
         fn squeeze_next_block(
             &mut self,
         ) -> (
@@ -460,7 +463,37 @@ pub(crate) mod simd256 {
     }
 
     /// AVX2 SHAKE 256 state
-    pub(crate) type Shake256 = super::portable::Shake256;
+    pub(crate) struct Shake256 {
+        state: portable::KeccakState,
+    }
+    impl shake256::Xof for Shake256 {
+        #[inline(always)]
+        fn shake256<const OUTPUT_LENGTH: usize>(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) {
+            portable::shake256(out, input);
+        }
+
+        #[inline(always)]
+        fn init_absorb(input: &[u8]) -> Self {
+            let mut state = portable::incremental::shake256_init();
+            portable::incremental::shake256_absorb_final(&mut state, input);
+
+            Self { state }
+        }
+
+        #[inline(always)]
+        fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] {
+            let mut out = [0u8; shake256::BLOCK_SIZE];
+            portable::incremental::shake256_squeeze_first_block(&mut self.state, &mut out);
+            out
+        }
+
+        #[inline(always)]
+        fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] {
+            let mut out = [0u8; shake256::BLOCK_SIZE];
+            portable::incremental::shake256_squeeze_next_block(&mut self.state, &mut out);
+            out
+        }
+    }
 
     /// AVX2 SHAKE 256 x4 state.
     #[cfg_attr(hax, hax_lib::opaque_type)]
@@ -534,10 +567,12 @@ pub(crate) mod simd256 {
     }
 
     impl shake256::XofX4 for Shake256x4 {
+        #[inline(always)]
         fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self {
             init_absorb_x4(input0, input1, input2, input3)
         }
 
+        #[inline(always)]
         fn squeeze_first_block_x4(
             &mut self,
         ) -> (
@@ -549,6 +584,7 @@ pub(crate) mod simd256 {
             squeeze_first_block_x4(self)
         }
 
+        #[inline(always)]
         fn squeeze_next_block_x4(
             &mut self,
         ) -> (
@@ -560,6 +596,7 @@ pub(crate) mod simd256 {
             squeeze_next_block_x4(self)
         }
 
+        #[inline(always)]
         fn shake256_x4<const OUT_LEN: usize>(
             input0: &[u8],
             input1: &[u8],
diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs
index 85ba11ccf..9b0443525 100644
--- a/libcrux-ml-dsa/src/ml_dsa_generic.rs
+++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs
@@ -26,6 +26,7 @@ pub(crate) mod instantiations;
 pub(crate) mod multiplexing;
 
 /// Generate a key pair.
+#[inline(always)]
 pub(crate) fn generate_key_pair<
     SIMDUnit: Operations,
     Shake128X4: shake128::XofX4,
@@ -90,6 +91,7 @@ pub(crate) fn generate_key_pair<
 }
 
 #[allow(non_snake_case)]
+#[inline(always)]
 pub(crate) fn sign_pre_hashed<
     SIMDUnit: Operations,
     Shake128X4: shake128::XofX4,
@@ -149,6 +151,7 @@ pub(crate) fn sign_pre_hashed<
 }
 
 #[allow(non_snake_case)]
+#[inline(always)]
 pub(crate) fn sign<
     SIMDUnit: Operations,
     Shake128X4: shake128::XofX4,
@@ -207,6 +210,7 @@ pub(crate) fn sign<
 /// If no `domain_separation_context` is supplied, it is assumed that
 /// `message` already contains the domain separation.
 #[allow(non_snake_case)]
+#[inline(always)]
 pub(crate) fn sign_internal<
     SIMDUnit: Operations,
     Shake128X4: shake128::XofX4,
@@ -413,6 +417,7 @@ pub(crate) fn sign_internal<
 /// for details on the domain separation for regular ML-DSA. Line
 /// 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation for the HashMl-DSA
 /// variant.
+#[inline(always)]
 fn derive_message_representative(
     verification_key_hash: [u8; 64],
     domain_separation_context: Option<DomainSeparationContext>,
@@ -445,6 +450,7 @@ fn derive_message_representative(
 /// If no `domain_separation_context` is supplied, it is assumed that
 /// `message` already contains the domain separation.
 #[allow(non_snake_case)]
+#[inline(always)]
 pub(crate) fn verify_internal<
     SIMDUnit: Operations,
     Shake128X4: shake128::XofX4,
@@ -545,6 +551,7 @@ pub(crate) fn verify_internal<
 }
 
 #[allow(non_snake_case)]
+#[inline(always)]
 pub(crate) fn verify<
     SIMDUnit: Operations,
     Shake128X4: shake128::XofX4,
@@ -595,6 +602,7 @@ pub(crate) fn verify<
 }
 
 #[allow(non_snake_case)]
+#[inline(always)]
 pub(crate) fn verify_pre_hashed<
     SIMDUnit: Operations,
     Shake128X4: shake128::XofX4,
diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs
index f1558eb7f..99e7d33f2 100644
--- a/libcrux-ml-dsa/src/sample.rs
+++ b/libcrux-ml-dsa/src/sample.rs
@@ -322,6 +322,7 @@ pub(crate) fn sample_four_error_ring_elements<
     )
 }
 
+#[inline(always)]
 fn update_seed(mut seed: [u8; 66], domain_separator: &mut u16) -> [u8; 66] {
     seed[64] = *domain_separator as u8;
     seed[65] = (*domain_separator >> 8) as u8;
diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs
index f891d39be..3c324f2f3 100644
--- a/libcrux-ml-dsa/src/simd/avx2.rs
+++ b/libcrux-ml-dsa/src/simd/avx2.rs
@@ -9,109 +9,133 @@ mod vector_type;
 pub(crate) use vector_type::AVX2SIMDUnit;
 
 impl Operations for AVX2SIMDUnit {
+    #[inline(always)]
     fn ZERO() -> Self {
         vector_type::ZERO()
     }
 
+    #[inline(always)]
     fn from_coefficient_array(coefficient_array: &[i32]) -> Self {
         vector_type::from_coefficient_array(coefficient_array)
     }
 
+    #[inline(always)]
     fn to_coefficient_array(&self) -> [i32; 8] {
         vector_type::to_coefficient_array(&self)
     }
-
+    #[inline(always)]
     fn add(lhs: &Self, rhs: &Self) -> Self {
         arithmetic::add(lhs.coefficients, rhs.coefficients).into()
     }
-
+    #[inline(always)]
     fn subtract(lhs: &Self, rhs: &Self) -> Self {
         arithmetic::subtract(lhs.coefficients, rhs.coefficients).into()
     }
-
+    #[inline(always)]
     fn montgomery_multiply_by_constant(simd_unit: Self, constant: i32) -> Self {
         arithmetic::montgomery_multiply_by_constant(simd_unit.coefficients, constant).into()
     }
+    #[inline(always)]
     fn montgomery_multiply(lhs: Self, rhs: Self) -> Self {
         arithmetic::montgomery_multiply(lhs.coefficients, rhs.coefficients).into()
     }
+    #[inline(always)]
     fn shift_left_then_reduce<const SHIFT_BY: i32>(simd_unit: Self) -> Self {
         arithmetic::shift_left_then_reduce::<SHIFT_BY>(simd_unit.coefficients).into()
     }
 
+    #[inline(always)]
     fn power2round(simd_unit: Self) -> (Self, Self) {
         let (lower, upper) = arithmetic::power2round(simd_unit.coefficients);
 
         (lower.into(), upper.into())
     }
 
+    #[inline(always)]
     fn infinity_norm_exceeds(simd_unit: Self, bound: i32) -> bool {
         arithmetic::infinity_norm_exceeds(simd_unit.coefficients, bound)
     }
 
+    #[inline(always)]
     fn decompose<const GAMMA2: i32>(simd_unit: Self) -> (Self, Self) {
         let (lower, upper) = arithmetic::decompose::<GAMMA2>(simd_unit.coefficients);
 
         (lower.into(), upper.into())
     }
 
+    #[inline(always)]
     fn compute_hint<const GAMMA2: i32>(low: Self, high: Self) -> (usize, Self) {
         let (count, hint) = arithmetic::compute_hint::<GAMMA2>(low.coefficients, high.coefficients);
 
         (count, hint.into())
     }
+    #[inline(always)]
     fn use_hint<const GAMMA2: i32>(simd_unit: Self, hint: Self) -> Self {
         arithmetic::use_hint::<GAMMA2>(simd_unit.coefficients, hint.coefficients).into()
     }
 
+    #[inline(always)]
     fn rejection_sample_less_than_field_modulus(randomness: &[u8], out: &mut [i32]) -> usize {
         rejection_sample::less_than_field_modulus::sample(randomness, out)
     }
+    #[inline(always)]
     fn rejection_sample_less_than_eta_equals_2(randomness: &[u8], out: &mut [i32]) -> usize {
         rejection_sample::less_than_eta::sample::<2>(randomness, out)
     }
+    #[inline(always)]
     fn rejection_sample_less_than_eta_equals_4(randomness: &[u8], out: &mut [i32]) -> usize {
         rejection_sample::less_than_eta::sample::<4>(randomness, out)
     }
 
+    #[inline(always)]
     fn gamma1_serialize<const OUTPUT_SIZE: usize>(simd_unit: Self) -> [u8; OUTPUT_SIZE] {
         encoding::gamma1::serialize::<OUTPUT_SIZE>(simd_unit.coefficients)
     }
+    #[inline(always)]
     fn gamma1_deserialize<const GAMMA1_EXPONENT: usize>(serialized: &[u8]) -> Self {
         encoding::gamma1::deserialize::<GAMMA1_EXPONENT>(serialized).into()
     }
 
+    #[inline(always)]
     fn commitment_serialize<const OUTPUT_SIZE: usize>(simd_unit: Self) -> [u8; OUTPUT_SIZE] {
         encoding::commitment::serialize::<OUTPUT_SIZE>(simd_unit.coefficients)
     }
 
+    #[inline(always)]
     fn error_serialize<const OUTPUT_SIZE: usize>(simd_unit: Self) -> [u8; OUTPUT_SIZE] {
         encoding::error::serialize::<OUTPUT_SIZE>(simd_unit.coefficients)
     }
+    #[inline(always)]
     fn error_deserialize<const ETA: usize>(serialized: &[u8]) -> Self {
         encoding::error::deserialize::<ETA>(serialized).into()
     }
 
+    #[inline(always)]
     fn t0_serialize(simd_unit: Self) -> [u8; 13] {
         encoding::t0::serialize(simd_unit.coefficients)
     }
+    #[inline(always)]
     fn t0_deserialize(serialized: &[u8]) -> Self {
         encoding::t0::deserialize(serialized).into()
     }
 
+    #[inline(always)]
     fn t1_serialize(simd_unit: Self) -> [u8; 10] {
         encoding::t1::serialize(simd_unit.coefficients)
     }
+    #[inline(always)]
     fn t1_deserialize(serialized: &[u8]) -> Self {
         encoding::t1::deserialize(serialized).into()
     }
 
+    #[inline(always)]
     fn ntt(simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT]) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] {
         let result = ntt::ntt(simd_units.map(|x| x.coefficients));
 
         result.map(|x| x.into())
     }
 
+    #[inline(always)]
     fn invert_ntt_at_layer_0(
         simd_unit: Self,
         zeta0: i32,
@@ -121,9 +145,11 @@ impl Operations for AVX2SIMDUnit {
     ) -> Self {
         ntt::invert_ntt_at_layer_0(simd_unit.coefficients, zeta0, zeta1, zeta2, zeta3).into()
     }
+    #[inline(always)]
     fn invert_ntt_at_layer_1(simd_unit: Self, zeta0: i32, zeta1: i32) -> Self {
         ntt::invert_ntt_at_layer_1(simd_unit.coefficients, zeta0, zeta1).into()
     }
+    #[inline(always)]
     fn invert_ntt_at_layer_2(simd_unit: Self, zeta: i32) -> Self {
         ntt::invert_ntt_at_layer_2(simd_unit.coefficients, zeta).into()
     }

From 4bc6554647a36dab0a711acd7fead1ad0efd8157 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Tue, 22 Oct 2024 08:47:23 +0200
Subject: [PATCH 03/22] Missing module

---
 .../src/ml_dsa_generic/instantiations/avx2.rs | 584 ++++++++++++++++++
 1 file changed, 584 insertions(+)
 create mode 100644 libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs

diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
new file mode 100644
index 000000000..716fd2f59
--- /dev/null
+++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
@@ -0,0 +1,584 @@
+use crate::{
+    constants::*,
+    ml_dsa_generic::{SigningError, VerificationError},
+    pre_hash::SHAKE128_PH,
+    types::*,
+};
+
+mod avx2_feature {
+    use super::*;
+
+    /// Generate key pair.
+    #[target_feature(enable = "avx2")]
+    #[allow(unsafe_code)]
+    pub(super) unsafe fn generate_key_pair<
+        const ROWS_IN_A: usize,
+        const COLUMNS_IN_A: usize,
+        const ETA: usize,
+        const ERROR_RING_ELEMENT_SIZE: usize,
+        const SIGNING_KEY_SIZE: usize,
+        const VERIFICATION_KEY_SIZE: usize,
+    >(
+        randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE],
+    ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) {
+        crate::ml_dsa_generic::generate_key_pair::<
+            crate::simd::avx2::AVX2SIMDUnit,
+            crate::hash_functions::simd256::Shake128x4,
+            crate::hash_functions::simd256::Shake256,
+            crate::hash_functions::simd256::Shake256x4,
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            ETA,
+            ERROR_RING_ELEMENT_SIZE,
+            SIGNING_KEY_SIZE,
+            VERIFICATION_KEY_SIZE,
+        >(randomness)
+    }
+
+    /// Sign.
+    #[target_feature(enable = "avx2")]
+    #[allow(unsafe_code)]
+    pub(super) unsafe fn sign<
+        const ROWS_IN_A: usize,
+        const COLUMNS_IN_A: usize,
+        const ETA: usize,
+        const ERROR_RING_ELEMENT_SIZE: usize,
+        const GAMMA1_EXPONENT: usize,
+        const GAMMA2: i32,
+        const COMMITMENT_RING_ELEMENT_SIZE: usize,
+        const COMMITMENT_VECTOR_SIZE: usize,
+        const COMMITMENT_HASH_SIZE: usize,
+        const ONES_IN_VERIFIER_CHALLENGE: usize,
+        const MAX_ONES_IN_HINT: usize,
+        const GAMMA1_RING_ELEMENT_SIZE: usize,
+        const SIGNING_KEY_SIZE: usize,
+        const SIGNATURE_SIZE: usize,
+    >(
+        signing_key: &[u8; SIGNING_KEY_SIZE],
+        message: &[u8],
+        context: &[u8],
+        randomness: [u8; SIGNING_RANDOMNESS_SIZE],
+    ) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
+        crate::ml_dsa_generic::sign::<
+            crate::simd::avx2::AVX2SIMDUnit,
+            crate::hash_functions::simd256::Shake128x4,
+            crate::hash_functions::simd256::Shake256,
+            crate::hash_functions::simd256::Shake256x4,
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            ETA,
+            ERROR_RING_ELEMENT_SIZE,
+            GAMMA1_EXPONENT,
+            GAMMA2,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+            COMMITMENT_HASH_SIZE,
+            ONES_IN_VERIFIER_CHALLENGE,
+            MAX_ONES_IN_HINT,
+            GAMMA1_RING_ELEMENT_SIZE,
+            SIGNING_KEY_SIZE,
+            SIGNATURE_SIZE,
+        >(&signing_key, message, context, randomness)
+    }
+
+    /// Sign (internal API)
+    #[cfg(feature = "acvp")]
+    #[target_feature(enable = "avx2")]
+    #[allow(unsafe_code)]
+    pub(super) unsafe fn sign_internal<
+        const ROWS_IN_A: usize,
+        const COLUMNS_IN_A: usize,
+        const ETA: usize,
+        const ERROR_RING_ELEMENT_SIZE: usize,
+        const GAMMA1_EXPONENT: usize,
+        const GAMMA2: i32,
+        const COMMITMENT_RING_ELEMENT_SIZE: usize,
+        const COMMITMENT_VECTOR_SIZE: usize,
+        const COMMITMENT_HASH_SIZE: usize,
+        const ONES_IN_VERIFIER_CHALLENGE: usize,
+        const MAX_ONES_IN_HINT: usize,
+        const GAMMA1_RING_ELEMENT_SIZE: usize,
+        const SIGNING_KEY_SIZE: usize,
+        const SIGNATURE_SIZE: usize,
+    >(
+        signing_key: &[u8; SIGNING_KEY_SIZE],
+        message: &[u8],
+        randomness: [u8; SIGNING_RANDOMNESS_SIZE],
+    ) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
+        crate::ml_dsa_generic::sign_internal::<
+            crate::simd::avx2::AVX2SIMDUnit,
+            crate::hash_functions::simd256::Shake128x4,
+            crate::hash_functions::simd256::Shake256,
+            crate::hash_functions::simd256::Shake256x4,
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            ETA,
+            ERROR_RING_ELEMENT_SIZE,
+            GAMMA1_EXPONENT,
+            GAMMA2,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+            COMMITMENT_HASH_SIZE,
+            ONES_IN_VERIFIER_CHALLENGE,
+            MAX_ONES_IN_HINT,
+            GAMMA1_RING_ELEMENT_SIZE,
+            SIGNING_KEY_SIZE,
+            SIGNATURE_SIZE,
+        >(&signing_key, message, None, randomness)
+    }
+
+    /// Sign (pre-hashed).
+    #[target_feature(enable = "avx2")]
+    #[allow(unsafe_code)]
+    pub(super) unsafe fn sign_pre_hashed_shake128<
+        const ROWS_IN_A: usize,
+        const COLUMNS_IN_A: usize,
+        const ETA: usize,
+        const ERROR_RING_ELEMENT_SIZE: usize,
+        const GAMMA1_EXPONENT: usize,
+        const GAMMA2: i32,
+        const COMMITMENT_RING_ELEMENT_SIZE: usize,
+        const COMMITMENT_VECTOR_SIZE: usize,
+        const COMMITMENT_HASH_SIZE: usize,
+        const ONES_IN_VERIFIER_CHALLENGE: usize,
+        const MAX_ONES_IN_HINT: usize,
+        const GAMMA1_RING_ELEMENT_SIZE: usize,
+        const SIGNING_KEY_SIZE: usize,
+        const SIGNATURE_SIZE: usize,
+    >(
+        signing_key: &[u8; SIGNING_KEY_SIZE],
+        message: &[u8],
+        context: &[u8],
+        randomness: [u8; SIGNING_RANDOMNESS_SIZE],
+    ) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
+        crate::ml_dsa_generic::sign_pre_hashed::<
+            crate::simd::avx2::AVX2SIMDUnit,
+            crate::hash_functions::simd256::Shake128x4,
+            crate::hash_functions::simd256::Shake256,
+            crate::hash_functions::simd256::Shake256x4,
+            SHAKE128_PH,
+            256,
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            ETA,
+            ERROR_RING_ELEMENT_SIZE,
+            GAMMA1_EXPONENT,
+            GAMMA2,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+            COMMITMENT_HASH_SIZE,
+            ONES_IN_VERIFIER_CHALLENGE,
+            MAX_ONES_IN_HINT,
+            GAMMA1_RING_ELEMENT_SIZE,
+            SIGNING_KEY_SIZE,
+            SIGNATURE_SIZE,
+        >(&signing_key, message, context, randomness)
+    }
+
+    /// Verify.
+    #[target_feature(enable = "avx2")]
+    #[allow(unsafe_code)]
+    pub(super) unsafe fn verify<
+        const ROWS_IN_A: usize,
+        const COLUMNS_IN_A: usize,
+        const SIGNATURE_SIZE: usize,
+        const VERIFICATION_KEY_SIZE: usize,
+        const GAMMA1_EXPONENT: usize,
+        const GAMMA1_RING_ELEMENT_SIZE: usize,
+        const GAMMA2: i32,
+        const BETA: i32,
+        const COMMITMENT_RING_ELEMENT_SIZE: usize,
+        const COMMITMENT_VECTOR_SIZE: usize,
+        const COMMITMENT_HASH_SIZE: usize,
+        const ONES_IN_VERIFIER_CHALLENGE: usize,
+        const MAX_ONES_IN_HINT: usize,
+    >(
+        verification_key: &[u8; VERIFICATION_KEY_SIZE],
+        message: &[u8],
+        context: &[u8],
+        signature: &[u8; SIGNATURE_SIZE],
+    ) -> Result<(), VerificationError> {
+        crate::ml_dsa_generic::verify::<
+            crate::simd::avx2::AVX2SIMDUnit,
+            crate::hash_functions::simd256::Shake128x4,
+            crate::hash_functions::simd256::Shake256,
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            SIGNATURE_SIZE,
+            VERIFICATION_KEY_SIZE,
+            GAMMA1_EXPONENT,
+            GAMMA1_RING_ELEMENT_SIZE,
+            GAMMA2,
+            BETA,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+            COMMITMENT_HASH_SIZE,
+            ONES_IN_VERIFIER_CHALLENGE,
+            MAX_ONES_IN_HINT,
+        >(verification_key, message, context, signature)
+    }
+
+    /// Verify (internal API).
+    #[cfg(feature = "acvp")]
+    #[target_feature(enable = "avx2")]
+    #[allow(unsafe_code)]
+    pub(super) unsafe fn verify_internal<
+        const ROWS_IN_A: usize,
+        const COLUMNS_IN_A: usize,
+        const SIGNATURE_SIZE: usize,
+        const VERIFICATION_KEY_SIZE: usize,
+        const GAMMA1_EXPONENT: usize,
+        const GAMMA1_RING_ELEMENT_SIZE: usize,
+        const GAMMA2: i32,
+        const BETA: i32,
+        const COMMITMENT_RING_ELEMENT_SIZE: usize,
+        const COMMITMENT_VECTOR_SIZE: usize,
+        const COMMITMENT_HASH_SIZE: usize,
+        const ONES_IN_VERIFIER_CHALLENGE: usize,
+        const MAX_ONES_IN_HINT: usize,
+    >(
+        verification_key: &[u8; VERIFICATION_KEY_SIZE],
+        message: &[u8],
+        signature: &[u8; SIGNATURE_SIZE],
+    ) -> Result<(), VerificationError> {
+        crate::ml_dsa_generic::verify_internal::<
+            crate::simd::avx2::AVX2SIMDUnit,
+            crate::hash_functions::simd256::Shake128x4,
+            crate::hash_functions::simd256::Shake256,
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            SIGNATURE_SIZE,
+            VERIFICATION_KEY_SIZE,
+            GAMMA1_EXPONENT,
+            GAMMA1_RING_ELEMENT_SIZE,
+            GAMMA2,
+            BETA,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+            COMMITMENT_HASH_SIZE,
+            ONES_IN_VERIFIER_CHALLENGE,
+            MAX_ONES_IN_HINT,
+        >(verification_key, message, None, signature)
+    }
+
+    /// Verify (pre-hashed with SHAKE-128).
+    #[target_feature(enable = "avx2")]
+    #[allow(unsafe_code)]
+    pub(super) unsafe fn verify_pre_hashed_shake128<
+        const ROWS_IN_A: usize,
+        const COLUMNS_IN_A: usize,
+        const SIGNATURE_SIZE: usize,
+        const VERIFICATION_KEY_SIZE: usize,
+        const GAMMA1_EXPONENT: usize,
+        const GAMMA1_RING_ELEMENT_SIZE: usize,
+        const GAMMA2: i32,
+        const BETA: i32,
+        const COMMITMENT_RING_ELEMENT_SIZE: usize,
+        const COMMITMENT_VECTOR_SIZE: usize,
+        const COMMITMENT_HASH_SIZE: usize,
+        const ONES_IN_VERIFIER_CHALLENGE: usize,
+        const MAX_ONES_IN_HINT: usize,
+    >(
+        verification_key: &[u8; VERIFICATION_KEY_SIZE],
+        message: &[u8],
+        context: &[u8],
+        signature: &[u8; SIGNATURE_SIZE],
+    ) -> Result<(), VerificationError> {
+        crate::ml_dsa_generic::verify_pre_hashed::<
+            crate::simd::avx2::AVX2SIMDUnit,
+            crate::hash_functions::simd256::Shake128x4,
+            crate::hash_functions::simd256::Shake256,
+            SHAKE128_PH,
+            256,
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            SIGNATURE_SIZE,
+            VERIFICATION_KEY_SIZE,
+            GAMMA1_EXPONENT,
+            GAMMA1_RING_ELEMENT_SIZE,
+            GAMMA2,
+            BETA,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+            COMMITMENT_HASH_SIZE,
+            ONES_IN_VERIFIER_CHALLENGE,
+            MAX_ONES_IN_HINT,
+        >(verification_key, message, context, signature)
+    }
+}
+
+/// Generate key pair.
+#[allow(unsafe_code)]
+pub(crate) fn generate_key_pair<
+    const ROWS_IN_A: usize,
+    const COLUMNS_IN_A: usize,
+    const ETA: usize,
+    const ERROR_RING_ELEMENT_SIZE: usize,
+    const SIGNING_KEY_SIZE: usize,
+    const VERIFICATION_KEY_SIZE: usize,
+>(
+    randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE],
+) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) {
+    unsafe {
+        avx2_feature::generate_key_pair::<
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            ETA,
+            ERROR_RING_ELEMENT_SIZE,
+            SIGNING_KEY_SIZE,
+            VERIFICATION_KEY_SIZE,
+        >(randomness)
+    }
+}
+
+/// Sign.
+#[allow(unsafe_code)]
+pub(crate) fn sign<
+    const ROWS_IN_A: usize,
+    const COLUMNS_IN_A: usize,
+    const ETA: usize,
+    const ERROR_RING_ELEMENT_SIZE: usize,
+    const GAMMA1_EXPONENT: usize,
+    const GAMMA2: i32,
+    const COMMITMENT_RING_ELEMENT_SIZE: usize,
+    const COMMITMENT_VECTOR_SIZE: usize,
+    const COMMITMENT_HASH_SIZE: usize,
+    const ONES_IN_VERIFIER_CHALLENGE: usize,
+    const MAX_ONES_IN_HINT: usize,
+    const GAMMA1_RING_ELEMENT_SIZE: usize,
+    const SIGNING_KEY_SIZE: usize,
+    const SIGNATURE_SIZE: usize,
+>(
+    signing_key: &[u8; SIGNING_KEY_SIZE],
+    message: &[u8],
+    context: &[u8],
+    randomness: [u8; SIGNING_RANDOMNESS_SIZE],
+) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
+    unsafe {
+        avx2_feature::sign::<
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            ETA,
+            ERROR_RING_ELEMENT_SIZE,
+            GAMMA1_EXPONENT,
+            GAMMA2,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+            COMMITMENT_HASH_SIZE,
+            ONES_IN_VERIFIER_CHALLENGE,
+            MAX_ONES_IN_HINT,
+            GAMMA1_RING_ELEMENT_SIZE,
+            SIGNING_KEY_SIZE,
+            SIGNATURE_SIZE,
+        >(signing_key, message, context, randomness)
+    }
+}
+
+/// Sign (internal API)
+#[cfg(feature = "acvp")]
+#[allow(unsafe_code)]
+pub(crate) fn sign_internal<
+    const ROWS_IN_A: usize,
+    const COLUMNS_IN_A: usize,
+    const ETA: usize,
+    const ERROR_RING_ELEMENT_SIZE: usize,
+    const GAMMA1_EXPONENT: usize,
+    const GAMMA2: i32,
+    const COMMITMENT_RING_ELEMENT_SIZE: usize,
+    const COMMITMENT_VECTOR_SIZE: usize,
+    const COMMITMENT_HASH_SIZE: usize,
+    const ONES_IN_VERIFIER_CHALLENGE: usize,
+    const MAX_ONES_IN_HINT: usize,
+    const GAMMA1_RING_ELEMENT_SIZE: usize,
+    const SIGNING_KEY_SIZE: usize,
+    const SIGNATURE_SIZE: usize,
+>(
+    signing_key: &[u8; SIGNING_KEY_SIZE],
+    message: &[u8],
+    randomness: [u8; SIGNING_RANDOMNESS_SIZE],
+) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
+    unsafe {
+        avx2_feature::sign_internal::<
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            ETA,
+            ERROR_RING_ELEMENT_SIZE,
+            GAMMA1_EXPONENT,
+            GAMMA2,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+            COMMITMENT_HASH_SIZE,
+            ONES_IN_VERIFIER_CHALLENGE,
+            MAX_ONES_IN_HINT,
+            GAMMA1_RING_ELEMENT_SIZE,
+            SIGNING_KEY_SIZE,
+            SIGNATURE_SIZE,
+        >(signing_key, message, randomness)
+    }
+}
+
+/// Sign (pre-hashed).
+#[allow(unsafe_code)]
+pub(crate) fn sign_pre_hashed_shake128<
+    const ROWS_IN_A: usize,
+    const COLUMNS_IN_A: usize,
+    const ETA: usize,
+    const ERROR_RING_ELEMENT_SIZE: usize,
+    const GAMMA1_EXPONENT: usize,
+    const GAMMA2: i32,
+    const COMMITMENT_RING_ELEMENT_SIZE: usize,
+    const COMMITMENT_VECTOR_SIZE: usize,
+    const COMMITMENT_HASH_SIZE: usize,
+    const ONES_IN_VERIFIER_CHALLENGE: usize,
+    const MAX_ONES_IN_HINT: usize,
+    const GAMMA1_RING_ELEMENT_SIZE: usize,
+    const SIGNING_KEY_SIZE: usize,
+    const SIGNATURE_SIZE: usize,
+>(
+    signing_key: &[u8; SIGNING_KEY_SIZE],
+    message: &[u8],
+    context: &[u8],
+    randomness: [u8; SIGNING_RANDOMNESS_SIZE],
+) -> Result<MLDSASignature<SIGNATURE_SIZE>, SigningError> {
+    unsafe {
+        avx2_feature::sign_pre_hashed_shake128::<
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            ETA,
+            ERROR_RING_ELEMENT_SIZE,
+            GAMMA1_EXPONENT,
+            GAMMA2,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+            COMMITMENT_HASH_SIZE,
+            ONES_IN_VERIFIER_CHALLENGE,
+            MAX_ONES_IN_HINT,
+            GAMMA1_RING_ELEMENT_SIZE,
+            SIGNING_KEY_SIZE,
+            SIGNATURE_SIZE,
+        >(signing_key, message, context, randomness)
+    }
+}
+
+/// Verify.
+#[allow(unsafe_code)]
+pub(crate) fn verify<
+    const ROWS_IN_A: usize,
+    const COLUMNS_IN_A: usize,
+    const SIGNATURE_SIZE: usize,
+    const VERIFICATION_KEY_SIZE: usize,
+    const GAMMA1_EXPONENT: usize,
+    const GAMMA1_RING_ELEMENT_SIZE: usize,
+    const GAMMA2: i32,
+    const BETA: i32,
+    const COMMITMENT_RING_ELEMENT_SIZE: usize,
+    const COMMITMENT_VECTOR_SIZE: usize,
+    const COMMITMENT_HASH_SIZE: usize,
+    const ONES_IN_VERIFIER_CHALLENGE: usize,
+    const MAX_ONES_IN_HINT: usize,
+>(
+    verification_key: &[u8; VERIFICATION_KEY_SIZE],
+    message: &[u8],
+    context: &[u8],
+    signature: &[u8; SIGNATURE_SIZE],
+) -> Result<(), VerificationError> {
+    unsafe {
+        avx2_feature::verify::<
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            SIGNATURE_SIZE,
+            VERIFICATION_KEY_SIZE,
+            GAMMA1_EXPONENT,
+            GAMMA1_RING_ELEMENT_SIZE,
+            GAMMA2,
+            BETA,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+            COMMITMENT_HASH_SIZE,
+            ONES_IN_VERIFIER_CHALLENGE,
+            MAX_ONES_IN_HINT,
+        >(verification_key, message, context, signature)
+    }
+}
+
+/// Verify (internal API).
+#[cfg(feature = "acvp")]
+#[allow(unsafe_code)]
+pub(crate) fn verify_internal<
+    const ROWS_IN_A: usize,
+    const COLUMNS_IN_A: usize,
+    const SIGNATURE_SIZE: usize,
+    const VERIFICATION_KEY_SIZE: usize,
+    const GAMMA1_EXPONENT: usize,
+    const GAMMA1_RING_ELEMENT_SIZE: usize,
+    const GAMMA2: i32,
+    const BETA: i32,
+    const COMMITMENT_RING_ELEMENT_SIZE: usize,
+    const COMMITMENT_VECTOR_SIZE: usize,
+    const COMMITMENT_HASH_SIZE: usize,
+    const ONES_IN_VERIFIER_CHALLENGE: usize,
+    const MAX_ONES_IN_HINT: usize,
+>(
+    verification_key: &[u8; VERIFICATION_KEY_SIZE],
+    message: &[u8],
+    signature: &[u8; SIGNATURE_SIZE],
+) -> Result<(), VerificationError> {
+    unsafe {
+        avx2_feature::verify_internal::<
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            SIGNATURE_SIZE,
+            VERIFICATION_KEY_SIZE,
+            GAMMA1_EXPONENT,
+            GAMMA1_RING_ELEMENT_SIZE,
+            GAMMA2,
+            BETA,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+            COMMITMENT_HASH_SIZE,
+            ONES_IN_VERIFIER_CHALLENGE,
+            MAX_ONES_IN_HINT,
+        >(verification_key, message, signature)
+    }
+}
+
+/// Verify (pre-hashed with SHAKE-128).
+#[allow(unsafe_code)]
+pub(crate) fn verify_pre_hashed_shake128<
+    const ROWS_IN_A: usize,
+    const COLUMNS_IN_A: usize,
+    const SIGNATURE_SIZE: usize,
+    const VERIFICATION_KEY_SIZE: usize,
+    const GAMMA1_EXPONENT: usize,
+    const GAMMA1_RING_ELEMENT_SIZE: usize,
+    const GAMMA2: i32,
+    const BETA: i32,
+    const COMMITMENT_RING_ELEMENT_SIZE: usize,
+    const COMMITMENT_VECTOR_SIZE: usize,
+    const COMMITMENT_HASH_SIZE: usize,
+    const ONES_IN_VERIFIER_CHALLENGE: usize,
+    const MAX_ONES_IN_HINT: usize,
+>(
+    verification_key: &[u8; VERIFICATION_KEY_SIZE],
+    message: &[u8],
+    context: &[u8],
+    signature: &[u8; SIGNATURE_SIZE],
+) -> Result<(), VerificationError> {
+    unsafe {
+        avx2_feature::verify_pre_hashed_shake128::<
+            ROWS_IN_A,
+            COLUMNS_IN_A,
+            SIGNATURE_SIZE,
+            VERIFICATION_KEY_SIZE,
+            GAMMA1_EXPONENT,
+            GAMMA1_RING_ELEMENT_SIZE,
+            GAMMA2,
+            BETA,
+            COMMITMENT_RING_ELEMENT_SIZE,
+            COMMITMENT_VECTOR_SIZE,
+            COMMITMENT_HASH_SIZE,
+            ONES_IN_VERIFIER_CHALLENGE,
+            MAX_ONES_IN_HINT,
+        >(verification_key, message, context, signature)
+    }
+}

From f946f53653518dd89c110a3eb806faf31c1e0f3e Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Thu, 24 Oct 2024 15:36:23 +0200
Subject: [PATCH 04/22] Attempt to reduce stack size

---
 libcrux-ml-dsa/src/simd/avx2.rs     | 3 ++-
 libcrux-ml-dsa/src/simd/avx2/ntt.rs | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs
index 3c324f2f3..e4c7189c6 100644
--- a/libcrux-ml-dsa/src/simd/avx2.rs
+++ b/libcrux-ml-dsa/src/simd/avx2.rs
@@ -129,8 +129,9 @@ impl Operations for AVX2SIMDUnit {
     }
 
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn ntt(simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT]) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] {
-        let result = ntt::ntt(simd_units.map(|x| x.coefficients));
+        let result = unsafe{ntt::ntt(simd_units.map(|x| x.coefficients))};
 
         result.map(|x| x.into())
     }
diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
index 94d8aa1dd..512669e28 100644
--- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
@@ -244,8 +244,9 @@ fn ntt_at_layer_3_plus<const LAYER: usize>(
     ()
 }
 
-#[inline(always)]
-pub(crate) fn ntt(
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+pub(crate) unsafe fn ntt(
     mut re: [Vec256; SIMD_UNITS_IN_RING_ELEMENT],
 ) -> [Vec256; SIMD_UNITS_IN_RING_ELEMENT] {
     let mut zeta_i = 0;

From a86ce0029bf9122fb3075a9ac46c9a5951eb81af Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Thu, 24 Oct 2024 15:36:43 +0200
Subject: [PATCH 05/22] Format

---
 libcrux-ml-dsa/src/simd/avx2.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs
index e4c7189c6..c83c24caa 100644
--- a/libcrux-ml-dsa/src/simd/avx2.rs
+++ b/libcrux-ml-dsa/src/simd/avx2.rs
@@ -131,7 +131,7 @@ impl Operations for AVX2SIMDUnit {
     #[inline(always)]
     #[allow(unsafe_code)]
     fn ntt(simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT]) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] {
-        let result = unsafe{ntt::ntt(simd_units.map(|x| x.coefficients))};
+        let result = unsafe { ntt::ntt(simd_units.map(|x| x.coefficients)) };
 
         result.map(|x| x.into())
     }

From 23120b2f7d7e14a7df9f61bbfc0f5e9ef7c2a887 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Thu, 31 Oct 2024 16:52:17 +0100
Subject: [PATCH 06/22] ACVP uninlined inner functions

---
 libcrux-ml-dsa/tests/acvp.rs | 268 ++++++++++++++++++++---------------
 1 file changed, 150 insertions(+), 118 deletions(-)

diff --git a/libcrux-ml-dsa/tests/acvp.rs b/libcrux-ml-dsa/tests/acvp.rs
index ebdc2ce9f..75f0c1ddf 100644
--- a/libcrux-ml-dsa/tests/acvp.rs
+++ b/libcrux-ml-dsa/tests/acvp.rs
@@ -63,8 +63,6 @@ struct ResultPromptTestGroup {
 
 #[test]
 fn keygen() {
-    use libcrux_ml_dsa::*;
-
     let prompts: Prompts<KeyGenPromptTestGroup> = read("keygen", "prompt.json");
     assert!(prompts.algorithm == "ML-DSA");
     assert!(prompts.revision == "FIPS204");
@@ -83,37 +81,50 @@ fn keygen() {
         eprintln!("{parameter_set}");
 
         for test in kat.tests {
-            eprintln!("  {}", test.tcId);
-            fn check<const VK_LEN: usize, const SK_LEN: usize>(
-                keys: MLDSAKeyPair<VK_LEN, SK_LEN>,
-                result: &KeyGenResult,
-            ) {
-                assert_eq!(result.pk, keys.verification_key.as_slice());
-                assert_eq!(result.sk, keys.signing_key.as_slice());
-            }
-
-            let expected_result = results
-                .testGroups
-                .iter()
-                .find(|tg| tg.tgId == kat.tgId)
-                .unwrap()
-                .tests
-                .iter()
-                .find(|t| t.tcId == test.tcId)
-                .unwrap();
-
-            match parameter_set.as_str() {
-                "ML-DSA-44" => check(ml_dsa_44::generate_key_pair(test.seed), expected_result),
-
-                "ML-DSA-65" => check(ml_dsa_65::generate_key_pair(test.seed), expected_result),
-
-                "ML-DSA-87" => check(ml_dsa_87::generate_key_pair(test.seed), expected_result),
-                _ => unimplemented!(),
-            }
+            keygen_inner(test, &results, kat.tgId, &parameter_set);
         }
     }
 }
 
+#[inline(never)]
+#[allow(non_snake_case)]
+fn keygen_inner(
+    test: KeyGenPrompt,
+    results: &Results<ResultPromptTestGroup>,
+    tgId: usize,
+    parameter_set: &String,
+) {
+    use libcrux_ml_dsa::*;
+    eprintln!("  {}", test.tcId);
+    #[inline(never)]
+    fn check<const VK_LEN: usize, const SK_LEN: usize>(
+        keys: MLDSAKeyPair<VK_LEN, SK_LEN>,
+        result: &KeyGenResult,
+    ) {
+        assert_eq!(result.pk, keys.verification_key.as_slice());
+        assert_eq!(result.sk, keys.signing_key.as_slice());
+    }
+
+    let expected_result = results
+        .testGroups
+        .iter()
+        .find(|tg| tg.tgId == tgId)
+        .unwrap()
+        .tests
+        .iter()
+        .find(|t| t.tcId == test.tcId)
+        .unwrap();
+
+    match parameter_set.as_str() {
+        "ML-DSA-44" => check(ml_dsa_44::generate_key_pair(test.seed), expected_result),
+
+        "ML-DSA-65" => check(ml_dsa_65::generate_key_pair(test.seed), expected_result),
+
+        "ML-DSA-87" => check(ml_dsa_87::generate_key_pair(test.seed), expected_result),
+        _ => unimplemented!(),
+    }
+}
+
 fn read<T: DeserializeOwned>(variant: &str, file: &str) -> T {
     let katfile_path = Path::new("tests")
         .join("kats")
@@ -128,8 +139,6 @@ fn read<T: DeserializeOwned>(variant: &str, file: &str) -> T {
 
 #[test]
 fn siggen() {
-    use libcrux_ml_dsa::*;
-
     let prompts: Prompts<SigGenPromptTestGroup> = read("siggen", "prompt.json");
     assert!(prompts.algorithm == "ML-DSA");
     assert!(prompts.revision == "FIPS204");
@@ -148,59 +157,69 @@ fn siggen() {
         eprintln!("{parameter_set}");
 
         for test in kat.tests {
-            eprintln!("  {}", test.tcId);
-            let expected_result = results
-                .testGroups
-                .iter()
-                .find(|tg| tg.tgId == kat.tgId)
-                .unwrap()
-                .tests
-                .iter()
-                .find(|t| t.tcId == test.tcId)
-                .unwrap();
-
-            let Randomness(rnd) = test.rnd.unwrap_or(Randomness([0u8; 32]));
-
-            match parameter_set.as_str() {
-                "ML-DSA-44" => {
-                    let signature = ml_dsa_44::sign_internal(
-                        &MLDSASigningKey(test.sk.try_into().unwrap()),
-                        &test.message,
-                        rnd,
-                    )
-                    .unwrap();
-                    assert_eq!(signature.as_slice(), expected_result.signature);
-                }
-
-                "ML-DSA-65" => {
-                    let signature = ml_dsa_65::sign_internal(
-                        &MLDSASigningKey(test.sk.try_into().unwrap()),
-                        &test.message,
-                        rnd,
-                    )
-                    .unwrap();
-                    assert_eq!(signature.as_slice(), expected_result.signature);
-                }
-
-                "ML-DSA-87" => {
-                    let signature = ml_dsa_87::sign_internal(
-                        &MLDSASigningKey(test.sk.try_into().unwrap()),
-                        &test.message,
-                        rnd,
-                    )
-                    .unwrap();
-                    assert_eq!(signature.as_slice(), expected_result.signature);
-                }
-                _ => unimplemented!(),
-            }
+            siggen_inner(test, &results, kat.tgId, &parameter_set);
         }
     }
 }
 
-#[test]
-fn sigver() {
+#[inline(never)]
+#[allow(non_snake_case)]
+fn siggen_inner(
+    test: SigGenTest,
+    results: &Results<ResultSigGenTestGroup>,
+    tgId: usize,
+    parameter_set: &String,
+) {
     use libcrux_ml_dsa::*;
+    eprintln!("  {}", test.tcId);
+    let expected_result = results
+        .testGroups
+        .iter()
+        .find(|tg| tg.tgId == tgId)
+        .unwrap()
+        .tests
+        .iter()
+        .find(|t| t.tcId == test.tcId)
+        .unwrap();
+
+    let Randomness(rnd) = test.rnd.unwrap_or(Randomness([0u8; 32]));
+
+    match parameter_set.as_str() {
+        "ML-DSA-44" => {
+            let signature = ml_dsa_44::sign_internal(
+                &MLDSASigningKey(test.sk.try_into().unwrap()),
+                &test.message,
+                rnd,
+            )
+            .unwrap();
+            assert_eq!(signature.as_slice(), expected_result.signature);
+        }
 
+        "ML-DSA-65" => {
+            let signature = ml_dsa_65::sign_internal(
+                &MLDSASigningKey(test.sk.try_into().unwrap()),
+                &test.message,
+                rnd,
+            )
+            .unwrap();
+            assert_eq!(signature.as_slice(), expected_result.signature);
+        }
+
+        "ML-DSA-87" => {
+            let signature = ml_dsa_87::sign_internal(
+                &MLDSASigningKey(test.sk.try_into().unwrap()),
+                &test.message,
+                rnd,
+            )
+            .unwrap();
+            assert_eq!(signature.as_slice(), expected_result.signature);
+        }
+        _ => unimplemented!(),
+    }
+}
+
+#[test]
+fn sigver() {
     let prompts: Prompts<SigVerPromptTestGroup> = read("sigver", "prompt.json");
     assert!(prompts.algorithm == "ML-DSA");
     assert!(prompts.revision == "FIPS204");
@@ -219,47 +238,60 @@ fn sigver() {
         eprintln!("{parameter_set}");
 
         for test in kat.tests {
-            eprintln!("  {}", test.tcId);
-            let expected_result = results
-                .testGroups
-                .iter()
-                .find(|tg| tg.tgId == kat.tgId)
-                .unwrap()
-                .tests
-                .iter()
-                .find(|t| t.tcId == test.tcId)
-                .unwrap();
-
-            match parameter_set.as_str() {
-                "ML-DSA-44" => {
-                    let valid = ml_dsa_44::verify_internal(
-                        &MLDSAVerificationKey(kat.pk.clone().try_into().unwrap()),
-                        &test.message,
-                        &MLDSASignature(test.signature.try_into().unwrap()),
-                    );
-                    assert_eq!(valid.is_ok(), expected_result.testPassed);
-                }
-
-                "ML-DSA-65" => {
-                    let valid = ml_dsa_65::verify_internal(
-                        &MLDSAVerificationKey(kat.pk.clone().try_into().unwrap()),
-                        &test.message,
-                        &MLDSASignature(test.signature.try_into().unwrap()),
-                    );
-                    assert_eq!(valid.is_ok(), expected_result.testPassed);
-                }
-
-                "ML-DSA-87" => {
-                    let valid = ml_dsa_87::verify_internal(
-                        &MLDSAVerificationKey(kat.pk.clone().try_into().unwrap()),
-                        &test.message,
-                        &MLDSASignature(test.signature.try_into().unwrap()),
-                    );
-                    assert_eq!(valid.is_ok(), expected_result.testPassed);
-                }
-                _ => unimplemented!(),
-            }
+            sigver_inner(test, &results, kat.tgId, &kat.pk, &parameter_set);
+        }
+    }
+}
+
+#[inline(never)]
+#[allow(non_snake_case)]
+fn sigver_inner(
+    test: SigVerTest,
+    results: &Results<ResultSigVerTestGroup>,
+    tgId: usize,
+    pk: &[u8],
+    parameter_set: &String,
+) {
+    use libcrux_ml_dsa::*;
+    eprintln!("  {}", test.tcId);
+    let expected_result = results
+        .testGroups
+        .iter()
+        .find(|tg| tg.tgId == tgId)
+        .unwrap()
+        .tests
+        .iter()
+        .find(|t| t.tcId == test.tcId)
+        .unwrap();
+
+    match parameter_set.as_str() {
+        "ML-DSA-44" => {
+            let valid = ml_dsa_44::verify_internal(
+                &MLDSAVerificationKey(pk.to_owned().try_into().unwrap()),
+                &test.message,
+                &MLDSASignature(test.signature.try_into().unwrap()),
+            );
+            assert_eq!(valid.is_ok(), expected_result.testPassed);
+        }
+
+        "ML-DSA-65" => {
+            let valid = ml_dsa_65::verify_internal(
+                &MLDSAVerificationKey(pk.to_owned().try_into().unwrap()),
+                &test.message,
+                &MLDSASignature(test.signature.try_into().unwrap()),
+            );
+            assert_eq!(valid.is_ok(), expected_result.testPassed);
+        }
+
+        "ML-DSA-87" => {
+            let valid = ml_dsa_87::verify_internal(
+                &MLDSAVerificationKey(pk.to_owned().try_into().unwrap()),
+                &test.message,
+                &MLDSASignature(test.signature.try_into().unwrap()),
+            );
+            assert_eq!(valid.is_ok(), expected_result.testPassed);
         }
+        _ => unimplemented!(),
     }
 }
 

From 30c7de7a00fe3f666e0ec9b397e002f77643c85e Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Mon, 4 Nov 2024 11:40:18 +0100
Subject: [PATCH 07/22] Remove Zeta arrays

Changes cherry-picked from `07084ab4` and `6022f6e4`
---
 libcrux-ml-dsa/src/ntt.rs               | 303 +++++++++++++++--------
 libcrux-ml-dsa/src/simd/avx2/ntt.rs     | 306 +++++++++++++++++-------
 libcrux-ml-dsa/src/simd/portable/ntt.rs | 259 +++++++++++++++-----
 libcrux-ml-dsa/src/simd/traits.rs       |  29 ---
 4 files changed, 631 insertions(+), 266 deletions(-)

diff --git a/libcrux-ml-dsa/src/ntt.rs b/libcrux-ml-dsa/src/ntt.rs
index 7094faaa5..df925fae8 100644
--- a/libcrux-ml-dsa/src/ntt.rs
+++ b/libcrux-ml-dsa/src/ntt.rs
@@ -1,39 +1,9 @@
 use crate::{
     arithmetic::FieldElementTimesMontgomeryR,
-    constants::COEFFICIENTS_IN_RING_ELEMENT,
     polynomial::PolynomialRingElement,
     simd::traits::{montgomery_multiply_by_fer, Operations, COEFFICIENTS_IN_SIMD_UNIT},
 };
 
-const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 256] = [
-    0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, 1826347, 2353451, -359251,
-    -2091905, 3119733, -2884855, 3111497, 2680103, 2725464, 1024112, -1079900, 3585928, -549488,
-    -1119584, 2619752, -2108549, -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497,
-    280005, 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, -3861115,
-    -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, -1699267, -1643818, 3505694,
-    -3821735, 3507263, -2140649, -1600420, 3699596, 811944, 531354, 954230, 3881043, 3900724,
-    -2556880, 2071892, -2797779, -3930395, -1528703, -3677745, -3041255, -1452451, 3475950,
-    2176455, -1585221, -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922,
-    3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047, -671102, -1228525,
-    -22981, -1308169, -381987, 1349076, 1852771, -1430430, -3343383, 264944, 508951, 3097992,
-    44288, -1100098, 904516, 3958618, -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969,
-    -1316856, 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330, 1285669,
-    -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961, 2091667, 3407706, 2316500,
-    3817976, -3342478, 2244091, -2446433, -3562462, 266997, 2434439, -1235728, 3513181, -3520352,
-    -3759364, -1197226, -3193378, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260,
-    -522500, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, 342297,
-    286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, 2842341, 2691481, -2590150,
-    1265009, 4055324, 1247620, 2486353, 1595974, -3767016, 1250494, 2635921, -3548272, -2994039,
-    1869119, 1903435, -1050970, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115,
-    -1962642, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031, -542412,
-    -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, -2013608, 2432395, 2454455,
-    -164721, 1957272, 3369112, 185531, -1207385, -3183426, 162844, 1616392, 3014001, 810149,
-    1652634, -3694233, -1799107, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735,
-    472078, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, -2939036,
-    -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, -554416, 3919660, -48306,
-    -1362209, 3937738, 1400424, -846154, 1976782,
-];
-
 #[inline(always)]
 pub(crate) fn ntt<SIMDUnit: Operations>(
     re: PolynomialRingElement<SIMDUnit>,
@@ -44,96 +14,237 @@ pub(crate) fn ntt<SIMDUnit: Operations>(
 }
 
 #[inline(always)]
-fn invert_ntt_at_layer_0<SIMDUnit: Operations>(
-    zeta_i: &mut usize,
-    re: &mut PolynomialRingElement<SIMDUnit>,
-) {
-    *zeta_i -= 1;
-
-    for round in 0..re.simd_units.len() {
-        re.simd_units[round] = SIMDUnit::invert_ntt_at_layer_0(
-            re.simd_units[round],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 2],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 3],
-        );
-
-        *zeta_i -= 4;
+fn invert_ntt_at_layer_0<SIMDUnit: Operations>(re: &mut PolynomialRingElement<SIMDUnit>) {
+    macro_rules! round {
+        ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => {
+            re.simd_units[$i] = SIMDUnit::invert_ntt_at_layer_0(
+                re.simd_units[$i],
+                $zeta_0,
+                $zeta_1,
+                $zeta_2,
+                $zeta_3,
+            );
+        };
     }
 
-    *zeta_i += 1;
+    round!(0, 1976782, -846154, 1400424, 3937738);
+    round!(1, -1362209, -48306, 3919660, -554416);
+    round!(2, -3545687, 1612842, -976891, 183443);
+    round!(3, -2286327, -420899, -2235985, -2939036);
+    round!(4, -3833893, -260646, -1104333, -1667432);
+    round!(5, 1910376, -1803090, 1723600, -426683);
+    round!(6, 472078, 1717735, -975884, 2213111);
+    round!(7, 269760, 3866901, 3523897, -3038916);
+    round!(8, -1799107, -3694233, 1652634, 810149);
+    round!(9, 3014001, 1616392, 162844, -3183426);
+    round!(10, -1207385, 185531, 3369112, 1957272);
+    round!(11, -164721, 2454455, 2432395, -2013608);
+    round!(12, -3776993, 594136, -3724270, -2584293);
+    round!(13, -1846953, -1671176, -2831860, -542412);
+    round!(14, 3406031, 2235880, 777191, 1500165);
+    round!(15, -1374803, -2546312, 1917081, -1279661);
+    round!(16, -1962642, 3306115, 1312455, -451100);
+    round!(17, -1430225, -3318210, 1237275, -1333058);
+    round!(18, -1050970, 1903435, 1869119, -2994039);
+    round!(19, -3548272, 2635921, 1250494, -3767016);
+    round!(20, 1595974, 2486353, 1247620, 4055324);
+    round!(21, 1265009, -2590150, 2691481, 2842341);
+    round!(22, 203044, 1735879, -3342277, 3437287);
+    round!(23, 4108315, -2437823, 286988, 342297);
+    round!(24, -3595838, -768622, -525098, -3556995);
+    round!(25, 3207046, 2031748, -3122442, -655327);
+    round!(26, -522500, -43260, -1613174, 495491);
+    round!(27, 819034, 909542, 1859098, 900702);
+    round!(28, -3193378, -1197226, -3759364, -3520352);
+    round!(29, 3513181, -1235728, 2434439, 266997);
+    round!(30, -3562462, -2446433, 2244091, -3342478);
+    round!(31, 3817976, 2316500, 3407706, 2091667);
 }
+
 #[inline(always)]
-fn invert_ntt_at_layer_1<SIMDUnit: Operations>(
-    zeta_i: &mut usize,
-    re: &mut PolynomialRingElement<SIMDUnit>,
-) {
-    *zeta_i -= 1;
+fn invert_ntt_at_layer_1<SIMDUnit: Operations>(re: &mut PolynomialRingElement<SIMDUnit>) {
+    macro_rules! round {
+        ($i:literal, $zeta_0:literal, $zeta_1:literal) => {
+            re.simd_units[$i] =
+                SIMDUnit::invert_ntt_at_layer_1(re.simd_units[$i], $zeta_0, $zeta_1);
+        };
+    }
 
-    for round in 0..(256 / COEFFICIENTS_IN_SIMD_UNIT) {
-        re.simd_units[round] = SIMDUnit::invert_ntt_at_layer_1(
-            re.simd_units[round],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1],
-        );
-        *zeta_i -= 2;
+    round!(0, 3839961, -3628969);
+    round!(1, -3881060, -3019102);
+    round!(2, -1439742, -812732);
+    round!(3, -1584928, 1285669);
+    round!(4, 1341330, 1315589);
+    round!(5, -177440, -2409325);
+    round!(6, -1851402, 3159746);
+    round!(7, -3553272, 189548);
+    round!(8, -1316856, 759969);
+    round!(9, -210977, 2389356);
+    round!(10, -3249728, 1653064);
+    round!(11, -8578, -3724342);
+    round!(12, 3958618, 904516);
+    round!(13, -1100098, 44288);
+    round!(14, 3097992, 508951);
+    round!(15, 264944, -3343383);
+    round!(16, -1430430, 1852771);
+    round!(17, 1349076, -381987);
+    round!(18, -1308169, -22981);
+    round!(19, -1228525, -671102);
+    round!(20, -2477047, -411027);
+    round!(21, -3693493, -2967645);
+    round!(22, 2715295, 2147896);
+    round!(23, -983419, 3412210);
+    round!(24, 126922, -3632928);
+    round!(25, -3157330, -3190144);
+    round!(26, -1000202, -4083598);
+    round!(27, 1939314, -1257611);
+    round!(28, -1585221, 2176455);
+    round!(29, 3475950, -1452451);
+    round!(30, -3041255, -3677745);
+    round!(31, -1528703, -3930395);
+}
+
+#[inline(always)]
+fn invert_ntt_at_layer_2<SIMDUnit: Operations>(re: &mut PolynomialRingElement<SIMDUnit>) {
+    macro_rules! round {
+        ($i:literal, $zeta:literal) => {
+            re.simd_units[$i] = SIMDUnit::invert_ntt_at_layer_2(re.simd_units[$i], $zeta);
+        };
     }
 
-    *zeta_i += 1;
+    round!(0, -2797779);
+    round!(1, 2071892);
+    round!(2, -2556880);
+    round!(3, 3900724);
+    round!(4, 3881043);
+    round!(5, 954230);
+    round!(6, 531354);
+    round!(7, 811944);
+    round!(8, 3699596);
+    round!(9, -1600420);
+    round!(10, -2140649);
+    round!(11, 3507263);
+    round!(12, -3821735);
+    round!(13, 3505694);
+    round!(14, -1643818);
+    round!(15, -1699267);
+    round!(16, -539299);
+    round!(17, 2348700);
+    round!(18, -300467);
+    round!(19, 3539968);
+    round!(20, -2867647);
+    round!(21, 3574422);
+    round!(22, -3043716);
+    round!(23, -3861115);
+    round!(24, 3915439);
+    round!(25, -2537516);
+    round!(26, -3592148);
+    round!(27, -1661693);
+    round!(28, 3530437);
+    round!(29, 3077325);
+    round!(30, 95776);
+    round!(31, 2706023);
 }
+
 #[inline(always)]
-fn invert_ntt_at_layer_2<SIMDUnit: Operations>(
-    zeta_i: &mut usize,
+fn outer_3_plus<
+    SIMDUnit: Operations,
+    const OFFSET: usize,
+    const STEP_BY: usize,
+    const ZETA: FieldElementTimesMontgomeryR,
+>(
     re: &mut PolynomialRingElement<SIMDUnit>,
 ) {
-    for round in 0..(256 / COEFFICIENTS_IN_SIMD_UNIT) {
-        *zeta_i -= 1;
-        re.simd_units[round] = SIMDUnit::invert_ntt_at_layer_2(
-            re.simd_units[round],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-        );
+    for j in OFFSET..OFFSET + STEP_BY {
+        let a_minus_b = SIMDUnit::subtract(&re.simd_units[j + STEP_BY], &re.simd_units[j]);
+        re.simd_units[j] = SIMDUnit::add(&re.simd_units[j], &re.simd_units[j + STEP_BY]);
+        re.simd_units[j + STEP_BY] = montgomery_multiply_by_fer(a_minus_b, ZETA);
     }
     ()
 }
+
 #[inline(always)]
-fn invert_ntt_at_layer_3_plus<SIMDUnit: Operations, const LAYER: usize>(
-    zeta_i: &mut usize,
-    re: &mut PolynomialRingElement<SIMDUnit>,
-) {
-    let step = 1 << LAYER;
+fn invert_ntt_at_layer_3<SIMDUnit: Operations>(re: &mut PolynomialRingElement<SIMDUnit>) {
+    const STEP: usize = 8; // 1 << LAYER;
+    const STEP_BY: usize = 1; // step / COEFFICIENTS_IN_SIMD_UNIT;
 
-    for round in 0..(128 >> LAYER) {
-        *zeta_i -= 1;
+    outer_3_plus::<SIMDUnit, { (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 280005>(re);
+    outer_3_plus::<SIMDUnit, { (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 4010497>(re);
+    outer_3_plus::<SIMDUnit, { (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -19422>(re);
+    outer_3_plus::<SIMDUnit, { (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1757237>(re);
+    outer_3_plus::<SIMDUnit, { (4 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -3277672>(re);
+    outer_3_plus::<SIMDUnit, { (5 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1399561>(re);
+    outer_3_plus::<SIMDUnit, { (6 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -3859737>(re);
+    outer_3_plus::<SIMDUnit, { (7 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2118186>(re);
+    outer_3_plus::<SIMDUnit, { (8 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2108549>(re);
+    outer_3_plus::<SIMDUnit, { (9 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2619752>(re);
+    outer_3_plus::<SIMDUnit, { (10 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1119584>(
+        re,
+    );
+    outer_3_plus::<SIMDUnit, { (11 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -549488>(re);
+    outer_3_plus::<SIMDUnit, { (12 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3585928>(re);
+    outer_3_plus::<SIMDUnit, { (13 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1079900>(
+        re,
+    );
+    outer_3_plus::<SIMDUnit, { (14 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1024112>(re);
+    outer_3_plus::<SIMDUnit, { (15 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2725464>(re);
+}
 
-        let offset = (round * step * 2) / COEFFICIENTS_IN_SIMD_UNIT;
-        let step_by = step / COEFFICIENTS_IN_SIMD_UNIT;
+#[inline(always)]
+fn invert_ntt_at_layer_4<SIMDUnit: Operations>(re: &mut PolynomialRingElement<SIMDUnit>) {
+    const STEP: usize = 16; // 1 << LAYER;
+    const STEP_BY: usize = 2; // step / COEFFICIENTS_IN_SIMD_UNIT;
 
-        for j in offset..offset + step_by {
-            let a_minus_b = SIMDUnit::subtract(&re.simd_units[j + step_by], &re.simd_units[j]);
-            re.simd_units[j] = SIMDUnit::add(&re.simd_units[j], &re.simd_units[j + step_by]);
-            re.simd_units[j + step_by] =
-                montgomery_multiply_by_fer(a_minus_b, ZETAS_TIMES_MONTGOMERY_R[*zeta_i]);
-        }
-        ()
-    }
-    ()
+    outer_3_plus::<SIMDUnit, { (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2680103>(re);
+    outer_3_plus::<SIMDUnit, { (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3111497>(re);
+    outer_3_plus::<SIMDUnit, { (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2884855>(re);
+    outer_3_plus::<SIMDUnit, { (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3119733>(re);
+    outer_3_plus::<SIMDUnit, { (4 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2091905>(re);
+    outer_3_plus::<SIMDUnit, { (5 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -359251>(re);
+    outer_3_plus::<SIMDUnit, { (6 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2353451>(re);
+    outer_3_plus::<SIMDUnit, { (7 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1826347>(re);
+}
+
+#[inline(always)]
+fn invert_ntt_at_layer_5<SIMDUnit: Operations>(re: &mut PolynomialRingElement<SIMDUnit>) {
+    const STEP: usize = 32; // 1 << LAYER;
+    const STEP_BY: usize = 4; // step / COEFFICIENTS_IN_SIMD_UNIT;
+
+    outer_3_plus::<SIMDUnit, { (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 466468>(re);
+    outer_3_plus::<SIMDUnit, { (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -876248>(re);
+    outer_3_plus::<SIMDUnit, { (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -777960>(re);
+    outer_3_plus::<SIMDUnit, { (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 237124>(re);
+}
+
+#[inline(always)]
+fn invert_ntt_at_layer_6<SIMDUnit: Operations>(re: &mut PolynomialRingElement<SIMDUnit>) {
+    const STEP: usize = 64; // 1 << LAYER;
+    const STEP_BY: usize = 8; // step / COEFFICIENTS_IN_SIMD_UNIT;
+
+    outer_3_plus::<SIMDUnit, { (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -518909>(re);
+    outer_3_plus::<SIMDUnit, { (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2608894>(re);
+}
+
+#[inline(always)]
+fn invert_ntt_at_layer_7<SIMDUnit: Operations>(re: &mut PolynomialRingElement<SIMDUnit>) {
+    const STEP: usize = 128; // 1 << LAYER;
+    const STEP_BY: usize = 16; // step / COEFFICIENTS_IN_SIMD_UNIT;
+
+    outer_3_plus::<SIMDUnit, { (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 25847>(re);
 }
 
 #[inline(always)]
 pub(crate) fn invert_ntt_montgomery<SIMDUnit: Operations>(
     mut re: PolynomialRingElement<SIMDUnit>,
 ) -> PolynomialRingElement<SIMDUnit> {
-    let mut zeta_i = COEFFICIENTS_IN_RING_ELEMENT;
-
-    invert_ntt_at_layer_0(&mut zeta_i, &mut re);
-    invert_ntt_at_layer_1(&mut zeta_i, &mut re);
-    invert_ntt_at_layer_2(&mut zeta_i, &mut re);
-    invert_ntt_at_layer_3_plus::<SIMDUnit, 3>(&mut zeta_i, &mut re);
-    invert_ntt_at_layer_3_plus::<SIMDUnit, 4>(&mut zeta_i, &mut re);
-    invert_ntt_at_layer_3_plus::<SIMDUnit, 5>(&mut zeta_i, &mut re);
-    invert_ntt_at_layer_3_plus::<SIMDUnit, 6>(&mut zeta_i, &mut re);
-    invert_ntt_at_layer_3_plus::<SIMDUnit, 7>(&mut zeta_i, &mut re);
+    invert_ntt_at_layer_0(&mut re);
+    invert_ntt_at_layer_1(&mut re);
+    invert_ntt_at_layer_2(&mut re);
+    invert_ntt_at_layer_3(&mut re);
+    invert_ntt_at_layer_4(&mut re);
+    invert_ntt_at_layer_5(&mut re);
+    invert_ntt_at_layer_6(&mut re);
+    invert_ntt_at_layer_7(&mut re);
 
     for i in 0..re.simd_units.len() {
         // After invert_ntt_at_layer, elements are of the form a * MONTGOMERY_R^{-1}
diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
index 512669e28..60b98fc25 100644
--- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
@@ -1,7 +1,5 @@
 use super::arithmetic;
-use crate::simd::traits::{
-    COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R,
-};
+use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT};
 
 use libcrux_intrinsics::avx2::*;
 
@@ -124,28 +122,42 @@ pub fn invert_ntt_at_layer_0(
 }
 
 #[inline(always)]
-fn ntt_at_layer_0(zeta_i: &mut usize, re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
-    *zeta_i += 1;
-    for round in (0..re.len()).step_by(2) {
-        let (a, b) = butterfly_2(
-            re[round],
-            re[round + 1],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 4],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 5],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 6],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 7],
-        );
-        re[round] = a;
-        re[round + 1] = b;
-
-        *zeta_i += 8;
+fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+    macro_rules! round {
+        ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal, $zeta_4:literal, $zeta_5:literal, $zeta_6:literal, $zeta_7:literal) => {
+            let (a, b) = butterfly_2(
+                re[$i],
+                re[$i + 1],
+                $zeta_0,
+                $zeta_1,
+                $zeta_2,
+                $zeta_3,
+                $zeta_4,
+                $zeta_5,
+                $zeta_6,
+                $zeta_7,
+            );
+            re[$i] = a;
+            re[$i + 1] = b;
+        };
     }
 
-    *zeta_i -= 1;
+    round!(0, 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462);
+    round!(2, 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378);
+    round!(4, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500);
+    round!(6, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838);
+    round!(8, 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044);
+    round!(10, 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974);
+    round!(12, -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970);
+    round!(14, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642);
+    round!(16, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031);
+    round!(18, -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993);
+    round!(20, -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385);
+    round!(22, -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107);
+    round!(24, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078);
+    round!(26, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893);
+    round!(28, -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687);
+    round!(30, -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782);
 }
 
 #[inline(always)]
@@ -164,24 +176,31 @@ pub fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec25
 }
 
 #[inline(always)]
-fn ntt_at_layer_1(zeta_i: &mut usize, re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
-    *zeta_i += 1;
-    for round in (0..re.len()).step_by(2) {
-        let (a, b) = butterfly_4(
-            re[round],
-            re[round + 1],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3],
-        );
-        re[round] = a;
-        re[round + 1] = b;
-
-        *zeta_i += 4;
+fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+    macro_rules! round {
+        ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => {
+            let (a, b) = butterfly_4(re[$i], re[$i + 1], $zeta_0, $zeta_1, $zeta_2, $zeta_3);
+            re[$i] = a;
+            re[$i + 1] = b;
+        };
     }
 
-    *zeta_i -= 1;
+    round!(0, -3930395, -1528703, -3677745, -3041255);
+    round!(2, -1452451, 3475950, 2176455, -1585221);
+    round!(4, -1257611, 1939314, -4083598, -1000202);
+    round!(6, -3190144, -3157330, -3632928, 126922);
+    round!(8, 3412210, -983419, 2147896, 2715295);
+    round!(10, -2967645, -3693493, -411027, -2477047);
+    round!(12, -671102, -1228525, -22981, -1308169);
+    round!(14, -381987, 1349076, 1852771, -1430430);
+    round!(16, -3343383, 264944, 508951, 3097992);
+    round!(18, 44288, -1100098, 904516, 3958618);
+    round!(20, -3724342, -8578, 1653064, -3249728);
+    round!(22, 2389356, -210977, 759969, -1316856);
+    round!(24, 189548, -3553272, 3159746, -1851402);
+    round!(26, -2409325, -177440, 1315589, 1341330);
+    round!(28, 1285669, -1584928, -812732, -1439742);
+    round!(30, -3019102, -3881060, -3628969, 3839961);
 }
 
 #[inline(always)]
@@ -200,46 +219,173 @@ pub fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 {
 }
 
 #[inline(always)]
-fn ntt_at_layer_2(zeta_i: &mut usize, re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
-    for round in (0..re.len()).step_by(2) {
-        *zeta_i += 1;
-        let (a, b) = butterfly_8(
-            re[round],
-            re[round + 1],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1],
-        );
-        re[round] = a;
-        re[round + 1] = b;
-
-        *zeta_i += 1;
+fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+    macro_rules! round {
+        ($round:literal, $zeta_0:literal, $zeta_1:literal) => {
+            let (a, b) = butterfly_8(re[$round], re[$round + 1], $zeta_0, $zeta_1);
+            re[$round] = a;
+            re[$round + 1] = b;
+        };
     }
-    ()
+
+    round!(0, 2706023, 95776);
+    round!(2, 3077325, 3530437);
+    round!(4, -1661693, -3592148);
+    round!(6, -2537516, 3915439);
+    round!(8, -3861115, -3043716);
+    round!(10, 3574422, -2867647);
+    round!(12, 3539968, -300467);
+    round!(14, 2348700, -539299);
+    round!(16, -1699267, -1643818);
+    round!(18, 3505694, -3821735);
+    round!(20, 3507263, -2140649);
+    round!(22, -1600420, 3699596);
+    round!(24, 811944, 531354);
+    round!(26, 954230, 3881043);
+    round!(28, 3900724, -2556880);
+    round!(30, 2071892, -2797779);
 }
 
+/// This is equivalent to the pqclean 0 and 1
+///
+/// This does 32 Montgomery multiplications (192 multiplications).
+/// This is the same as in pqclean. The only difference is locality of registers.
 #[inline(always)]
-fn ntt_at_layer_3_plus<const LAYER: usize>(
-    zeta_i: &mut usize,
-    re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT],
-) {
-    let step = 1 << LAYER;
-
-    for round in 0..(128 >> LAYER) {
-        *zeta_i += 1;
-
-        let offset = (round * step * 2) / COEFFICIENTS_IN_SIMD_UNIT;
-        let step_by = step / COEFFICIENTS_IN_SIMD_UNIT;
-
-        for j in offset..offset + step_by {
-            let t = arithmetic::montgomery_multiply_by_constant(
-                re[j + step_by],
-                ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
+fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+    let field_modulus = mm256_set1_epi32(crate::simd::traits::FIELD_MODULUS);
+    let inverse_of_modulus_mod_montgomery_r =
+        mm256_set1_epi32(crate::simd::traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32);
+
+    macro_rules! mul {
+        ($i:expr, $zeta:expr, $step_by:expr) => {
+            let prod02 = mm256_mul_epi32(re[$i + $step_by], $zeta);
+            let prod13 = mm256_mul_epi32(
+                mm256_shuffle_epi32::<0b11_11_01_01>(re[$i + $step_by]), // 0xF5
+                mm256_shuffle_epi32::<0b11_11_01_01>($zeta),             // 0xF5
             );
+            let k02 = mm256_mul_epi32(prod02, inverse_of_modulus_mod_montgomery_r);
+            let k13 = mm256_mul_epi32(prod13, inverse_of_modulus_mod_montgomery_r);
+
+            let c02 = mm256_mul_epi32(k02, field_modulus);
+            let c13 = mm256_mul_epi32(k13, field_modulus);
+
+            let res02 = mm256_sub_epi32(prod02, c02);
+            let res13 = mm256_sub_epi32(prod13, c13);
+            let res02_shifted = mm256_shuffle_epi32::<0b11_11_01_01>(res02); // 0xF5
+            let t = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); // 0xAA
+
+            re[$i + $step_by] = arithmetic::subtract(re[$i], t);
+            re[$i] = arithmetic::add(re[$i], t);
+        };
+    }
+
+    macro_rules! layer {
+        ($start:literal, $zeta:expr, $step_by:expr) => {{
+            mul!($start, $zeta, $step_by);
+            mul!($start + 1, $zeta, $step_by);
+            mul!($start + 2, $zeta, $step_by);
+            mul!($start + 3, $zeta, $step_by);
+        }};
+    }
+
+    const STEP_BY_7: usize = 2 * COEFFICIENTS_IN_SIMD_UNIT;
+    const STEP_BY_6: usize = (1 << 6) / COEFFICIENTS_IN_SIMD_UNIT;
+
+    let zeta7 = mm256_set1_epi32(25847);
+    let zeta60 = mm256_set1_epi32(-2608894);
+    let zeta61 = mm256_set1_epi32(-518909);
+
+    layer!(0, zeta7, STEP_BY_7);
+    layer!(8, zeta7, STEP_BY_7);
+    layer!(0, zeta60, STEP_BY_6);
+    layer!(16, zeta61, STEP_BY_6);
+
+    layer!(4, zeta7, STEP_BY_7);
+    layer!(12, zeta7, STEP_BY_7);
+    layer!(4, zeta60, STEP_BY_6);
+    layer!(20, zeta61, STEP_BY_6);
+}
+
+/// Layer 5, 4, 3
+///
+/// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total
+/// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48)
+#[inline(always)]
+fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+    macro_rules! round {
+        ($i:literal, $zeta: literal) => {
+            let rhs = mm256_set1_epi32($zeta);
+            let offset = ($i * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT;
+
+            for j in offset..offset + STEP_BY {
+                let t = arithmetic::montgomery_multiply(re[j + STEP_BY], rhs);
+
+                re[j + STEP_BY] = arithmetic::subtract(re[j], t);
+                re[j] = arithmetic::add(re[j], t);
+            }
+        };
+    }
+
+    // Layer 5
+    {
+        // 0: 0, 1, 2, 3
+        // 1: 8, 9, 10, 11
+        // 2: 16, 17, 18, 19
+        // 3: 24, 25, 26, 27
+        const STEP: usize = 1 << 5;
+        const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT;
+
+        round!(0, 237124);
+        round!(1, -777960);
+        round!(2, -876248);
+        round!(3, 466468);
+    }
+
+    // Layer 4
+    {
+        // 0: 0, 1
+        // 1: 4, 5
+        // 2: 8, 9
+        // 3: 12, 13
+        // 4: 16, 17
+        // 5: 20, 21
+        // 6: 24, 25
+        // 7: 28, 29
+        const STEP: usize = 1 << 4;
+        const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT;
+
+        round!(0, 1826347);
+        round!(1, 2353451);
+        round!(2, -359251);
+        round!(3, -2091905);
+        round!(4, 3119733);
+        round!(5, -2884855);
+        round!(6, 3111497);
+        round!(7, 2680103);
+    }
 
-            re[j + step_by] = arithmetic::subtract(re[j], t);
-            re[j] = arithmetic::add(re[j], t);
-        }
-        () // This is because of https://github.com/hacspec/hax/issues/720
+    // Layer 3
+    {
+        // 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
+        const STEP: usize = 1 << 3;
+        const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT;
+
+        round!(0, 2725464);
+        round!(1, 1024112);
+        round!(2, -1079900);
+        round!(3, 3585928);
+        round!(4, -549488);
+        round!(5, -1119584);
+        round!(6, 2619752);
+        round!(7, -2108549);
+        round!(8, -2118186);
+        round!(9, -3859737);
+        round!(10, -1399561);
+        round!(11, -3277672);
+        round!(12, 1757237);
+        round!(13, -19422);
+        round!(14, 4010497);
+        round!(15, 280005);
     }
     ()
 }
@@ -249,15 +395,11 @@ fn ntt_at_layer_3_plus<const LAYER: usize>(
 pub(crate) unsafe fn ntt(
     mut re: [Vec256; SIMD_UNITS_IN_RING_ELEMENT],
 ) -> [Vec256; SIMD_UNITS_IN_RING_ELEMENT] {
-    let mut zeta_i = 0;
-    ntt_at_layer_3_plus::<7>(&mut zeta_i, &mut re);
-    ntt_at_layer_3_plus::<6>(&mut zeta_i, &mut re);
-    ntt_at_layer_3_plus::<5>(&mut zeta_i, &mut re);
-    ntt_at_layer_3_plus::<4>(&mut zeta_i, &mut re);
-    ntt_at_layer_3_plus::<3>(&mut zeta_i, &mut re);
-    ntt_at_layer_2(&mut zeta_i, &mut re);
-    ntt_at_layer_1(&mut zeta_i, &mut re);
-    ntt_at_layer_0(&mut zeta_i, &mut re);
+    ntt_at_layer_7_and_6(&mut re);
+    ntt_at_layer_5_to_3(&mut re);
+    ntt_at_layer_2(&mut re);
+    ntt_at_layer_1(&mut re);
+    ntt_at_layer_0(&mut re);
 
     re
 }
diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs
index 93a049c21..bc6301aef 100644
--- a/libcrux-ml-dsa/src/simd/portable/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs
@@ -1,7 +1,10 @@
-use super::arithmetic::{self, montgomery_multiply_by_constant, montgomery_multiply_fe_by_fer};
-use super::vector_type::PortableSIMDUnit;
-use crate::simd::traits::{
-    COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R,
+use super::arithmetic::{self, montgomery_multiply_fe_by_fer};
+use crate::simd::{
+    portable::PortableSIMDUnit,
+    traits::{
+        montgomery_multiply_by_fer, FieldElementTimesMontgomeryR, COEFFICIENTS_IN_SIMD_UNIT,
+        SIMD_UNITS_IN_RING_ELEMENT,
+    },
 };
 
 #[inline(always)]
@@ -151,88 +154,226 @@ pub fn invert_ntt_at_layer_2(mut simd_unit: PortableSIMDUnit, zeta: i32) -> Port
 }
 
 #[inline(always)]
-fn ntt_at_layer_0(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
-    *zeta_i += 1;
+fn ntt_at_layer_0(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
+    macro_rules! round {
+        ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => {
+            re[$i] = simd_unit_ntt_at_layer_0(re[$i], $zeta_0, $zeta_1, $zeta_2, $zeta_3);
+        };
+    }
 
-    for round in 0..re.len() {
-        re[round] = simd_unit_ntt_at_layer_0(
-            re[round],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3],
-        );
+    round!(0, 2091667, 3407706, 2316500, 3817976);
+    round!(1, -3342478, 2244091, -2446433, -3562462);
+    round!(2, 266997, 2434439, -1235728, 3513181);
+    round!(3, -3520352, -3759364, -1197226, -3193378);
+    round!(4, 900702, 1859098, 909542, 819034);
+    round!(5, 495491, -1613174, -43260, -522500);
+    round!(6, -655327, -3122442, 2031748, 3207046);
+    round!(7, -3556995, -525098, -768622, -3595838);
+    round!(8, 342297, 286988, -2437823, 4108315);
+    round!(9, 3437287, -3342277, 1735879, 203044);
+    round!(10, 2842341, 2691481, -2590150, 1265009);
+    round!(11, 4055324, 1247620, 2486353, 1595974);
+    round!(12, -3767016, 1250494, 2635921, -3548272);
+    round!(13, -2994039, 1869119, 1903435, -1050970);
+    round!(14, -1333058, 1237275, -3318210, -1430225);
+    round!(15, -451100, 1312455, 3306115, -1962642);
+    round!(16, -1279661, 1917081, -2546312, -1374803);
+    round!(17, 1500165, 777191, 2235880, 3406031);
+    round!(18, -542412, -2831860, -1671176, -1846953);
+    round!(19, -2584293, -3724270, 594136, -3776993);
+    round!(20, -2013608, 2432395, 2454455, -164721);
+    round!(21, 1957272, 3369112, 185531, -1207385);
+    round!(22, -3183426, 162844, 1616392, 3014001);
+    round!(23, 810149, 1652634, -3694233, -1799107);
+    round!(24, -3038916, 3523897, 3866901, 269760);
+    round!(25, 2213111, -975884, 1717735, 472078);
+    round!(26, -426683, 1723600, -1803090, 1910376);
+    round!(27, -1667432, -1104333, -260646, -3833893);
+    round!(28, -2939036, -2235985, -420899, -2286327);
+    round!(29, 183443, -976891, 1612842, -3545687);
+    round!(30, -554416, 3919660, -48306, -1362209);
+    round!(31, 3937738, 1400424, -846154, 1976782);
+}
 
-        *zeta_i += 4;
+#[inline(always)]
+fn ntt_at_layer_1(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
+    macro_rules! round {
+        ($i:literal, $zeta_0:literal, $zeta_1:literal) => {
+            re[$i] = simd_unit_ntt_at_layer_1(re[$i], $zeta_0, $zeta_1);
+        };
     }
 
-    *zeta_i -= 1;
+    round!(0, -3930395, -1528703);
+    round!(1, -3677745, -3041255);
+    round!(2, -1452451, 3475950);
+    round!(3, 2176455, -1585221);
+    round!(4, -1257611, 1939314);
+    round!(5, -4083598, -1000202);
+    round!(6, -3190144, -3157330);
+    round!(7, -3632928, 126922);
+    round!(8, 3412210, -983419);
+    round!(9, 2147896, 2715295);
+    round!(10, -2967645, -3693493);
+    round!(11, -411027, -2477047);
+    round!(12, -671102, -1228525);
+    round!(13, -22981, -1308169);
+    round!(14, -381987, 1349076);
+    round!(15, 1852771, -1430430);
+    round!(16, -3343383, 264944);
+    round!(17, 508951, 3097992);
+    round!(18, 44288, -1100098);
+    round!(19, 904516, 3958618);
+    round!(20, -3724342, -8578);
+    round!(21, 1653064, -3249728);
+    round!(22, 2389356, -210977);
+    round!(23, 759969, -1316856);
+    round!(24, 189548, -3553272);
+    round!(25, 3159746, -1851402);
+    round!(26, -2409325, -177440);
+    round!(27, 1315589, 1341330);
+    round!(28, 1285669, -1584928);
+    round!(29, -812732, -1439742);
+    round!(30, -3019102, -3881060);
+    round!(31, -3628969, 3839961);
 }
 
 #[inline(always)]
-fn ntt_at_layer_1(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
-    *zeta_i += 1;
+fn ntt_at_layer_2(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
+    macro_rules! round {
+        ($i:literal, $zeta:literal) => {
+            re[$i] = simd_unit_ntt_at_layer_2(re[$i], $zeta);
+        };
+    }
 
-    for round in 0..re.len() {
-        re[round] = simd_unit_ntt_at_layer_1(
-            re[round],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i],
-            ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1],
-        );
+    round!(0, 2706023);
+    round!(1, 95776);
+    round!(2, 3077325);
+    round!(3, 3530437);
+    round!(4, -1661693);
+    round!(5, -3592148);
+    round!(6, -2537516);
+    round!(7, 3915439);
+    round!(8, -3861115);
+    round!(9, -3043716);
+    round!(10, 3574422);
+    round!(11, -2867647);
+    round!(12, 3539968);
+    round!(13, -300467);
+    round!(14, 2348700);
+    round!(15, -539299);
+    round!(16, -1699267);
+    round!(17, -1643818);
+    round!(18, 3505694);
+    round!(19, -3821735);
+    round!(20, 3507263);
+    round!(21, -2140649);
+    round!(22, -1600420);
+    round!(23, 3699596);
+    round!(24, 811944);
+    round!(25, 531354);
+    round!(26, 954230);
+    round!(27, 3881043);
+    round!(28, 3900724);
+    round!(29, -2556880);
+    round!(30, 2071892);
+    round!(31, -2797779);
+}
 
-        *zeta_i += 2;
+#[inline(always)]
+fn outer_3_plus<
+    const OFFSET: usize,
+    const STEP_BY: usize,
+    const ZETA: FieldElementTimesMontgomeryR,
+>(
+    re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT],
+) {
+    for j in OFFSET..OFFSET + STEP_BY {
+        let t = montgomery_multiply_by_fer(re[j + STEP_BY], ZETA);
+
+        re[j + STEP_BY] = arithmetic::subtract(&re[j], &t);
+        re[j] = arithmetic::add(&re[j], &t);
     }
+    () // Needed because of https://github.com/hacspec/hax/issues/720
+}
 
-    *zeta_i -= 1;
+#[inline(always)]
+fn ntt_at_layer_3(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
+    const STEP: usize = 8; // 1 << LAYER;
+    const STEP_BY: usize = 1; // step / COEFFICIENTS_IN_SIMD_UNIT;
+
+    outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  2725464>(re);
+    outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  1024112>(re);
+    outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  -1079900>(re);
+    outer_3_plus::<{ (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  3585928>(re);
+    outer_3_plus::<{ (4 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  -549488>(re);
+    outer_3_plus::<{ (5 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  -1119584>(re);
+    outer_3_plus::<{ (6 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  2619752>(re);
+    outer_3_plus::<{ (7 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  -2108549>(re);
+    outer_3_plus::<{ (8 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  -2118186>(re);
+    outer_3_plus::<{ (9 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  -3859737>(re);
+    outer_3_plus::<{ (10 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1399561>(re);
+    outer_3_plus::<{ (11 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -3277672>(re);
+    outer_3_plus::<{ (12 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1757237>(re);
+    outer_3_plus::<{ (13 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -19422>(re);
+    outer_3_plus::<{ (14 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 4010497>(re);
+    outer_3_plus::<{ (15 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 280005>(re);
 }
 
 #[inline(always)]
-fn ntt_at_layer_2(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
-    for round in 0..re.len() {
-        *zeta_i += 1;
-        re[round] = simd_unit_ntt_at_layer_2(re[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]);
-    }
-    ()
+fn ntt_at_layer_4(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
+    const STEP: usize = 16; // 1 << LAYER;
+    const STEP_BY: usize = 2; // step / COEFFICIENTS_IN_SIMD_UNIT;
+
+    outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1826347>(re);
+    outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2353451>(re);
+    outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -359251>(re);
+    outer_3_plus::<{ (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2091905>(re);
+    outer_3_plus::<{ (4 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3119733>(re);
+    outer_3_plus::<{ (5 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2884855>(re);
+    outer_3_plus::<{ (6 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3111497>(re);
+    outer_3_plus::<{ (7 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2680103>(re);
 }
 
 #[inline(always)]
-fn ntt_at_layer_3_plus<const LAYER: usize>(
-    zeta_i: &mut usize,
-    re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT],
-) {
-    let step = 1 << LAYER;
+fn ntt_at_layer_5(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
+    const STEP: usize = 32; // 1 << LAYER;
+    const STEP_BY: usize = 4; // step / COEFFICIENTS_IN_SIMD_UNIT;
+
+    outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 237124>(re);
+    outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -777960>(re);
+    outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -876248>(re);
+    outer_3_plus::<{ (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 466468>(re);
+}
 
-    for round in 0..(128 >> LAYER) {
-        *zeta_i += 1;
+#[inline(always)]
+fn ntt_at_layer_6(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
+    const STEP: usize = 64; // 1 << LAYER;
+    const STEP_BY: usize = 8; // step / COEFFICIENTS_IN_SIMD_UNIT;
 
-        let offset = (round * step * 2) / COEFFICIENTS_IN_SIMD_UNIT;
-        let step_by = step / COEFFICIENTS_IN_SIMD_UNIT;
+    outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2608894>(re);
+    outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -518909>(re);
+}
 
-        for j in offset..offset + step_by {
-            let t =
-                montgomery_multiply_by_constant(re[j + step_by], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]);
+#[inline(always)]
+fn ntt_at_layer_7(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
+    const STEP: usize = 128; // 1 << LAYER;
+    const STEP_BY: usize = 16; // step / COEFFICIENTS_IN_SIMD_UNIT;
 
-            re[j + step_by] = arithmetic::subtract(&re[j], &t);
-            re[j] = arithmetic::add(&re[j], &t);
-        }
-    }
-    () // Needed because of https://github.com/hacspec/hax/issues/720
+    outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 25847>(re);
 }
 
 #[inline(always)]
 pub(crate) fn ntt(
     mut re: [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT],
 ) -> [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT] {
-    let mut zeta_i = 0;
-
-    ntt_at_layer_3_plus::<7>(&mut zeta_i, &mut re);
-    ntt_at_layer_3_plus::<6>(&mut zeta_i, &mut re);
-    ntt_at_layer_3_plus::<5>(&mut zeta_i, &mut re);
-    ntt_at_layer_3_plus::<4>(&mut zeta_i, &mut re);
-    ntt_at_layer_3_plus::<3>(&mut zeta_i, &mut re);
-    ntt_at_layer_2(&mut zeta_i, &mut re);
-    ntt_at_layer_1(&mut zeta_i, &mut re);
-    ntt_at_layer_0(&mut zeta_i, &mut re);
+    ntt_at_layer_7(&mut re);
+    ntt_at_layer_6(&mut re);
+    ntt_at_layer_5(&mut re);
+    ntt_at_layer_4(&mut re);
+    ntt_at_layer_3(&mut re);
+    ntt_at_layer_2(&mut re);
+    ntt_at_layer_1(&mut re);
+    ntt_at_layer_0(&mut re);
 
     re
 }
diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs
index c50ff8537..38715a115 100644
--- a/libcrux-ml-dsa/src/simd/traits.rs
+++ b/libcrux-ml-dsa/src/simd/traits.rs
@@ -14,35 +14,6 @@ pub const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58_728_449;
 /// We use 'fer' as a shorthand for this type.
 pub(crate) type FieldElementTimesMontgomeryR = i32;
 
-pub(crate) const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 256] = [
-    0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, 1826347, 2353451, -359251,
-    -2091905, 3119733, -2884855, 3111497, 2680103, 2725464, 1024112, -1079900, 3585928, -549488,
-    -1119584, 2619752, -2108549, -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497,
-    280005, 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, -3861115,
-    -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, -1699267, -1643818, 3505694,
-    -3821735, 3507263, -2140649, -1600420, 3699596, 811944, 531354, 954230, 3881043, 3900724,
-    -2556880, 2071892, -2797779, -3930395, -1528703, -3677745, -3041255, -1452451, 3475950,
-    2176455, -1585221, -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922,
-    3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047, -671102, -1228525,
-    -22981, -1308169, -381987, 1349076, 1852771, -1430430, -3343383, 264944, 508951, 3097992,
-    44288, -1100098, 904516, 3958618, -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969,
-    -1316856, 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330, 1285669,
-    -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961, 2091667, 3407706, 2316500,
-    3817976, -3342478, 2244091, -2446433, -3562462, 266997, 2434439, -1235728, 3513181, -3520352,
-    -3759364, -1197226, -3193378, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260,
-    -522500, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, 342297,
-    286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, 2842341, 2691481, -2590150,
-    1265009, 4055324, 1247620, 2486353, 1595974, -3767016, 1250494, 2635921, -3548272, -2994039,
-    1869119, 1903435, -1050970, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115,
-    -1962642, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031, -542412,
-    -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, -2013608, 2432395, 2454455,
-    -164721, 1957272, 3369112, 185531, -1207385, -3183426, 162844, 1616392, 3014001, 810149,
-    1652634, -3694233, -1799107, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735,
-    472078, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, -2939036,
-    -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, -554416, 3919660, -48306,
-    -1362209, 3937738, 1400424, -846154, 1976782,
-];
-
 pub(crate) trait Operations: Copy + Clone {
     #[allow(non_snake_case)]
     fn ZERO() -> Self;

From 0703c5ba349bf587e1cfb3f9628fc61693e61119 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Mon, 4 Nov 2024 11:46:19 +0100
Subject: [PATCH 08/22] SHA-3 AVX2 target feature

Changes cherry-picked from `a87318d8`
---
 libcrux-ml-dsa/Cargo.toml     |   2 +-
 libcrux-sha3/Cargo.toml       |   4 +-
 libcrux-sha3/src/lib.rs       |  55 +--------------
 libcrux-sha3/src/simd/avx2.rs | 122 +++++++++++++++++++++++-----------
 4 files changed, 86 insertions(+), 97 deletions(-)

diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml
index 3358b8678..0949b4a9c 100644
--- a/libcrux-ml-dsa/Cargo.toml
+++ b/libcrux-ml-dsa/Cargo.toml
@@ -34,7 +34,7 @@ pqcrypto-dilithium = { version = "0.5.0" }         #, default-features = false
 [features]
 simd128 = ["libcrux-sha3/simd128", "libcrux-intrinsics/simd128"]
 simd256 = ["libcrux-sha3/simd256", "libcrux-intrinsics/simd256"]
-acvp = [] # expose internal API for ACVP testing
+acvp = []                                                        # expose internal API for ACVP testing
 
 [[bench]]
 name = "manual44"
diff --git a/libcrux-sha3/Cargo.toml b/libcrux-sha3/Cargo.toml
index 85ed0be95..23b21b401 100644
--- a/libcrux-sha3/Cargo.toml
+++ b/libcrux-sha3/Cargo.toml
@@ -23,8 +23,8 @@ libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics"
 hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" }
 
 [features]
-simd128 = []
-simd256 = []
+simd128 = ["libcrux-intrinsics/simd128"]
+simd256 = ["libcrux-intrinsics/simd256"]
 
 [[bench]]
 name = "sha3"
diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs
index c1395155d..d48dea15f 100644
--- a/libcrux-sha3/src/lib.rs
+++ b/libcrux-sha3/src/lib.rs
@@ -3,7 +3,7 @@
 //! A SHA3 implementation with optional simd optimisations.
 
 #![no_std]
-#![forbid(unsafe_code)]
+#![deny(unsafe_code)]
 #![deny(missing_docs)]
 
 pub mod simd;
@@ -92,7 +92,6 @@ pub fn hash<const LEN: usize>(algorithm: Algorithm, payload: &[u8]) -> [u8; LEN]
 pub use hash as sha3;
 
 /// SHA3 224
-#[inline(always)]
 pub fn sha224(data: &[u8]) -> Sha3_224Digest {
     let mut out = [0u8; 28];
     sha224_ema(&mut out, data);
@@ -103,7 +102,6 @@ pub fn sha224(data: &[u8]) -> Sha3_224Digest {
 ///
 /// Preconditions:
 /// - `digest.len() == 28`
-#[inline(always)]
 pub fn sha224_ema(digest: &mut [u8], payload: &[u8]) {
     debug_assert!(payload.len() <= u32::MAX as usize);
     debug_assert!(digest.len() == 28);
@@ -112,7 +110,6 @@ pub fn sha224_ema(digest: &mut [u8], payload: &[u8]) {
 }
 
 /// SHA3 256
-#[inline(always)]
 pub fn sha256(data: &[u8]) -> Sha3_256Digest {
     let mut out = [0u8; 32];
     sha256_ema(&mut out, data);
@@ -120,7 +117,6 @@ pub fn sha256(data: &[u8]) -> Sha3_256Digest {
 }
 
 /// SHA3 256
-#[inline(always)]
 pub fn sha256_ema(digest: &mut [u8], payload: &[u8]) {
     debug_assert!(payload.len() <= u32::MAX as usize);
     debug_assert!(digest.len() == 32);
@@ -129,7 +125,6 @@ pub fn sha256_ema(digest: &mut [u8], payload: &[u8]) {
 }
 
 /// SHA3 384
-#[inline(always)]
 pub fn sha384(data: &[u8]) -> Sha3_384Digest {
     let mut out = [0u8; 48];
     sha384_ema(&mut out, data);
@@ -137,7 +132,6 @@ pub fn sha384(data: &[u8]) -> Sha3_384Digest {
 }
 
 /// SHA3 384
-#[inline(always)]
 pub fn sha384_ema(digest: &mut [u8], payload: &[u8]) {
     debug_assert!(payload.len() <= u32::MAX as usize);
     debug_assert!(digest.len() == 48);
@@ -146,7 +140,6 @@ pub fn sha384_ema(digest: &mut [u8], payload: &[u8]) {
 }
 
 /// SHA3 512
-#[inline(always)]
 pub fn sha512(data: &[u8]) -> Sha3_512Digest {
     let mut out = [0u8; 64];
     sha512_ema(&mut out, data);
@@ -154,7 +147,6 @@ pub fn sha512(data: &[u8]) -> Sha3_512Digest {
 }
 
 /// SHA3 512
-#[inline(always)]
 pub fn sha512_ema(digest: &mut [u8], payload: &[u8]) {
     debug_assert!(payload.len() <= u32::MAX as usize);
     debug_assert!(digest.len() == 64);
@@ -166,7 +158,6 @@ pub fn sha512_ema(digest: &mut [u8], payload: &[u8]) {
 ///
 /// Note that the output length `BYTES` must fit into 32 bit. If it is longer,
 /// the output will only return `u32::MAX` bytes.
-#[inline(always)]
 pub fn shake128<const BYTES: usize>(data: &[u8]) -> [u8; BYTES] {
     let mut out = [0u8; BYTES];
     portable::shake128(&mut out, data);
@@ -176,7 +167,6 @@ pub fn shake128<const BYTES: usize>(data: &[u8]) -> [u8; BYTES] {
 /// SHAKE 128
 ///
 /// Writes `out.len()` bytes.
-#[inline(always)]
 pub fn shake128_ema(out: &mut [u8], data: &[u8]) {
     portable::shake128(out, data);
 }
@@ -185,7 +175,6 @@ pub fn shake128_ema(out: &mut [u8], data: &[u8]) {
 ///
 /// Note that the output length `BYTES` must fit into 32 bit. If it is longer,
 /// the output will only return `u32::MAX` bytes.
-#[inline(always)]
 pub fn shake256<const BYTES: usize>(data: &[u8]) -> [u8; BYTES] {
     let mut out = [0u8; BYTES];
     portable::shake256(&mut out, data);
@@ -195,7 +184,6 @@ pub fn shake256<const BYTES: usize>(data: &[u8]) -> [u8; BYTES] {
 /// SHAKE 256
 ///
 /// Writes `out.len()` bytes.
-#[inline(always)]
 pub fn shake256_ema(out: &mut [u8], data: &[u8]) {
     portable::shake256(out, data);
 }
@@ -221,37 +209,31 @@ pub mod portable {
     }
 
     /// A portable SHA3 224 implementation.
-    #[inline(always)]
     pub fn sha224(digest: &mut [u8], data: &[u8]) {
         keccakx1::<144, 0x06u8>([data], [digest]);
     }
 
     /// A portable SHA3 256 implementation.
-    #[inline(always)]
     pub fn sha256(digest: &mut [u8], data: &[u8]) {
         keccakx1::<136, 0x06u8>([data], [digest]);
     }
 
     /// A portable SHA3 384 implementation.
-    #[inline(always)]
     pub fn sha384(digest: &mut [u8], data: &[u8]) {
         keccakx1::<104, 0x06u8>([data], [digest]);
     }
 
     /// A portable SHA3 512 implementation.
-    #[inline(always)]
     pub fn sha512(digest: &mut [u8], data: &[u8]) {
         keccakx1::<72, 0x06u8>([data], [digest]);
     }
 
     /// A portable SHAKE128 implementation.
-    #[inline(always)]
     pub fn shake128(digest: &mut [u8], data: &[u8]) {
         keccakx1::<168, 0x1fu8>([data], [digest]);
     }
 
     /// A portable SHAKE256 implementation.
-    #[inline(always)]
     pub fn shake256(digest: &mut [u8], data: &[u8]) {
         keccakx1::<136, 0x1fu8>([data], [digest]);
     }
@@ -366,7 +348,6 @@ pub mod portable {
         }
 
         /// Create a new SHAKE-128 state object.
-        #[inline(always)]
         pub fn shake128_init() -> KeccakState {
             KeccakState {
                 state: GenericState::<1, u64>::new(),
@@ -374,31 +355,26 @@ pub mod portable {
         }
 
         /// Absorb
-        #[inline(always)]
         pub fn shake128_absorb_final(s: &mut KeccakState, data0: &[u8]) {
             absorb_final::<1, u64, 168, 0x1fu8>(&mut s.state, [data0]);
         }
 
         /// Squeeze three blocks
-        #[inline(always)]
         pub fn shake128_squeeze_first_three_blocks(s: &mut KeccakState, out0: &mut [u8]) {
             squeeze_first_three_blocks::<1, u64, 168>(&mut s.state, [out0])
         }
 
         /// Squeeze five blocks
-        #[inline(always)]
         pub fn shake128_squeeze_first_five_blocks(s: &mut KeccakState, out0: &mut [u8]) {
             squeeze_first_five_blocks::<1, u64, 168>(&mut s.state, [out0])
         }
 
         /// Squeeze another block
-        #[inline(always)]
         pub fn shake128_squeeze_next_block(s: &mut KeccakState, out0: &mut [u8]) {
             squeeze_next_block::<1, u64, 168>(&mut s.state, [out0])
         }
 
         /// Create a new SHAKE-256 state object.
-        #[inline(always)]
         pub fn shake256_init() -> KeccakState {
             KeccakState {
                 state: GenericState::<1, u64>::new(),
@@ -406,19 +382,16 @@ pub mod portable {
         }
 
         /// Absorb some data for SHAKE-256 for the last time
-        #[inline(always)]
         pub fn shake256_absorb_final(s: &mut KeccakState, data: &[u8]) {
             absorb_final::<1, u64, 136, 0x1fu8>(&mut s.state, [data]);
         }
 
         /// Squeeze the first SHAKE-256 block
-        #[inline(always)]
         pub fn shake256_squeeze_first_block(s: &mut KeccakState, out: &mut [u8]) {
             squeeze_first_block::<1, u64, 136>(&mut s.state, [out])
         }
 
         /// Squeeze the next SHAKE-256 block
-        #[inline(always)]
         pub fn shake256_squeeze_next_block(s: &mut KeccakState, out: &mut [u8]) {
             squeeze_next_block::<1, u64, 136>(&mut s.state, [out])
         }
@@ -444,7 +417,6 @@ pub mod neon {
 
     /// A portable SHA3 224 implementation.
     #[allow(unused_variables)]
-    #[inline(always)]
     pub fn sha224(digest: &mut [u8], data: &[u8]) {
         #[cfg(not(feature = "simd128"))]
         unimplemented!();
@@ -457,7 +429,6 @@ pub mod neon {
 
     /// A portable SHA3 256 implementation.
     #[allow(unused_variables)]
-    #[inline(always)]
     pub fn sha256(digest: &mut [u8], data: &[u8]) {
         #[cfg(not(feature = "simd128"))]
         unimplemented!();
@@ -470,7 +441,6 @@ pub mod neon {
 
     /// A portable SHA3 384 implementation.
     #[allow(unused_variables)]
-    #[inline(always)]
     pub fn sha384(digest: &mut [u8], data: &[u8]) {
         #[cfg(not(feature = "simd128"))]
         unimplemented!();
@@ -483,7 +453,6 @@ pub mod neon {
 
     /// A portable SHA3 512 implementation.
     #[allow(unused_variables)]
-    #[inline(always)]
     pub fn sha512(digest: &mut [u8], data: &[u8]) {
         #[cfg(not(feature = "simd128"))]
         unimplemented!();
@@ -496,7 +465,6 @@ pub mod neon {
 
     /// A portable SHAKE128 implementation.
     #[allow(unused_variables)]
-    #[inline(always)]
     pub fn shake128<const LEN: usize>(digest: &mut [u8; LEN], data: &[u8]) {
         #[cfg(not(feature = "simd128"))]
         unimplemented!();
@@ -509,7 +477,6 @@ pub mod neon {
 
     /// A portable SHAKE256 implementation.
     #[allow(unused_variables)]
-    #[inline(always)]
     pub fn shake256<const LEN: usize>(digest: &mut [u8; LEN], data: &[u8]) {
         #[cfg(not(feature = "simd128"))]
         unimplemented!();
@@ -529,7 +496,6 @@ pub mod neon {
         ///
         /// Writes the two results into `out0` and `out1`
         #[allow(unused_variables)]
-        #[inline(always)]
         pub fn shake256(input0: &[u8], input1: &[u8], out0: &mut [u8], out1: &mut [u8]) {
             // TODO: make argument ordering consistent
             #[cfg(not(feature = "simd128"))]
@@ -596,7 +562,6 @@ pub mod neon {
             }
 
             /// Initialise the `KeccakState2`.
-            #[inline(always)]
             pub fn init() -> KeccakState {
                 #[cfg(not(feature = "simd128"))]
                 unimplemented!();
@@ -614,7 +579,6 @@ pub mod neon {
             }
 
             /// Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`.
-            #[inline(always)]
             #[allow(unused_variables)]
             pub fn shake128_absorb_final(s: &mut KeccakState, data0: &[u8], data1: &[u8]) {
                 #[cfg(not(feature = "simd128"))]
@@ -634,7 +598,6 @@ pub mod neon {
             }
 
             /// Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`.
-            #[inline(always)]
             #[allow(unused_variables)]
             pub fn shake256_absorb_final(s: &mut KeccakState, data0: &[u8], data1: &[u8]) {
                 #[cfg(not(feature = "simd128"))]
@@ -684,7 +647,6 @@ pub mod neon {
             /// Squeeze 2 times the first three blocks in parallel in the
             /// [`KeccakState`] and return the output in `out0` and `out1`.
             #[allow(unused_variables)]
-            #[inline(always)]
             pub fn shake128_squeeze_first_three_blocks(
                 s: &mut KeccakState,
                 out0: &mut [u8],
@@ -708,7 +670,6 @@ pub mod neon {
 
             /// Squeeze five blocks
             #[allow(unused_variables)]
-            #[inline(always)]
             pub fn shake128_squeeze_first_five_blocks(
                 s: &mut KeccakState,
                 out0: &mut [u8],
@@ -724,7 +685,6 @@ pub mod neon {
             }
 
             /// Squeeze block
-            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake256_squeeze_first_block(
                 s: &mut KeccakState,
@@ -741,7 +701,6 @@ pub mod neon {
             }
 
             /// Squeeze next block
-            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake256_squeeze_next_block(
                 s: &mut KeccakState,
@@ -816,7 +775,6 @@ pub mod neon {
             /// Squeeze 2 times the next block in parallel in the
             /// [`KeccakState`] and return the output in `out0` and `out1`.
             #[allow(unused_variables)]
-            #[inline(always)]
             pub fn shake128_squeeze_next_block(
                 s: &mut KeccakState,
                 out0: &mut [u8],
@@ -843,7 +801,6 @@ pub mod neon {
             ///
             /// **PANICS** when `N` is not 2, 3, or 4.
             #[allow(unused_variables, non_snake_case)]
-            #[inline(always)]
             fn _shake128_squeezexN<const LEN: usize, const N: usize>(
                 state: &mut [KeccakState; 2],
             ) -> [[u8; LEN]; N] {
@@ -907,7 +864,6 @@ pub mod avx2 {
 
         /// Perform 4 SHAKE256 operations in parallel
         #[allow(unused_variables, clippy::too_many_arguments)] // TODO: decide if we want to fall back here
-        #[inline(always)]
         pub fn shake256(
             input0: &[u8],
             input1: &[u8],
@@ -944,7 +900,6 @@ pub mod avx2 {
         ///
         /// **PANICS** when `N` is not 2, 3, or 4.
         #[allow(unused_variables, non_snake_case)]
-        #[inline(always)]
         fn _shake256xN<const LEN: usize, const N: usize>(input: &[[u8; 33]; N]) -> [[u8; LEN]; N] {
             debug_assert!(N == 2 || N == 3 || N == 4);
             let mut out = [[0u8; LEN]; N];
@@ -1030,7 +985,6 @@ pub mod avx2 {
             pub type KeccakState = [crate::portable::KeccakState; 4];
 
             /// Initialise the [`KeccakState`].
-            #[inline(always)]
             pub fn init() -> KeccakState {
                 #[cfg(not(feature = "simd256"))]
                 unimplemented!();
@@ -1057,7 +1011,6 @@ pub mod avx2 {
             }
 
             /// Absorb
-            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake128_absorb_final(
                 s: &mut KeccakState,
@@ -1095,7 +1048,6 @@ pub mod avx2 {
             }
 
             /// Absorb
-            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake256_absorb_final(
                 s: &mut KeccakState,
@@ -1111,7 +1063,6 @@ pub mod avx2 {
             }
 
             /// Squeeze block
-            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake256_squeeze_first_block(
                 s: &mut KeccakState,
@@ -1127,7 +1078,6 @@ pub mod avx2 {
             }
 
             /// Squeeze next block
-            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake256_squeeze_next_block(
                 s: &mut KeccakState,
@@ -1175,7 +1125,6 @@ pub mod avx2 {
             }
 
             /// Squeeze three blocks
-            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake128_squeeze_first_three_blocks(
                 s: &mut KeccakState,
@@ -1216,7 +1165,6 @@ pub mod avx2 {
             }
 
             /// Squeeze five blocks
-            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake128_squeeze_first_five_blocks(
                 s: &mut KeccakState,
@@ -1286,7 +1234,6 @@ pub mod avx2 {
             }
 
             /// Squeeze another block
-            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake128_squeeze_next_block(
                 s: &mut KeccakState,
diff --git a/libcrux-sha3/src/simd/avx2.rs b/libcrux-sha3/src/simd/avx2.rs
index 07578e1d1..f957fe115 100644
--- a/libcrux-sha3/src/simd/avx2.rs
+++ b/libcrux-sha3/src/simd/avx2.rs
@@ -1,46 +1,59 @@
 use crate::traits::internal::*;
 use libcrux_intrinsics::avx2::*;
 
-#[inline(always)]
-fn rotate_left<const LEFT: i32, const RIGHT: i32>(x: Vec256) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn rotate_left<const LEFT: i32, const RIGHT: i32>(x: Vec256) -> Vec256 {
     debug_assert!(LEFT + RIGHT == 64);
     // XXX: This could be done more efficiently, if the shift values are multiples of 8.
     mm256_xor_si256(mm256_slli_epi64::<LEFT>(x), mm256_srli_epi64::<RIGHT>(x))
 }
 
-#[inline(always)]
-fn _veor5q_u64(a: Vec256, b: Vec256, c: Vec256, d: Vec256, e: Vec256) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn _veor5q_u64(a: Vec256, b: Vec256, c: Vec256, d: Vec256, e: Vec256) -> Vec256 {
     let ab = mm256_xor_si256(a, b);
     let cd = mm256_xor_si256(c, d);
     let abcd = mm256_xor_si256(ab, cd);
     mm256_xor_si256(abcd, e)
 }
 
-#[inline(always)]
-fn _vrax1q_u64(a: Vec256, b: Vec256) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn _vrax1q_u64(a: Vec256, b: Vec256) -> Vec256 {
     mm256_xor_si256(a, rotate_left::<1, 63>(b))
 }
 
-#[inline(always)]
-fn _vxarq_u64<const LEFT: i32, const RIGHT: i32>(a: Vec256, b: Vec256) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn _vxarq_u64<const LEFT: i32, const RIGHT: i32>(a: Vec256, b: Vec256) -> Vec256 {
     let ab = mm256_xor_si256(a, b);
     rotate_left::<LEFT, RIGHT>(ab)
 }
 
-#[inline(always)]
-fn _vbcaxq_u64(a: Vec256, b: Vec256, c: Vec256) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn _vbcaxq_u64(a: Vec256, b: Vec256, c: Vec256) -> Vec256 {
     mm256_xor_si256(a, mm256_andnot_si256(c, b))
 }
 
-#[inline(always)]
-fn _veorq_n_u64(a: Vec256, c: u64) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn _veorq_n_u64(a: Vec256, c: u64) -> Vec256 {
     // Casting here is required, doesn't change the value.
     let c = mm256_set1_epi64x(c as i64);
     mm256_xor_si256(a, c)
 }
 
-#[inline(always)]
-pub(crate) fn load_block<const RATE: usize>(s: &mut [[Vec256; 5]; 5], blocks: [&[u8]; 4]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn xor(a: Vec256, b: Vec256) -> Vec256 {
+    mm256_xor_si256(a, b)
+}
+
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn load_block<const RATE: usize>(s: &mut [[Vec256; 5]; 5], blocks: [&[u8]; 4]) {
     debug_assert!(RATE <= blocks[0].len() && RATE % 8 == 0 && (RATE % 32 == 8 || RATE % 32 == 16));
     for i in 0..RATE / 32 {
         let v0 = mm256_loadu_si256_u8(&blocks[0][32 * i..32 * (i + 1)]);
@@ -92,20 +105,24 @@ pub(crate) fn load_block<const RATE: usize>(s: &mut [[Vec256; 5]; 5], blocks: [&
 }
 
 #[inline(always)]
+#[allow(unsafe_code)]
 pub(crate) fn load_block_full<const RATE: usize>(s: &mut [[Vec256; 5]; 5], blocks: [[u8; 200]; 4]) {
-    load_block::<RATE>(
-        s,
-        [
-            &blocks[0] as &[u8],
-            &blocks[1] as &[u8],
-            &blocks[2] as &[u8],
-            &blocks[3] as &[u8],
-        ],
-    );
+    unsafe {
+        load_block::<RATE>(
+            s,
+            [
+                &blocks[0] as &[u8],
+                &blocks[1] as &[u8],
+                &blocks[2] as &[u8],
+                &blocks[3] as &[u8],
+            ],
+        )
+    };
 }
 
-#[inline(always)]
-pub(crate) fn store_block<const RATE: usize>(s: &[[Vec256; 5]; 5], out: [&mut [u8]; 4]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn store_block<const RATE: usize>(s: &[[Vec256; 5]; 5], out: [&mut [u8]; 4]) {
     for i in 0..RATE / 32 {
         let v0l = mm256_permute2x128_si256::<0x20>(
             s[(4 * i) / 5][(4 * i) % 5],
@@ -159,17 +176,19 @@ pub(crate) fn store_block<const RATE: usize>(s: &[[Vec256; 5]; 5], out: [&mut [u
 }
 
 #[inline(always)]
+#[allow(unsafe_code)]
 pub(crate) fn store_block_full<const RATE: usize>(s: &[[Vec256; 5]; 5]) -> [[u8; 200]; 4] {
     let mut out0 = [0u8; 200];
     let mut out1 = [0u8; 200];
     let mut out2 = [0u8; 200];
     let mut out3 = [0u8; 200];
-    store_block::<RATE>(s, [&mut out0, &mut out1, &mut out2, &mut out3]);
+    unsafe { store_block::<RATE>(s, [&mut out0, &mut out1, &mut out2, &mut out3]) };
     [out0, out1, out2, out3]
 }
 
-#[inline(always)]
-fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
     [
         &a[0][start..start + len],
         &a[1][start..start + len],
@@ -178,8 +197,9 @@ fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
     ]
 }
 
-#[inline(always)]
-fn split_at_mut_4(out: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn split_at_mut_4(out: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) {
     let [out0, out1, out2, out3] = out;
     let (out00, out01) = out0.split_at_mut(mid);
     let (out10, out11) = out1.split_at_mut(mid);
@@ -193,53 +213,75 @@ impl KeccakItem<4> for Vec256 {
     fn zero() -> Self {
         mm256_set1_epi64x(0)
     }
+
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn xor5(a: Self, b: Self, c: Self, d: Self, e: Self) -> Self {
-        _veor5q_u64(a, b, c, d, e)
+        unsafe { _veor5q_u64(a, b, c, d, e) }
     }
+
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn rotate_left1_and_xor(a: Self, b: Self) -> Self {
-        _vrax1q_u64(a, b)
+        unsafe { _vrax1q_u64(a, b) }
     }
+
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn xor_and_rotate<const LEFT: i32, const RIGHT: i32>(a: Self, b: Self) -> Self {
-        _vxarq_u64::<LEFT, RIGHT>(a, b)
+        unsafe { _vxarq_u64::<LEFT, RIGHT>(a, b) }
     }
+
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn and_not_xor(a: Self, b: Self, c: Self) -> Self {
-        _vbcaxq_u64(a, b, c)
+        unsafe { _vbcaxq_u64(a, b, c) }
     }
+
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn xor_constant(a: Self, c: u64) -> Self {
-        _veorq_n_u64(a, c)
+        unsafe { _veorq_n_u64(a, c) }
     }
+
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn xor(a: Self, b: Self) -> Self {
-        mm256_xor_si256(a, b)
+        unsafe { xor(a, b) }
     }
+
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn load_block<const RATE: usize>(a: &mut [[Self; 5]; 5], b: [&[u8]; 4]) {
-        load_block::<RATE>(a, b)
+        unsafe { load_block::<RATE>(a, b) }
     }
+
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn store_block<const RATE: usize>(a: &[[Self; 5]; 5], b: [&mut [u8]; 4]) {
-        store_block::<RATE>(a, b)
+        unsafe { store_block::<RATE>(a, b) }
     }
+
     #[inline(always)]
     fn load_block_full<const RATE: usize>(a: &mut [[Self; 5]; 5], b: [[u8; 200]; 4]) {
         load_block_full::<RATE>(a, b)
     }
+
     #[inline(always)]
     fn store_block_full<const RATE: usize>(a: &[[Self; 5]; 5]) -> [[u8; 200]; 4] {
         store_block_full::<RATE>(a)
     }
+
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn slice_n(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
-        slice_4(a, start, len)
+        unsafe { slice_4(a, start, len) }
     }
+
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn split_at_mut_n(a: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) {
-        split_at_mut_4(a, mid)
+        unsafe { split_at_mut_4(a, mid) }
     }
 
     // TODO: Do we need this, or not? cf. https://github.com/cryspen/libcrux/issues/482

From 5d85370983d5fb1389573a87deb933614e1532a9 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Mon, 4 Nov 2024 11:54:55 +0100
Subject: [PATCH 09/22] Inlining + target feature changes around inverse NTT

Changes cherry-picked from `a87318d8`
---
 .../src/ml_dsa_generic/instantiations/avx2.rs |  1 +
 libcrux-ml-dsa/src/simd/avx2.rs               | 13 ++++--
 libcrux-ml-dsa/src/simd/avx2/ntt.rs           | 40 +++++++++++--------
 libcrux-ml-dsa/src/simd/portable/ntt.rs       | 20 +++++-----
 4 files changed, 45 insertions(+), 29 deletions(-)

diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
index 716fd2f59..40111939b 100644
--- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
+++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
@@ -333,6 +333,7 @@ pub(crate) fn generate_key_pair<
 
 /// Sign.
 #[allow(unsafe_code)]
+#[inline(always)]
 pub(crate) fn sign<
     const ROWS_IN_A: usize,
     const COLUMNS_IN_A: usize,
diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs
index c83c24caa..f4236caa2 100644
--- a/libcrux-ml-dsa/src/simd/avx2.rs
+++ b/libcrux-ml-dsa/src/simd/avx2.rs
@@ -137,6 +137,7 @@ impl Operations for AVX2SIMDUnit {
     }
 
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn invert_ntt_at_layer_0(
         simd_unit: Self,
         zeta0: i32,
@@ -144,14 +145,20 @@ impl Operations for AVX2SIMDUnit {
         zeta2: i32,
         zeta3: i32,
     ) -> Self {
-        ntt::invert_ntt_at_layer_0(simd_unit.coefficients, zeta0, zeta1, zeta2, zeta3).into()
+        unsafe {
+            ntt::invert_ntt_at_layer_0(simd_unit.coefficients, zeta0, zeta1, zeta2, zeta3).into()
+        }
     }
+
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn invert_ntt_at_layer_1(simd_unit: Self, zeta0: i32, zeta1: i32) -> Self {
-        ntt::invert_ntt_at_layer_1(simd_unit.coefficients, zeta0, zeta1).into()
+        unsafe { ntt::invert_ntt_at_layer_1(simd_unit.coefficients, zeta0, zeta1).into() }
     }
+
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn invert_ntt_at_layer_2(simd_unit: Self, zeta: i32) -> Self {
-        ntt::invert_ntt_at_layer_2(simd_unit.coefficients, zeta).into()
+        unsafe { ntt::invert_ntt_at_layer_2(simd_unit.coefficients, zeta).into() }
     }
 }
diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
index 60b98fc25..b764e6178 100644
--- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
@@ -100,8 +100,9 @@ fn butterfly_8(a: Vec256, b: Vec256, zeta0: i32, zeta1: i32) -> (Vec256, Vec256)
     (a_out, b_out)
 }
 
-#[inline(always)]
-pub fn invert_ntt_at_layer_0(
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+pub(super) unsafe fn invert_ntt_at_layer_0(
     simd_unit: Vec256,
     zeta0: i32,
     zeta1: i32,
@@ -121,8 +122,9 @@ pub fn invert_ntt_at_layer_0(
     mm256_blend_epi32::<0b1_0_1_0_1_0_1_0>(sums, products)
 }
 
-#[inline(always)]
-fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     macro_rules! round {
         ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal, $zeta_4:literal, $zeta_5:literal, $zeta_6:literal, $zeta_7:literal) => {
             let (a, b) = butterfly_2(
@@ -160,8 +162,9 @@ fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     round!(30, -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782);
 }
 
-#[inline(always)]
-pub fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+pub(super) unsafe fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec256 {
     let zetas = mm256_set_epi32(zeta1, zeta1, 0, 0, zeta0, zeta0, 0, 0);
 
     let add_by_signs = mm256_set_epi32(-1, -1, 1, 1, -1, -1, 1, 1);
@@ -175,8 +178,9 @@ pub fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec25
     mm256_blend_epi32::<0b1_1_0_0_1_1_0_0>(sums, products)
 }
 
-#[inline(always)]
-fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     macro_rules! round {
         ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => {
             let (a, b) = butterfly_4(re[$i], re[$i + 1], $zeta_0, $zeta_1, $zeta_2, $zeta_3);
@@ -203,8 +207,9 @@ fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     round!(30, -3019102, -3881060, -3628969, 3839961);
 }
 
-#[inline(always)]
-pub fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+pub(super) unsafe fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 {
     let zetas = mm256_set_epi32(zeta, zeta, zeta, zeta, 0, 0, 0, 0);
 
     let add_by_signs = mm256_set_epi32(-1, -1, -1, -1, 1, 1, 1, 1);
@@ -218,8 +223,9 @@ pub fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 {
     mm256_blend_epi32::<0b1_1_1_1_0_0_0_0>(sums, products)
 }
 
-#[inline(always)]
-fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     macro_rules! round {
         ($round:literal, $zeta_0:literal, $zeta_1:literal) => {
             let (a, b) = butterfly_8(re[$round], re[$round + 1], $zeta_0, $zeta_1);
@@ -250,8 +256,9 @@ fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
 ///
 /// This does 32 Montgomery multiplications (192 multiplications).
 /// This is the same as in pqclean. The only difference is locality of registers.
-#[inline(always)]
-fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     let field_modulus = mm256_set1_epi32(crate::simd::traits::FIELD_MODULUS);
     let inverse_of_modulus_mod_montgomery_r =
         mm256_set1_epi32(crate::simd::traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32);
@@ -310,8 +317,9 @@ fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
 ///
 /// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total
 /// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48)
-#[inline(always)]
-fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     macro_rules! round {
         ($i:literal, $zeta: literal) => {
             let rhs = mm256_set1_epi32($zeta);
diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs
index bc6301aef..3f4e7f12a 100644
--- a/libcrux-ml-dsa/src/simd/portable/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs
@@ -301,16 +301,16 @@ fn ntt_at_layer_3(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
     const STEP: usize = 8; // 1 << LAYER;
     const STEP_BY: usize = 1; // step / COEFFICIENTS_IN_SIMD_UNIT;
 
-    outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  2725464>(re);
-    outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  1024112>(re);
-    outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  -1079900>(re);
-    outer_3_plus::<{ (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  3585928>(re);
-    outer_3_plus::<{ (4 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  -549488>(re);
-    outer_3_plus::<{ (5 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  -1119584>(re);
-    outer_3_plus::<{ (6 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  2619752>(re);
-    outer_3_plus::<{ (7 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  -2108549>(re);
-    outer_3_plus::<{ (8 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  -2118186>(re);
-    outer_3_plus::<{ (9 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY,  -3859737>(re);
+    outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2725464>(re);
+    outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1024112>(re);
+    outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1079900>(re);
+    outer_3_plus::<{ (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3585928>(re);
+    outer_3_plus::<{ (4 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -549488>(re);
+    outer_3_plus::<{ (5 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1119584>(re);
+    outer_3_plus::<{ (6 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2619752>(re);
+    outer_3_plus::<{ (7 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2108549>(re);
+    outer_3_plus::<{ (8 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2118186>(re);
+    outer_3_plus::<{ (9 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -3859737>(re);
     outer_3_plus::<{ (10 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1399561>(re);
     outer_3_plus::<{ (11 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -3277672>(re);
     outer_3_plus::<{ (12 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1757237>(re);

From 6c8fdc37504b0076d70f7d910733d7b5a1e64a8a Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Mon, 4 Nov 2024 13:09:59 +0100
Subject: [PATCH 10/22] Header-only extraction update

---
 libcrux-ml-kem/cg/code_gen.txt                |   2 +-
 libcrux-ml-kem/cg/libcrux_core.h              |   2 +-
 libcrux-ml-kem/cg/libcrux_ct_ops.h            |   2 +-
 libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h     |   2 +-
 .../cg/libcrux_mlkem768_avx2_types.h          |   2 +-
 libcrux-ml-kem/cg/libcrux_mlkem768_portable.h |   2 +-
 .../cg/libcrux_mlkem768_portable_types.h      |   2 +-
 libcrux-ml-kem/cg/libcrux_sha3_avx2.h         | 231 ++++++++----------
 libcrux-ml-kem/cg/libcrux_sha3_portable.h     | 126 +++++-----
 9 files changed, 169 insertions(+), 202 deletions(-)

diff --git a/libcrux-ml-kem/cg/code_gen.txt b/libcrux-ml-kem/cg/code_gen.txt
index 15fc24b99..ec74b2b30 100644
--- a/libcrux-ml-kem/cg/code_gen.txt
+++ b/libcrux-ml-kem/cg/code_gen.txt
@@ -3,4 +3,4 @@ Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
 Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
 Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
 F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
-Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h
index b7054262c..b96c41ebd 100644
--- a/libcrux-ml-kem/cg/libcrux_core.h
+++ b/libcrux-ml-kem/cg/libcrux_core.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
  */
 
 #ifndef __libcrux_core_H
diff --git a/libcrux-ml-kem/cg/libcrux_ct_ops.h b/libcrux-ml-kem/cg/libcrux_ct_ops.h
index 1b4a85c28..5c325dd1c 100644
--- a/libcrux-ml-kem/cg/libcrux_ct_ops.h
+++ b/libcrux-ml-kem/cg/libcrux_ct_ops.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
  */
 
 #ifndef __libcrux_ct_ops_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
index ef9105a0b..30f56aa6c 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
  */
 
 #ifndef __libcrux_mlkem768_avx2_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h
index a3e9c8d25..7bf29c82c 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
  */
 
 #ifndef __libcrux_mlkem768_avx2_types_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
index 0835aa2cc..4968a4688 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
  */
 
 #ifndef __libcrux_mlkem768_portable_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h
index 679052284..c5ed62a6d 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
  */
 
 #ifndef __libcrux_mlkem768_portable_types_H
diff --git a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
index c6845ceeb..c3db3f651 100644
--- a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
  */
 
 #ifndef __libcrux_sha3_avx2_H
@@ -33,8 +33,9 @@ static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_zero_ef(void) {
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__veor5q_u64(
-    __m256i a, __m256i b, __m256i c, __m256i d, __m256i e) {
+static inline __m256i libcrux_sha3_simd_avx2__veor5q_u64(__m256i a, __m256i b,
+                                                         __m256i c, __m256i d,
+                                                         __m256i e) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   __m256i cd = libcrux_intrinsics_avx2_mm256_xor_si256(c, d);
   __m256i abcd = libcrux_intrinsics_avx2_mm256_xor_si256(ab, cd);
@@ -58,16 +59,14 @@ with const generics
 - RIGHT= 63
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_76(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_76(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)1, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)63, x, __m256i));
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vrax1q_u64(__m256i a,
-                                                                  __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vrax1q_u64(__m256i a, __m256i b) {
   __m256i uu____0 = a;
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       uu____0, libcrux_sha3_simd_avx2_rotate_left_76(b));
@@ -84,9 +83,8 @@ libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef(__m256i a, __m256i b) {
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vbcaxq_u64(__m256i a,
-                                                                  __m256i b,
-                                                                  __m256i c) {
+static inline __m256i libcrux_sha3_simd_avx2__vbcaxq_u64(__m256i a, __m256i b,
+                                                         __m256i c) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       a, libcrux_intrinsics_avx2_mm256_andnot_si256(c, b));
 }
@@ -102,8 +100,8 @@ libcrux_sha3_simd_avx2_and_not_xor_ef(__m256i a, __m256i b, __m256i c) {
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__veorq_n_u64(__m256i a,
-                                                                   uint64_t c) {
+static inline __m256i libcrux_sha3_simd_avx2__veorq_n_u64(__m256i a,
+                                                          uint64_t c) {
   __m256i c0 = libcrux_intrinsics_avx2_mm256_set1_epi64x(
       (int64_t) /* Casting here is required, doesn't change the value. */
       c);
@@ -120,6 +118,11 @@ libcrux_sha3_simd_avx2_xor_constant_ef(__m256i a, uint64_t c) {
   return libcrux_sha3_simd_avx2__veorq_n_u64(a, c);
 }
 
+KRML_ATTRIBUTE_TARGET("avx2")
+static inline __m256i libcrux_sha3_simd_avx2_xor(__m256i a, __m256i b) {
+  return libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+}
+
 /**
 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
 usize> for core::core_arch::x86::__m256i)}
@@ -127,12 +130,13 @@ usize> for core::core_arch::x86::__m256i)}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_xor_ef(__m256i a,
                                                              __m256i b) {
-  return libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
+  return libcrux_sha3_simd_avx2_xor(a, b);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_4(
-    Eurydice_slice a[4U], size_t start, size_t len, Eurydice_slice ret[4U]) {
+static inline void libcrux_sha3_simd_avx2_slice_4(Eurydice_slice a[4U],
+                                                  size_t start, size_t len,
+                                                  Eurydice_slice ret[4U]) {
   ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t);
   ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t);
   ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t);
@@ -155,7 +159,7 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_n_ef(
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE Eurydice_slice_uint8_t_4size_t__x2
+static inline Eurydice_slice_uint8_t_4size_t__x2
 libcrux_sha3_simd_avx2_split_at_mut_4(Eurydice_slice out[4U], size_t mid) {
   Eurydice_slice out0 = out[0U];
   Eurydice_slice out1 = out[1U];
@@ -260,7 +264,7 @@ with const generics
 - RATE= 136
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_5b(
+static inline void libcrux_sha3_simd_avx2_load_block_5b(
     __m256i (*s)[5U], Eurydice_slice blocks[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
     size_t i0 = i;
@@ -406,8 +410,7 @@ with const generics
 - RIGHT= 28
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_02(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_02(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)36, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)28, x, __m256i));
@@ -420,8 +423,8 @@ with const generics
 - RIGHT= 28
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_02(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_02(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_02(ab);
 }
@@ -449,8 +452,7 @@ with const generics
 - RIGHT= 61
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_ac(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_ac(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)3, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)61, x, __m256i));
@@ -463,8 +465,8 @@ with const generics
 - RIGHT= 61
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ac(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_ac(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_ac(ab);
 }
@@ -492,8 +494,7 @@ with const generics
 - RIGHT= 23
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_020(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_020(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)41, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)23, x, __m256i));
@@ -506,8 +507,8 @@ with const generics
 - RIGHT= 23
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2__vxarq_u64_020(__m256i a, __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_020(__m256i a,
+                                                            __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_020(ab);
 }
@@ -535,8 +536,7 @@ with const generics
 - RIGHT= 46
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_a9(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_a9(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)18, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)46, x, __m256i));
@@ -549,8 +549,8 @@ with const generics
 - RIGHT= 46
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_a9(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_a9(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_a9(ab);
 }
@@ -578,8 +578,8 @@ with const generics
 - RIGHT= 63
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_76(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_76(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_76(ab);
 }
@@ -607,8 +607,7 @@ with const generics
 - RIGHT= 20
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_58(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_58(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)44, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)20, x, __m256i));
@@ -621,8 +620,8 @@ with const generics
 - RIGHT= 20
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_58(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_58(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_58(ab);
 }
@@ -650,8 +649,7 @@ with const generics
 - RIGHT= 54
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_e0(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_e0(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)10, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)54, x, __m256i));
@@ -664,8 +662,8 @@ with const generics
 - RIGHT= 54
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_e0(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_e0(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_e0(ab);
 }
@@ -693,8 +691,7 @@ with const generics
 - RIGHT= 19
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_63(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_63(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)45, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)19, x, __m256i));
@@ -707,8 +704,8 @@ with const generics
 - RIGHT= 19
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_63(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_63(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_63(ab);
 }
@@ -736,8 +733,7 @@ with const generics
 - RIGHT= 62
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_6a(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_6a(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)2, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)62, x, __m256i));
@@ -750,8 +746,8 @@ with const generics
 - RIGHT= 62
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_6a(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_6a(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_6a(ab);
 }
@@ -779,8 +775,7 @@ with const generics
 - RIGHT= 2
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_ab(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_ab(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)62, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)2, x, __m256i));
@@ -793,8 +788,8 @@ with const generics
 - RIGHT= 2
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ab(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_ab(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_ab(ab);
 }
@@ -822,8 +817,7 @@ with const generics
 - RIGHT= 58
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_5b(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_5b(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)6, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)58, x, __m256i));
@@ -836,8 +830,8 @@ with const generics
 - RIGHT= 58
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_5b(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_5b(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_5b(ab);
 }
@@ -865,8 +859,7 @@ with const generics
 - RIGHT= 21
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_6f(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_6f(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)43, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)21, x, __m256i));
@@ -879,8 +872,8 @@ with const generics
 - RIGHT= 21
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_6f(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_6f(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_6f(ab);
 }
@@ -908,8 +901,7 @@ with const generics
 - RIGHT= 49
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_62(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_62(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)15, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)49, x, __m256i));
@@ -922,8 +914,8 @@ with const generics
 - RIGHT= 49
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_62(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_62(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_62(ab);
 }
@@ -951,8 +943,7 @@ with const generics
 - RIGHT= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_23(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_23(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)61, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)3, x, __m256i));
@@ -965,8 +956,8 @@ with const generics
 - RIGHT= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_23(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_23(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_23(ab);
 }
@@ -994,8 +985,7 @@ with const generics
 - RIGHT= 36
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_37(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_37(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)28, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)36, x, __m256i));
@@ -1008,8 +998,8 @@ with const generics
 - RIGHT= 36
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_37(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_37(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_37(ab);
 }
@@ -1037,8 +1027,7 @@ with const generics
 - RIGHT= 9
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_bb(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_bb(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)55, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)9, x, __m256i));
@@ -1051,8 +1040,8 @@ with const generics
 - RIGHT= 9
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_bb(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_bb(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_bb(ab);
 }
@@ -1080,8 +1069,7 @@ with const generics
 - RIGHT= 39
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_b9(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_b9(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)25, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)39, x, __m256i));
@@ -1094,8 +1082,8 @@ with const generics
 - RIGHT= 39
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_b9(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_b9(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_b9(ab);
 }
@@ -1123,8 +1111,7 @@ with const generics
 - RIGHT= 43
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_54(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_54(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)21, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)43, x, __m256i));
@@ -1137,8 +1124,8 @@ with const generics
 - RIGHT= 43
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_54(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_54(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_54(ab);
 }
@@ -1166,8 +1153,7 @@ with const generics
 - RIGHT= 8
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_4c(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_4c(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)56, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)8, x, __m256i));
@@ -1180,8 +1166,8 @@ with const generics
 - RIGHT= 8
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_4c(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_4c(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_4c(ab);
 }
@@ -1209,8 +1195,7 @@ with const generics
 - RIGHT= 37
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_ce(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_ce(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)27, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)37, x, __m256i));
@@ -1223,8 +1208,8 @@ with const generics
 - RIGHT= 37
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ce(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_ce(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_ce(ab);
 }
@@ -1252,8 +1237,7 @@ with const generics
 - RIGHT= 44
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_77(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_77(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)20, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)44, x, __m256i));
@@ -1266,8 +1250,8 @@ with const generics
 - RIGHT= 44
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_77(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_77(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_77(ab);
 }
@@ -1295,8 +1279,7 @@ with const generics
 - RIGHT= 25
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_25(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_25(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)39, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)25, x, __m256i));
@@ -1309,8 +1292,8 @@ with const generics
 - RIGHT= 25
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_25(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_25(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_25(ab);
 }
@@ -1338,8 +1321,7 @@ with const generics
 - RIGHT= 56
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_af(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_af(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)8, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)56, x, __m256i));
@@ -1352,8 +1334,8 @@ with const generics
 - RIGHT= 56
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_af(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_af(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_af(ab);
 }
@@ -1381,8 +1363,7 @@ with const generics
 - RIGHT= 50
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i
-libcrux_sha3_simd_avx2_rotate_left_fd(__m256i x) {
+static inline __m256i libcrux_sha3_simd_avx2_rotate_left_fd(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)14, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)50, x, __m256i));
@@ -1395,8 +1376,8 @@ with const generics
 - RIGHT= 50
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_fd(__m256i a,
-                                                                    __m256i b) {
+static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_fd(__m256i a,
+                                                           __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_fd(ab);
 }
@@ -1689,7 +1670,7 @@ with const generics
 - RATE= 136
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_5b(
+static inline void libcrux_sha3_simd_avx2_store_block_5b(
     __m256i (*s)[5U], Eurydice_slice out[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
     size_t i0 = i;
@@ -2032,7 +2013,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_fb(
  Perform 4 SHAKE256 operations in parallel
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_shake256(
+static inline void libcrux_sha3_avx2_x4_shake256(
     Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2,
     Eurydice_slice input3, Eurydice_slice out0, Eurydice_slice out1,
     Eurydice_slice out2, Eurydice_slice out3) {
@@ -2056,7 +2037,7 @@ typedef libcrux_sha3_generic_keccak_KeccakState_55
  Initialise the [`KeccakState`].
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55
+static inline libcrux_sha3_generic_keccak_KeccakState_55
 libcrux_sha3_avx2_x4_incremental_init(void) {
   return libcrux_sha3_generic_keccak_new_89_a6();
 }
@@ -2067,7 +2048,7 @@ with const generics
 - RATE= 168
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_3a(
+static inline void libcrux_sha3_simd_avx2_load_block_3a(
     __m256i (*s)[5U], Eurydice_slice blocks[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) {
     size_t i0 = i;
@@ -2258,8 +2239,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_fb0(
  Absorb
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void
-libcrux_sha3_avx2_x4_incremental_shake128_absorb_final(
+static inline void libcrux_sha3_avx2_x4_incremental_shake128_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0,
     Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) {
   Eurydice_slice buf[4U] = {data0, data1, data2, data3};
@@ -2272,7 +2252,7 @@ with const generics
 - RATE= 168
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_3a(
+static inline void libcrux_sha3_simd_avx2_store_block_3a(
     __m256i (*s)[5U], Eurydice_slice out[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) {
     size_t i0 = i;
@@ -2422,8 +2402,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_970(
  Squeeze another block
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void
-libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block(
+static inline void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
   Eurydice_slice buf[4U] = {out0, out1, out2, out3};
@@ -2475,7 +2454,7 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_97(
  Squeeze three blocks
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
@@ -2529,7 +2508,7 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_97(
  Squeeze five blocks
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
@@ -2541,8 +2520,7 @@ libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
  Absorb
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void
-libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
+static inline void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0,
     Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) {
   Eurydice_slice buf[4U] = {data0, data1, data2, data3};
@@ -2553,7 +2531,7 @@ libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
  Squeeze block
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
@@ -2565,8 +2543,7 @@ libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
  Squeeze next block
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void
-libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block(
+static inline void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
   Eurydice_slice buf[4U] = {out0, out1, out2, out3};
diff --git a/libcrux-ml-kem/cg/libcrux_sha3_portable.h b/libcrux-ml-kem/cg/libcrux_sha3_portable.h
index 69ff6f317..65f8d5cb2 100644
--- a/libcrux-ml-kem/cg/libcrux_sha3_portable.h
+++ b/libcrux-ml-kem/cg/libcrux_sha3_portable.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
  */
 
 #ifndef __libcrux_sha3_portable_H
@@ -1662,8 +1662,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_96(
 /**
  A portable SHA3 512 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest,
-                                                         Eurydice_slice data) {
+static inline void libcrux_sha3_portable_sha512(Eurydice_slice digest,
+                                                Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_96(buf0, buf);
@@ -2021,8 +2021,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ad(
 /**
  A portable SHA3 256 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest,
-                                                         Eurydice_slice data) {
+static inline void libcrux_sha3_portable_sha256(Eurydice_slice digest,
+                                                Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_ad(buf0, buf);
@@ -2150,8 +2150,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ad0(
 /**
  A portable SHAKE256 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_portable_shake256(
-    Eurydice_slice digest, Eurydice_slice data) {
+static inline void libcrux_sha3_portable_shake256(Eurydice_slice digest,
+                                                  Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_ad0(buf0, buf);
@@ -2163,7 +2163,7 @@ typedef libcrux_sha3_generic_keccak_KeccakState_17
 /**
  Create a new SHAKE-128 state object.
 */
-static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17
+static inline libcrux_sha3_generic_keccak_KeccakState_17
 libcrux_sha3_portable_incremental_shake128_init(void) {
   return libcrux_sha3_generic_keccak_new_89_04();
 }
@@ -2256,8 +2256,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e2(
 /**
  Absorb
 */
-static KRML_MUSTINLINE void
-libcrux_sha3_portable_incremental_shake128_absorb_final(
+static inline void libcrux_sha3_portable_incremental_shake128_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data0) {
   Eurydice_slice buf[1U] = {data0};
   libcrux_sha3_generic_keccak_absorb_final_9e2(s, buf);
@@ -2311,7 +2310,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c61(
 /**
  Squeeze another block
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
   Eurydice_slice buf[1U] = {out0};
@@ -2360,7 +2359,7 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6(
 /**
  Squeeze three blocks
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
   Eurydice_slice buf[1U] = {out0};
@@ -2757,8 +2756,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_1e(
 /**
  A portable SHA3 224 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest,
-                                                         Eurydice_slice data) {
+static inline void libcrux_sha3_portable_sha224(Eurydice_slice digest,
+                                                Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_1e(buf0, buf);
@@ -3116,8 +3115,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_7c(
 /**
  A portable SHA3 384 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest,
-                                                         Eurydice_slice data) {
+static inline void libcrux_sha3_portable_sha384(Eurydice_slice digest,
+                                                Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_7c(buf0, buf);
@@ -3129,16 +3128,15 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest,
  Preconditions:
  - `digest.len() == 28`
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest,
-                                                    Eurydice_slice payload) {
+static inline void libcrux_sha3_sha224_ema(Eurydice_slice digest,
+                                           Eurydice_slice payload) {
   libcrux_sha3_portable_sha224(digest, payload);
 }
 
 /**
  SHA3 224
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data,
-                                                uint8_t ret[28U]) {
+static inline void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) {
   uint8_t out[28U] = {0U};
   libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t),
                           data);
@@ -3148,16 +3146,15 @@ static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data,
 /**
  SHA3 256
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest,
-                                                    Eurydice_slice payload) {
+static inline void libcrux_sha3_sha256_ema(Eurydice_slice digest,
+                                           Eurydice_slice payload) {
   libcrux_sha3_portable_sha256(digest, payload);
 }
 
 /**
  SHA3 256
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data,
-                                                uint8_t ret[32U]) {
+static inline void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) {
   uint8_t out[32U] = {0U};
   libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t),
                           data);
@@ -3167,16 +3164,15 @@ static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data,
 /**
  SHA3 384
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest,
-                                                    Eurydice_slice payload) {
+static inline void libcrux_sha3_sha384_ema(Eurydice_slice digest,
+                                           Eurydice_slice payload) {
   libcrux_sha3_portable_sha384(digest, payload);
 }
 
 /**
  SHA3 384
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data,
-                                                uint8_t ret[48U]) {
+static inline void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) {
   uint8_t out[48U] = {0U};
   libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t),
                           data);
@@ -3186,16 +3182,15 @@ static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data,
 /**
  SHA3 512
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest,
-                                                    Eurydice_slice payload) {
+static inline void libcrux_sha3_sha512_ema(Eurydice_slice digest,
+                                           Eurydice_slice payload) {
   libcrux_sha3_portable_sha512(digest, payload);
 }
 
 /**
  SHA3 512
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data,
-                                                uint8_t ret[64U]) {
+static inline void libcrux_sha3_sha512(Eurydice_slice data, uint8_t ret[64U]) {
   uint8_t out[64U] = {0U};
   libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t),
                           data);
@@ -3412,8 +3407,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_c6(
 /**
  A portable SHAKE128 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_portable_shake128(
-    Eurydice_slice digest, Eurydice_slice data) {
+static inline void libcrux_sha3_portable_shake128(Eurydice_slice digest,
+                                                  Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_c6(buf0, buf);
@@ -3424,8 +3419,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_shake128(
 
  Writes `out.len()` bytes.
 */
-static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out,
-                                                      Eurydice_slice data) {
+static inline void libcrux_sha3_shake128_ema(Eurydice_slice out,
+                                             Eurydice_slice data) {
   libcrux_sha3_portable_shake128(out, data);
 }
 
@@ -3434,8 +3429,8 @@ static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out,
 
  Writes `out.len()` bytes.
 */
-static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out,
-                                                      Eurydice_slice data) {
+static inline void libcrux_sha3_shake256_ema(Eurydice_slice out,
+                                             Eurydice_slice data) {
   libcrux_sha3_portable_shake256(out, data);
 }
 
@@ -3456,8 +3451,8 @@ static const size_t libcrux_sha3_generic_keccak__ROTC[24U] = {
 /**
  A portable SHA3 224 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest,
-                                                     Eurydice_slice data) {
+static inline void libcrux_sha3_neon_sha224(Eurydice_slice digest,
+                                            Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -3466,8 +3461,8 @@ static KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest,
 /**
  A portable SHA3 256 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest,
-                                                     Eurydice_slice data) {
+static inline void libcrux_sha3_neon_sha256(Eurydice_slice digest,
+                                            Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -3476,8 +3471,8 @@ static KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest,
 /**
  A portable SHA3 384 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest,
-                                                     Eurydice_slice data) {
+static inline void libcrux_sha3_neon_sha384(Eurydice_slice digest,
+                                            Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -3486,8 +3481,8 @@ static KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest,
 /**
  A portable SHA3 512 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest,
-                                                     Eurydice_slice data) {
+static inline void libcrux_sha3_neon_sha512(Eurydice_slice digest,
+                                            Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -3498,10 +3493,10 @@ static KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest,
 
  Writes the two results into `out0` and `out1`
 */
-static KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0,
-                                                          Eurydice_slice input1,
-                                                          Eurydice_slice out0,
-                                                          Eurydice_slice out1) {
+static inline void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0,
+                                                 Eurydice_slice input1,
+                                                 Eurydice_slice out0,
+                                                 Eurydice_slice out1) {
   /* TODO: make argument ordering consistent */
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
@@ -3515,7 +3510,7 @@ typedef struct libcrux_sha3_neon_x2_incremental_KeccakState_s {
 /**
  Initialise the `KeccakState2`.
 */
-static KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState
+static inline libcrux_sha3_neon_x2_incremental_KeccakState
 libcrux_sha3_neon_x2_incremental_init(void) {
   /* XXX: These functions could alternatively implement the same with the
    * portable implementation { let s0 = KeccakState::new(); let s1 =
@@ -3528,8 +3523,7 @@ libcrux_sha3_neon_x2_incremental_init(void) {
 /**
  Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`.
 */
-static KRML_MUSTINLINE void
-libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
+static inline void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
     Eurydice_slice data1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -3545,7 +3539,7 @@ libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
  Squeeze 2 times the first three blocks in parallel in the
  [`KeccakState`] and return the output in `out0` and `out1`.
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
@@ -3562,8 +3556,7 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
  Squeeze 2 times the next block in parallel in the
  [`KeccakState`] and return the output in `out0` and `out1`.
 */
-static KRML_MUSTINLINE void
-libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
+static inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -3578,7 +3571,7 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
 /**
  Squeeze five blocks
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
@@ -3590,8 +3583,7 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
 /**
  Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`.
 */
-static KRML_MUSTINLINE void
-libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
+static inline void libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
     Eurydice_slice data1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -3606,7 +3598,7 @@ libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
 /**
  Squeeze block
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
@@ -3618,8 +3610,7 @@ libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
 /**
  Squeeze next block
 */
-static KRML_MUSTINLINE void
-libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block(
+static inline void libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
@@ -3671,7 +3662,7 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_c6(
 /**
  Squeeze five blocks
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
   Eurydice_slice buf[1U] = {out0};
@@ -3681,8 +3672,7 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
 /**
  Absorb some data for SHAKE-256 for the last time
 */
-static KRML_MUSTINLINE void
-libcrux_sha3_portable_incremental_shake256_absorb_final(
+static inline void libcrux_sha3_portable_incremental_shake256_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data) {
   Eurydice_slice buf[1U] = {data};
   libcrux_sha3_generic_keccak_absorb_final_9e1(s, buf);
@@ -3691,7 +3681,7 @@ libcrux_sha3_portable_incremental_shake256_absorb_final(
 /**
  Create a new SHAKE-256 state object.
 */
-static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17
+static inline libcrux_sha3_generic_keccak_KeccakState_17
 libcrux_sha3_portable_incremental_shake256_init(void) {
   return libcrux_sha3_generic_keccak_new_89_04();
 }
@@ -3699,7 +3689,7 @@ libcrux_sha3_portable_incremental_shake256_init(void) {
 /**
  Squeeze the first SHAKE-256 block
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) {
   Eurydice_slice buf[1U] = {out};
@@ -3709,7 +3699,7 @@ libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
 /**
  Squeeze the next SHAKE-256 block
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_portable_incremental_shake256_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) {
   Eurydice_slice buf[1U] = {out};

From 51e2d6d0745a788daf02298b7f62d585b53aa827 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Mon, 4 Nov 2024 14:19:22 +0100
Subject: [PATCH 11/22] Update C extraction

---
 libcrux-ml-kem/c/code_gen.txt                 |   2 +-
 libcrux-ml-kem/c/internal/libcrux_core.h      |   2 +-
 .../c/internal/libcrux_mlkem_avx2.h           |   2 +-
 .../c/internal/libcrux_mlkem_portable.h       |   2 +-
 libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h |   2 +-
 .../c/internal/libcrux_sha3_internal.h        |  22 ++-
 libcrux-ml-kem/c/libcrux_core.c               |   2 +-
 libcrux-ml-kem/c/libcrux_core.h               |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem1024.h          |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c     |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h     |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem1024_portable.c |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem1024_portable.h |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem512.h           |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem512_avx2.c      |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem512_avx2.h      |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem512_portable.c  |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem512_portable.h  |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem768.h           |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem768_avx2.c      |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem768_avx2.h      |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem768_portable.c  |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem768_portable.h  |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem_avx2.c         |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem_avx2.h         |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem_portable.c     |   2 +-
 libcrux-ml-kem/c/libcrux_mlkem_portable.h     |   2 +-
 libcrux-ml-kem/c/libcrux_sha3.h               |  62 ++++----
 libcrux-ml-kem/c/libcrux_sha3_avx2.c          | 143 +++++++++---------
 libcrux-ml-kem/c/libcrux_sha3_avx2.h          |   2 +-
 libcrux-ml-kem/c/libcrux_sha3_internal.h      |   2 +-
 libcrux-ml-kem/c/libcrux_sha3_neon.c          |  41 ++---
 libcrux-ml-kem/c/libcrux_sha3_neon.h          |   2 +-
 33 files changed, 152 insertions(+), 174 deletions(-)

diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt
index 15fc24b99..a9f0fcd1a 100644
--- a/libcrux-ml-kem/c/code_gen.txt
+++ b/libcrux-ml-kem/c/code_gen.txt
@@ -3,4 +3,4 @@ Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
 Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
 Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
 F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
-Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h
index 52703ecb0..a6219b29c 100644
--- a/libcrux-ml-kem/c/internal/libcrux_core.h
+++ b/libcrux-ml-kem/c/internal/libcrux_core.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __internal_libcrux_core_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
index 33c98d681..122098dd0 100644
--- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
+++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __internal_libcrux_mlkem_avx2_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
index d80891e09..fe31b4dfe 100644
--- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
+++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __internal_libcrux_mlkem_portable_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h
index 2beea56d8..822ba71c9 100644
--- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __internal_libcrux_sha3_avx2_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h
index e2ca80283..c033eebf3 100644
--- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h
+++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __internal_libcrux_sha3_internal_H
@@ -27,7 +27,7 @@ typedef libcrux_sha3_generic_keccak_KeccakState_17
 /**
  Create a new SHAKE-128 state object.
 */
-static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17
+static inline libcrux_sha3_generic_keccak_KeccakState_17
 libcrux_sha3_portable_incremental_shake128_init(void) {
   return libcrux_sha3_generic_keccak_new_89_04();
 }
@@ -35,8 +35,7 @@ libcrux_sha3_portable_incremental_shake128_init(void) {
 /**
  Absorb
 */
-static KRML_MUSTINLINE void
-libcrux_sha3_portable_incremental_shake128_absorb_final(
+static inline void libcrux_sha3_portable_incremental_shake128_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data0) {
   Eurydice_slice buf[1U] = {data0};
   libcrux_sha3_generic_keccak_absorb_final_9e(s, buf);
@@ -45,7 +44,7 @@ libcrux_sha3_portable_incremental_shake128_absorb_final(
 /**
  Squeeze another block
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
   Eurydice_slice buf[1U] = {out0};
@@ -82,7 +81,7 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6(
 /**
  Squeeze three blocks
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
   Eurydice_slice buf[1U] = {out0};
@@ -185,7 +184,7 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_c6(
 /**
  Squeeze five blocks
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
   Eurydice_slice buf[1U] = {out0};
@@ -195,8 +194,7 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
 /**
  Absorb some data for SHAKE-256 for the last time
 */
-static KRML_MUSTINLINE void
-libcrux_sha3_portable_incremental_shake256_absorb_final(
+static inline void libcrux_sha3_portable_incremental_shake256_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data) {
   Eurydice_slice buf[1U] = {data};
   libcrux_sha3_generic_keccak_absorb_final_9e0(s, buf);
@@ -205,7 +203,7 @@ libcrux_sha3_portable_incremental_shake256_absorb_final(
 /**
  Create a new SHAKE-256 state object.
 */
-static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17
+static inline libcrux_sha3_generic_keccak_KeccakState_17
 libcrux_sha3_portable_incremental_shake256_init(void) {
   return libcrux_sha3_generic_keccak_new_89_04();
 }
@@ -213,7 +211,7 @@ libcrux_sha3_portable_incremental_shake256_init(void) {
 /**
  Squeeze the first SHAKE-256 block
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) {
   Eurydice_slice buf[1U] = {out};
@@ -223,7 +221,7 @@ libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
 /**
  Squeeze the next SHAKE-256 block
 */
-static KRML_MUSTINLINE void
+static inline void
 libcrux_sha3_portable_incremental_shake256_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) {
   Eurydice_slice buf[1U] = {out};
diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c
index 7d801f811..380560655 100644
--- a/libcrux-ml-kem/c/libcrux_core.c
+++ b/libcrux-ml-kem/c/libcrux_core.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "internal/libcrux_core.h"
diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h
index dc2e18e7c..a9ea4ae31 100644
--- a/libcrux-ml-kem/c/libcrux_core.h
+++ b/libcrux-ml-kem/c/libcrux_core.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_core_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h
index a3e68cfa9..2a1bac2bc 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem1024_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
index cdc2a0839..e998b91fa 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_mlkem1024_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
index 55db6393c..c6b5f62bf 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem1024_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
index b78aeb6bb..575ffc15b 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_mlkem1024_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
index f1477247e..623f86b6a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem1024_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h
index 788f751a1..e50855804 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem512_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
index 8d68264c8..b45918ce0 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_mlkem512_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
index a3453b05a..a24272f38 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem512_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
index 905fbe942..1aca3e46a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_mlkem512_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
index 24bfa2755..82f656696 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem512_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h
index 099d61839..4c486fa96 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem768_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
index 68249136f..7754cb2d5 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_mlkem768_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
index a982114cb..b0f6e449c 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem768_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
index 7cef4d22c..cadac4f79 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_mlkem768_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
index a0533a218..58f4deb7e 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem768_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
index c1141b005..450e14514 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "internal/libcrux_mlkem_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
index cfcfeb508..b072c10b8 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c
index 82eab7539..5ada2704e 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "internal/libcrux_mlkem_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h
index 53c97bc62..6750e40b5 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h
index 51d13a375..4f9736e53 100644
--- a/libcrux-ml-kem/c/libcrux_sha3.h
+++ b/libcrux-ml-kem/c/libcrux_sha3.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_sha3_H
@@ -25,8 +25,8 @@ extern "C" {
 /**
  A portable SHA3 512 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest,
-                                                         Eurydice_slice data) {
+static inline void libcrux_sha3_portable_sha512(Eurydice_slice digest,
+                                                Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_96(buf0, buf);
@@ -35,8 +35,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest,
 /**
  A portable SHA3 256 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest,
-                                                         Eurydice_slice data) {
+static inline void libcrux_sha3_portable_sha256(Eurydice_slice digest,
+                                                Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_ad(buf0, buf);
@@ -45,8 +45,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest,
 /**
  A portable SHAKE256 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_portable_shake256(
-    Eurydice_slice digest, Eurydice_slice data) {
+static inline void libcrux_sha3_portable_shake256(Eurydice_slice digest,
+                                                  Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_ad0(buf0, buf);
@@ -55,8 +55,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_shake256(
 /**
  A portable SHA3 224 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest,
-                                                         Eurydice_slice data) {
+static inline void libcrux_sha3_portable_sha224(Eurydice_slice digest,
+                                                Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_1e(buf0, buf);
@@ -65,8 +65,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest,
 /**
  A portable SHA3 384 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest,
-                                                         Eurydice_slice data) {
+static inline void libcrux_sha3_portable_sha384(Eurydice_slice digest,
+                                                Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_7c(buf0, buf);
@@ -78,16 +78,15 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest,
  Preconditions:
  - `digest.len() == 28`
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest,
-                                                    Eurydice_slice payload) {
+static inline void libcrux_sha3_sha224_ema(Eurydice_slice digest,
+                                           Eurydice_slice payload) {
   libcrux_sha3_portable_sha224(digest, payload);
 }
 
 /**
  SHA3 224
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data,
-                                                uint8_t ret[28U]) {
+static inline void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) {
   uint8_t out[28U] = {0U};
   libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t),
                           data);
@@ -97,16 +96,15 @@ static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data,
 /**
  SHA3 256
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest,
-                                                    Eurydice_slice payload) {
+static inline void libcrux_sha3_sha256_ema(Eurydice_slice digest,
+                                           Eurydice_slice payload) {
   libcrux_sha3_portable_sha256(digest, payload);
 }
 
 /**
  SHA3 256
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data,
-                                                uint8_t ret[32U]) {
+static inline void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) {
   uint8_t out[32U] = {0U};
   libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t),
                           data);
@@ -116,16 +114,15 @@ static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data,
 /**
  SHA3 384
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest,
-                                                    Eurydice_slice payload) {
+static inline void libcrux_sha3_sha384_ema(Eurydice_slice digest,
+                                           Eurydice_slice payload) {
   libcrux_sha3_portable_sha384(digest, payload);
 }
 
 /**
  SHA3 384
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data,
-                                                uint8_t ret[48U]) {
+static inline void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) {
   uint8_t out[48U] = {0U};
   libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t),
                           data);
@@ -135,16 +132,15 @@ static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data,
 /**
  SHA3 512
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest,
-                                                    Eurydice_slice payload) {
+static inline void libcrux_sha3_sha512_ema(Eurydice_slice digest,
+                                           Eurydice_slice payload) {
   libcrux_sha3_portable_sha512(digest, payload);
 }
 
 /**
  SHA3 512
 */
-static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data,
-                                                uint8_t ret[64U]) {
+static inline void libcrux_sha3_sha512(Eurydice_slice data, uint8_t ret[64U]) {
   uint8_t out[64U] = {0U};
   libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t),
                           data);
@@ -154,8 +150,8 @@ static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data,
 /**
  A portable SHAKE128 implementation.
 */
-static KRML_MUSTINLINE void libcrux_sha3_portable_shake128(
-    Eurydice_slice digest, Eurydice_slice data) {
+static inline void libcrux_sha3_portable_shake128(Eurydice_slice digest,
+                                                  Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_c6(buf0, buf);
@@ -166,8 +162,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_shake128(
 
  Writes `out.len()` bytes.
 */
-static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out,
-                                                      Eurydice_slice data) {
+static inline void libcrux_sha3_shake128_ema(Eurydice_slice out,
+                                             Eurydice_slice data) {
   libcrux_sha3_portable_shake128(out, data);
 }
 
@@ -176,8 +172,8 @@ static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out,
 
  Writes `out.len()` bytes.
 */
-static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out,
-                                                      Eurydice_slice data) {
+static inline void libcrux_sha3_shake256_ema(Eurydice_slice out,
+                                             Eurydice_slice data) {
   libcrux_sha3_portable_shake256(out, data);
 }
 
diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c
index 004fb251f..7fc037744 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "internal/libcrux_sha3_avx2.h"
@@ -23,8 +23,8 @@ static KRML_MUSTINLINE __m256i zero_ef(void) {
   return mm256_set1_epi64x((int64_t)0);
 }
 
-static KRML_MUSTINLINE __m256i _veor5q_u64(__m256i a, __m256i b, __m256i c,
-                                           __m256i d, __m256i e) {
+static __m256i _veor5q_u64(__m256i a, __m256i b, __m256i c, __m256i d,
+                           __m256i e) {
   __m256i ab = mm256_xor_si256(a, b);
   __m256i cd = mm256_xor_si256(c, d);
   __m256i abcd = mm256_xor_si256(ab, cd);
@@ -46,12 +46,12 @@ with const generics
 - LEFT= 1
 - RIGHT= 63
 */
-static KRML_MUSTINLINE __m256i rotate_left_76(__m256i x) {
+static __m256i rotate_left_76(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)1, x, __m256i),
                          mm256_srli_epi64((int32_t)63, x, __m256i));
 }
 
-static KRML_MUSTINLINE __m256i _vrax1q_u64(__m256i a, __m256i b) {
+static __m256i _vrax1q_u64(__m256i a, __m256i b) {
   __m256i uu____0 = a;
   return mm256_xor_si256(uu____0, rotate_left_76(b));
 }
@@ -64,7 +64,7 @@ static KRML_MUSTINLINE __m256i rotate_left1_and_xor_ef(__m256i a, __m256i b) {
   return _vrax1q_u64(a, b);
 }
 
-static KRML_MUSTINLINE __m256i _vbcaxq_u64(__m256i a, __m256i b, __m256i c) {
+static __m256i _vbcaxq_u64(__m256i a, __m256i b, __m256i c) {
   return mm256_xor_si256(a, mm256_andnot_si256(c, b));
 }
 
@@ -76,7 +76,7 @@ static KRML_MUSTINLINE __m256i and_not_xor_ef(__m256i a, __m256i b, __m256i c) {
   return _vbcaxq_u64(a, b, c);
 }
 
-static KRML_MUSTINLINE __m256i _veorq_n_u64(__m256i a, uint64_t c) {
+static __m256i _veorq_n_u64(__m256i a, uint64_t c) {
   __m256i c0 = mm256_set1_epi64x(
       (int64_t) /* Casting here is required, doesn't change the value. */ c);
   return mm256_xor_si256(a, c0);
@@ -90,16 +90,18 @@ static KRML_MUSTINLINE __m256i xor_constant_ef(__m256i a, uint64_t c) {
   return _veorq_n_u64(a, c);
 }
 
+static __m256i xor0(__m256i a, __m256i b) { return mm256_xor_si256(a, b); }
+
 /**
 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
 usize> for core::core_arch::x86::__m256i)}
 */
 static KRML_MUSTINLINE __m256i xor_ef(__m256i a, __m256i b) {
-  return mm256_xor_si256(a, b);
+  return xor0(a, b);
 }
 
-static KRML_MUSTINLINE void slice_4(Eurydice_slice a[4U], size_t start,
-                                    size_t len, Eurydice_slice ret[4U]) {
+static void slice_4(Eurydice_slice a[4U], size_t start, size_t len,
+                    Eurydice_slice ret[4U]) {
   ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t);
   ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t);
   ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t);
@@ -120,8 +122,8 @@ static KRML_MUSTINLINE void slice_n_ef(Eurydice_slice a[4U], size_t start,
   memcpy(ret, ret0, (size_t)4U * sizeof(Eurydice_slice));
 }
 
-static KRML_MUSTINLINE Eurydice_slice_uint8_t_4size_t__x2
-split_at_mut_4(Eurydice_slice out[4U], size_t mid) {
+static Eurydice_slice_uint8_t_4size_t__x2 split_at_mut_4(Eurydice_slice out[4U],
+                                                         size_t mid) {
   Eurydice_slice out0 = out[0U];
   Eurydice_slice out1 = out[1U];
   Eurydice_slice out2 = out[2U];
@@ -212,8 +214,7 @@ A monomorphic instance of libcrux_sha3.simd.avx2.load_block
 with const generics
 - RATE= 136
 */
-static KRML_MUSTINLINE void load_block_5b(__m256i (*s)[5U],
-                                          Eurydice_slice blocks[4U]) {
+static void load_block_5b(__m256i (*s)[5U], Eurydice_slice blocks[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
     size_t i0 = i;
     __m256i v00 = mm256_loadu_si256_u8(
@@ -347,7 +348,7 @@ with const generics
 - LEFT= 36
 - RIGHT= 28
 */
-static KRML_MUSTINLINE __m256i rotate_left_02(__m256i x) {
+static __m256i rotate_left_02(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)36, x, __m256i),
                          mm256_srli_epi64((int32_t)28, x, __m256i));
 }
@@ -358,7 +359,7 @@ with const generics
 - LEFT= 36
 - RIGHT= 28
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_02(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_02(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_02(ab);
 }
@@ -383,7 +384,7 @@ with const generics
 - LEFT= 3
 - RIGHT= 61
 */
-static KRML_MUSTINLINE __m256i rotate_left_ac(__m256i x) {
+static __m256i rotate_left_ac(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)3, x, __m256i),
                          mm256_srli_epi64((int32_t)61, x, __m256i));
 }
@@ -394,7 +395,7 @@ with const generics
 - LEFT= 3
 - RIGHT= 61
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_ac(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_ac(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_ac(ab);
 }
@@ -419,7 +420,7 @@ with const generics
 - LEFT= 41
 - RIGHT= 23
 */
-static KRML_MUSTINLINE __m256i rotate_left_020(__m256i x) {
+static __m256i rotate_left_020(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)41, x, __m256i),
                          mm256_srli_epi64((int32_t)23, x, __m256i));
 }
@@ -430,7 +431,7 @@ with const generics
 - LEFT= 41
 - RIGHT= 23
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_020(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_020(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_020(ab);
 }
@@ -455,7 +456,7 @@ with const generics
 - LEFT= 18
 - RIGHT= 46
 */
-static KRML_MUSTINLINE __m256i rotate_left_a9(__m256i x) {
+static __m256i rotate_left_a9(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)18, x, __m256i),
                          mm256_srli_epi64((int32_t)46, x, __m256i));
 }
@@ -466,7 +467,7 @@ with const generics
 - LEFT= 18
 - RIGHT= 46
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_a9(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_a9(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_a9(ab);
 }
@@ -491,7 +492,7 @@ with const generics
 - LEFT= 1
 - RIGHT= 63
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_76(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_76(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_76(ab);
 }
@@ -516,7 +517,7 @@ with const generics
 - LEFT= 44
 - RIGHT= 20
 */
-static KRML_MUSTINLINE __m256i rotate_left_58(__m256i x) {
+static __m256i rotate_left_58(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)44, x, __m256i),
                          mm256_srli_epi64((int32_t)20, x, __m256i));
 }
@@ -527,7 +528,7 @@ with const generics
 - LEFT= 44
 - RIGHT= 20
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_58(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_58(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_58(ab);
 }
@@ -552,7 +553,7 @@ with const generics
 - LEFT= 10
 - RIGHT= 54
 */
-static KRML_MUSTINLINE __m256i rotate_left_e0(__m256i x) {
+static __m256i rotate_left_e0(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)10, x, __m256i),
                          mm256_srli_epi64((int32_t)54, x, __m256i));
 }
@@ -563,7 +564,7 @@ with const generics
 - LEFT= 10
 - RIGHT= 54
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_e0(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_e0(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_e0(ab);
 }
@@ -588,7 +589,7 @@ with const generics
 - LEFT= 45
 - RIGHT= 19
 */
-static KRML_MUSTINLINE __m256i rotate_left_63(__m256i x) {
+static __m256i rotate_left_63(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)45, x, __m256i),
                          mm256_srli_epi64((int32_t)19, x, __m256i));
 }
@@ -599,7 +600,7 @@ with const generics
 - LEFT= 45
 - RIGHT= 19
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_63(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_63(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_63(ab);
 }
@@ -624,7 +625,7 @@ with const generics
 - LEFT= 2
 - RIGHT= 62
 */
-static KRML_MUSTINLINE __m256i rotate_left_6a(__m256i x) {
+static __m256i rotate_left_6a(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)2, x, __m256i),
                          mm256_srli_epi64((int32_t)62, x, __m256i));
 }
@@ -635,7 +636,7 @@ with const generics
 - LEFT= 2
 - RIGHT= 62
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_6a(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_6a(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_6a(ab);
 }
@@ -660,7 +661,7 @@ with const generics
 - LEFT= 62
 - RIGHT= 2
 */
-static KRML_MUSTINLINE __m256i rotate_left_ab(__m256i x) {
+static __m256i rotate_left_ab(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)62, x, __m256i),
                          mm256_srli_epi64((int32_t)2, x, __m256i));
 }
@@ -671,7 +672,7 @@ with const generics
 - LEFT= 62
 - RIGHT= 2
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_ab(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_ab(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_ab(ab);
 }
@@ -696,7 +697,7 @@ with const generics
 - LEFT= 6
 - RIGHT= 58
 */
-static KRML_MUSTINLINE __m256i rotate_left_5b(__m256i x) {
+static __m256i rotate_left_5b(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)6, x, __m256i),
                          mm256_srli_epi64((int32_t)58, x, __m256i));
 }
@@ -707,7 +708,7 @@ with const generics
 - LEFT= 6
 - RIGHT= 58
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_5b(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_5b(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_5b(ab);
 }
@@ -732,7 +733,7 @@ with const generics
 - LEFT= 43
 - RIGHT= 21
 */
-static KRML_MUSTINLINE __m256i rotate_left_6f(__m256i x) {
+static __m256i rotate_left_6f(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)43, x, __m256i),
                          mm256_srli_epi64((int32_t)21, x, __m256i));
 }
@@ -743,7 +744,7 @@ with const generics
 - LEFT= 43
 - RIGHT= 21
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_6f(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_6f(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_6f(ab);
 }
@@ -768,7 +769,7 @@ with const generics
 - LEFT= 15
 - RIGHT= 49
 */
-static KRML_MUSTINLINE __m256i rotate_left_62(__m256i x) {
+static __m256i rotate_left_62(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)15, x, __m256i),
                          mm256_srli_epi64((int32_t)49, x, __m256i));
 }
@@ -779,7 +780,7 @@ with const generics
 - LEFT= 15
 - RIGHT= 49
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_62(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_62(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_62(ab);
 }
@@ -804,7 +805,7 @@ with const generics
 - LEFT= 61
 - RIGHT= 3
 */
-static KRML_MUSTINLINE __m256i rotate_left_23(__m256i x) {
+static __m256i rotate_left_23(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)61, x, __m256i),
                          mm256_srli_epi64((int32_t)3, x, __m256i));
 }
@@ -815,7 +816,7 @@ with const generics
 - LEFT= 61
 - RIGHT= 3
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_23(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_23(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_23(ab);
 }
@@ -840,7 +841,7 @@ with const generics
 - LEFT= 28
 - RIGHT= 36
 */
-static KRML_MUSTINLINE __m256i rotate_left_37(__m256i x) {
+static __m256i rotate_left_37(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)28, x, __m256i),
                          mm256_srli_epi64((int32_t)36, x, __m256i));
 }
@@ -851,7 +852,7 @@ with const generics
 - LEFT= 28
 - RIGHT= 36
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_37(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_37(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_37(ab);
 }
@@ -876,7 +877,7 @@ with const generics
 - LEFT= 55
 - RIGHT= 9
 */
-static KRML_MUSTINLINE __m256i rotate_left_bb(__m256i x) {
+static __m256i rotate_left_bb(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)55, x, __m256i),
                          mm256_srli_epi64((int32_t)9, x, __m256i));
 }
@@ -887,7 +888,7 @@ with const generics
 - LEFT= 55
 - RIGHT= 9
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_bb(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_bb(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_bb(ab);
 }
@@ -912,7 +913,7 @@ with const generics
 - LEFT= 25
 - RIGHT= 39
 */
-static KRML_MUSTINLINE __m256i rotate_left_b9(__m256i x) {
+static __m256i rotate_left_b9(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)25, x, __m256i),
                          mm256_srli_epi64((int32_t)39, x, __m256i));
 }
@@ -923,7 +924,7 @@ with const generics
 - LEFT= 25
 - RIGHT= 39
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_b9(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_b9(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_b9(ab);
 }
@@ -948,7 +949,7 @@ with const generics
 - LEFT= 21
 - RIGHT= 43
 */
-static KRML_MUSTINLINE __m256i rotate_left_54(__m256i x) {
+static __m256i rotate_left_54(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)21, x, __m256i),
                          mm256_srli_epi64((int32_t)43, x, __m256i));
 }
@@ -959,7 +960,7 @@ with const generics
 - LEFT= 21
 - RIGHT= 43
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_54(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_54(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_54(ab);
 }
@@ -984,7 +985,7 @@ with const generics
 - LEFT= 56
 - RIGHT= 8
 */
-static KRML_MUSTINLINE __m256i rotate_left_4c(__m256i x) {
+static __m256i rotate_left_4c(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)56, x, __m256i),
                          mm256_srli_epi64((int32_t)8, x, __m256i));
 }
@@ -995,7 +996,7 @@ with const generics
 - LEFT= 56
 - RIGHT= 8
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_4c(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_4c(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_4c(ab);
 }
@@ -1020,7 +1021,7 @@ with const generics
 - LEFT= 27
 - RIGHT= 37
 */
-static KRML_MUSTINLINE __m256i rotate_left_ce(__m256i x) {
+static __m256i rotate_left_ce(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)27, x, __m256i),
                          mm256_srli_epi64((int32_t)37, x, __m256i));
 }
@@ -1031,7 +1032,7 @@ with const generics
 - LEFT= 27
 - RIGHT= 37
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_ce(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_ce(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_ce(ab);
 }
@@ -1056,7 +1057,7 @@ with const generics
 - LEFT= 20
 - RIGHT= 44
 */
-static KRML_MUSTINLINE __m256i rotate_left_77(__m256i x) {
+static __m256i rotate_left_77(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)20, x, __m256i),
                          mm256_srli_epi64((int32_t)44, x, __m256i));
 }
@@ -1067,7 +1068,7 @@ with const generics
 - LEFT= 20
 - RIGHT= 44
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_77(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_77(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_77(ab);
 }
@@ -1092,7 +1093,7 @@ with const generics
 - LEFT= 39
 - RIGHT= 25
 */
-static KRML_MUSTINLINE __m256i rotate_left_25(__m256i x) {
+static __m256i rotate_left_25(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)39, x, __m256i),
                          mm256_srli_epi64((int32_t)25, x, __m256i));
 }
@@ -1103,7 +1104,7 @@ with const generics
 - LEFT= 39
 - RIGHT= 25
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_25(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_25(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_25(ab);
 }
@@ -1128,7 +1129,7 @@ with const generics
 - LEFT= 8
 - RIGHT= 56
 */
-static KRML_MUSTINLINE __m256i rotate_left_af(__m256i x) {
+static __m256i rotate_left_af(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)8, x, __m256i),
                          mm256_srli_epi64((int32_t)56, x, __m256i));
 }
@@ -1139,7 +1140,7 @@ with const generics
 - LEFT= 8
 - RIGHT= 56
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_af(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_af(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_af(ab);
 }
@@ -1164,7 +1165,7 @@ with const generics
 - LEFT= 14
 - RIGHT= 50
 */
-static KRML_MUSTINLINE __m256i rotate_left_fd(__m256i x) {
+static __m256i rotate_left_fd(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)14, x, __m256i),
                          mm256_srli_epi64((int32_t)50, x, __m256i));
 }
@@ -1175,7 +1176,7 @@ with const generics
 - LEFT= 14
 - RIGHT= 50
 */
-static KRML_MUSTINLINE __m256i _vxarq_u64_fd(__m256i a, __m256i b) {
+static __m256i _vxarq_u64_fd(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_fd(ab);
 }
@@ -1421,8 +1422,7 @@ A monomorphic instance of libcrux_sha3.simd.avx2.store_block
 with const generics
 - RATE= 136
 */
-static KRML_MUSTINLINE void store_block_5b(__m256i (*s)[5U],
-                                           Eurydice_slice out[4U]) {
+static void store_block_5b(__m256i (*s)[5U], Eurydice_slice out[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
     size_t i0 = i;
     __m256i v0l = mm256_permute2x128_si256(
@@ -1775,8 +1775,7 @@ A monomorphic instance of libcrux_sha3.simd.avx2.load_block
 with const generics
 - RATE= 168
 */
-static KRML_MUSTINLINE void load_block_3a(__m256i (*s)[5U],
-                                          Eurydice_slice blocks[4U]) {
+static void load_block_3a(__m256i (*s)[5U], Eurydice_slice blocks[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) {
     size_t i0 = i;
     __m256i v00 = mm256_loadu_si256_u8(
@@ -1962,8 +1961,7 @@ A monomorphic instance of libcrux_sha3.simd.avx2.store_block
 with const generics
 - RATE= 168
 */
-static KRML_MUSTINLINE void store_block_3a(__m256i (*s)[5U],
-                                           Eurydice_slice out[4U]) {
+static void store_block_3a(__m256i (*s)[5U], Eurydice_slice out[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) {
     size_t i0 = i;
     __m256i v0l = mm256_permute2x128_si256(
@@ -2207,8 +2205,7 @@ static KRML_MUSTINLINE void squeeze_first_five_blocks_97(
 /**
  Squeeze five blocks
 */
-KRML_MUSTINLINE void
-libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
+void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
   Eurydice_slice buf[4U] = {out0, out1, out2, out3};
@@ -2218,7 +2215,7 @@ libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
 /**
  Absorb
 */
-KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
+void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0,
     Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) {
   Eurydice_slice buf[4U] = {data0, data1, data2, data3};
@@ -2228,8 +2225,7 @@ KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
 /**
  Squeeze block
 */
-KRML_MUSTINLINE void
-libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
+void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
   Eurydice_slice buf[4U] = {out0, out1, out2, out3};
@@ -2239,8 +2235,7 @@ libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
 /**
  Squeeze next block
 */
-KRML_MUSTINLINE void
-libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block(
+void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
   Eurydice_slice buf[4U] = {out0, out1, out2, out3};
diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h
index 6b3a024e4..b13fc4697 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_sha3_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h
index 073cd070e..44ee7755b 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_internal.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_sha3_internal_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.c b/libcrux-ml-kem/c/libcrux_sha3_neon.c
index f9027dd69..527fa850b 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_sha3_neon.h"
@@ -16,8 +16,7 @@
 /**
  A portable SHA3 224 implementation.
 */
-KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest,
-                                              Eurydice_slice data) {
+void libcrux_sha3_neon_sha224(Eurydice_slice digest, Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -26,8 +25,7 @@ KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest,
 /**
  A portable SHA3 256 implementation.
 */
-KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest,
-                                              Eurydice_slice data) {
+void libcrux_sha3_neon_sha256(Eurydice_slice digest, Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -36,8 +34,7 @@ KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest,
 /**
  A portable SHA3 384 implementation.
 */
-KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest,
-                                              Eurydice_slice data) {
+void libcrux_sha3_neon_sha384(Eurydice_slice digest, Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -46,8 +43,7 @@ KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest,
 /**
  A portable SHA3 512 implementation.
 */
-KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest,
-                                              Eurydice_slice data) {
+void libcrux_sha3_neon_sha512(Eurydice_slice digest, Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -58,10 +54,8 @@ KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest,
 
  Writes the two results into `out0` and `out1`
 */
-KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0,
-                                                   Eurydice_slice input1,
-                                                   Eurydice_slice out0,
-                                                   Eurydice_slice out1) {
+void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, Eurydice_slice input1,
+                                   Eurydice_slice out0, Eurydice_slice out1) {
   /* TODO: make argument ordering consistent */
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
@@ -71,7 +65,7 @@ KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0,
 /**
  Initialise the `KeccakState2`.
 */
-KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState
+libcrux_sha3_neon_x2_incremental_KeccakState
 libcrux_sha3_neon_x2_incremental_init(void) {
   /* XXX: These functions could alternatively implement the same with the
    * portable implementation { let s0 = KeccakState::new(); let s1 =
@@ -84,7 +78,7 @@ libcrux_sha3_neon_x2_incremental_init(void) {
 /**
  Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`.
 */
-KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
+void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
     Eurydice_slice data1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -100,8 +94,7 @@ KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
  Squeeze 2 times the first three blocks in parallel in the
  [`KeccakState`] and return the output in `out0` and `out1`.
 */
-KRML_MUSTINLINE void
-libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
+void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -117,8 +110,7 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
  Squeeze 2 times the next block in parallel in the
  [`KeccakState`] and return the output in `out0` and `out1`.
 */
-KRML_MUSTINLINE void
-libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
+void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -133,8 +125,7 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
 /**
  Squeeze five blocks
 */
-KRML_MUSTINLINE void
-libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
+void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
@@ -145,7 +136,7 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
 /**
  Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`.
 */
-KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
+void libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
     Eurydice_slice data1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -160,8 +151,7 @@ KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
 /**
  Squeeze block
 */
-KRML_MUSTINLINE void
-libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
+void libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
@@ -172,8 +162,7 @@ libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
 /**
  Squeeze next block
 */
-KRML_MUSTINLINE void
-libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block(
+void libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.h b/libcrux-ml-kem/c/libcrux_sha3_neon.h
index a98e1e65c..0fda1a76f 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_sha3_neon_H

From 61f72fd4fb1d40b783d88235bfea91b6aaf6733b Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Mon, 4 Nov 2024 15:11:34 +0100
Subject: [PATCH 12/22] Fix paths

---
 libcrux-ml-dsa/src/hash_functions.rs | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs
index ba8f9e952..028b1906c 100644
--- a/libcrux-ml-dsa/src/hash_functions.rs
+++ b/libcrux-ml-dsa/src/hash_functions.rs
@@ -464,18 +464,18 @@ pub(crate) mod simd256 {
 
     /// AVX2 SHAKE 256 state
     pub(crate) struct Shake256 {
-        state: portable::KeccakState,
+        state: libcrux_sha3::portable::KeccakState,
     }
     impl shake256::Xof for Shake256 {
         #[inline(always)]
         fn shake256<const OUTPUT_LENGTH: usize>(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) {
-            portable::shake256(out, input);
+            libcrux_sha3::portable::shake256(out, input);
         }
 
         #[inline(always)]
         fn init_absorb(input: &[u8]) -> Self {
-            let mut state = portable::incremental::shake256_init();
-            portable::incremental::shake256_absorb_final(&mut state, input);
+            let mut state = libcrux_sha3::portable::incremental::shake256_init();
+            libcrux_sha3::portable::incremental::shake256_absorb_final(&mut state, input);
 
             Self { state }
         }
@@ -483,14 +483,20 @@ pub(crate) mod simd256 {
         #[inline(always)]
         fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] {
             let mut out = [0u8; shake256::BLOCK_SIZE];
-            portable::incremental::shake256_squeeze_first_block(&mut self.state, &mut out);
+            libcrux_sha3::portable::incremental::shake256_squeeze_first_block(
+                &mut self.state,
+                &mut out,
+            );
             out
         }
 
         #[inline(always)]
         fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] {
             let mut out = [0u8; shake256::BLOCK_SIZE];
-            portable::incremental::shake256_squeeze_next_block(&mut self.state, &mut out);
+            libcrux_sha3::portable::incremental::shake256_squeeze_next_block(
+                &mut self.state,
+                &mut out,
+            );
             out
         }
     }

From 654d83639e9633f6750a8fce3cb7240d993f10a2 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Tue, 5 Nov 2024 14:28:13 +0100
Subject: [PATCH 13/22] Missing `opaque_type`s in `hash_functions`

---
 libcrux-ml-dsa/src/hash_functions.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs
index 11b2461c1..7bb00e532 100644
--- a/libcrux-ml-dsa/src/hash_functions.rs
+++ b/libcrux-ml-dsa/src/hash_functions.rs
@@ -172,6 +172,7 @@ pub(crate) mod portable {
     }
 
     /// Portable SHAKE 128 state
+    #[cfg_attr(hax, hax_lib::opaque_type)]
     pub(crate) struct Shake128 {}
 
     fn shake128<const OUTPUT_LENGTH: usize>(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) {
@@ -469,6 +470,7 @@ pub(crate) mod simd256 {
     }
 
     /// AVX2 SHAKE 256 state
+    #[cfg_attr(hax, hax_lib::opaque_type)]
     pub(crate) struct Shake256 {
         state: libcrux_sha3::portable::KeccakState,
     }

From a19752d20d575244b1c88aacf92bb0a8ee02b1ad Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Tue, 5 Nov 2024 14:57:10 +0100
Subject: [PATCH 14/22] Make trait impl functions into wrappers

---
 libcrux-ml-dsa/src/hash_functions.rs | 55 +++++++++++++++++++---------
 1 file changed, 38 insertions(+), 17 deletions(-)

diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs
index 7bb00e532..ff22b6e78 100644
--- a/libcrux-ml-dsa/src/hash_functions.rs
+++ b/libcrux-ml-dsa/src/hash_functions.rs
@@ -474,38 +474,59 @@ pub(crate) mod simd256 {
     pub(crate) struct Shake256 {
         state: libcrux_sha3::portable::KeccakState,
     }
+
+    #[inline(always)]
+    fn shake256<const OUTPUT_LENGTH: usize>(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) {
+        libcrux_sha3::portable::shake256(out, input);
+    }
+
+    #[inline(always)]
+    fn init_absorb_shake256(input: &[u8]) -> Shake256 {
+        let mut state = libcrux_sha3::portable::incremental::shake256_init();
+        libcrux_sha3::portable::incremental::shake256_absorb_final(&mut state, input);
+
+        Shake256 { state }
+    }
+
+    #[inline(always)]
+    fn squeeze_first_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] {
+        let mut out = [0u8; shake256::BLOCK_SIZE];
+        libcrux_sha3::portable::incremental::shake256_squeeze_first_block(
+            &mut state.state,
+            &mut out,
+        );
+        out
+    }
+
+    #[inline(always)]
+    fn squeeze_next_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] {
+        let mut out = [0u8; shake256::BLOCK_SIZE];
+        libcrux_sha3::portable::incremental::shake256_squeeze_next_block(
+            &mut state.state,
+            &mut out,
+        );
+        out
+    }
+
     impl shake256::Xof for Shake256 {
         #[inline(always)]
         fn shake256<const OUTPUT_LENGTH: usize>(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) {
-            libcrux_sha3::portable::shake256(out, input);
+            shake256(input, out)
         }
 
         #[inline(always)]
         fn init_absorb(input: &[u8]) -> Self {
-            let mut state = libcrux_sha3::portable::incremental::shake256_init();
-            libcrux_sha3::portable::incremental::shake256_absorb_final(&mut state, input);
-
-            Self { state }
+            init_absorb_shake256(input)
         }
 
         #[inline(always)]
         fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] {
-            let mut out = [0u8; shake256::BLOCK_SIZE];
-            libcrux_sha3::portable::incremental::shake256_squeeze_first_block(
-                &mut self.state,
-                &mut out,
-            );
-            out
+            squeeze_first_block_shake256(self)
         }
 
         #[inline(always)]
         fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] {
-            let mut out = [0u8; shake256::BLOCK_SIZE];
-            libcrux_sha3::portable::incremental::shake256_squeeze_next_block(
-                &mut self.state,
-                &mut out,
-            );
-            out
+            squeeze_next_block_shake256(self)
         }
     }
 

From 837d70fb2e5bb26f5853d737533ea1d3d5015e78 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Tue, 5 Nov 2024 15:32:36 +0100
Subject: [PATCH 15/22] Don't use trait methods

---
 libcrux-ml-dsa/src/simd/portable/ntt.rs | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs
index 3f4e7f12a..11bfab4d2 100644
--- a/libcrux-ml-dsa/src/simd/portable/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs
@@ -1,11 +1,8 @@
-use super::arithmetic::{self, montgomery_multiply_fe_by_fer};
-use crate::simd::{
-    portable::PortableSIMDUnit,
-    traits::{
-        montgomery_multiply_by_fer, FieldElementTimesMontgomeryR, COEFFICIENTS_IN_SIMD_UNIT,
-        SIMD_UNITS_IN_RING_ELEMENT,
-    },
+use super::arithmetic::{
+    self, montgomery_multiply_by_constant, montgomery_multiply_fe_by_fer, MontgomeryFieldElement,
 };
+use super::vector_type::PortableSIMDUnit;
+use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT};
 
 #[inline(always)]
 pub fn simd_unit_ntt_at_layer_0(
@@ -280,15 +277,11 @@ fn ntt_at_layer_2(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
 }
 
 #[inline(always)]
-fn outer_3_plus<
-    const OFFSET: usize,
-    const STEP_BY: usize,
-    const ZETA: FieldElementTimesMontgomeryR,
->(
+fn outer_3_plus<const OFFSET: usize, const STEP_BY: usize, const ZETA: MontgomeryFieldElement>(
     re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT],
 ) {
     for j in OFFSET..OFFSET + STEP_BY {
-        let t = montgomery_multiply_by_fer(re[j + STEP_BY], ZETA);
+        let t = montgomery_multiply_by_constant(re[j + STEP_BY], ZETA);
 
         re[j + STEP_BY] = arithmetic::subtract(&re[j], &t);
         re[j] = arithmetic::add(&re[j], &t);

From 873ccf899d96801ea433ee2022526ba1b6c727f1 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Tue, 5 Nov 2024 15:33:38 +0100
Subject: [PATCH 16/22] Update F*

---
 ...ibcrux_ml_dsa.Hash_functions.Portable.fsti |    5 +-
 ...Libcrux_ml_dsa.Hash_functions.Simd256.fsti |   66 +-
 ...neric.Instantiations.Avx2.Avx2_feature.fst |   97 +
 ...eric.Instantiations.Avx2.Avx2_feature.fsti |   78 +
 ...dsa.Ml_dsa_generic.Instantiations.Avx2.fst |   52 +-
 ...sa.Ml_dsa_generic.Instantiations.Avx2.fsti |   12 -
 .../Libcrux_ml_dsa.Ml_dsa_generic.fst         |   24 +-
 .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst   | 2294 +++++++++++--
 .../fstar/extraction/Libcrux_ml_dsa.Ntt.fsti  |  119 +-
 .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst          | 2983 ++++++++++++++++-
 .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti         |   46 +-
 .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst      | 1545 +++++++--
 .../Libcrux_ml_dsa.Simd.Portable.Ntt.fsti     |   76 +-
 .../Libcrux_ml_dsa.Simd.Traits.fsti           |   40 -
 .../extraction/Libcrux_platform.X86.fsti      |    2 +-
 15 files changed, 6555 insertions(+), 884 deletions(-)
 create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst
 create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti

diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
index 19bf6bae1..c1b251529 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
@@ -4,7 +4,7 @@ open Core
 open FStar.Mul
 
 /// Portable SHAKE 128 state
-type t_Shake128 = | Shake128 : t_Shake128
+val t_Shake128:Type0
 
 /// Portable SHAKE 128 x4 state.
 /// We\'re using a portable implementation so this is actually sequential.
@@ -21,9 +21,6 @@ val t_Shake256Absorb:Type0
 
 val t_Shake256Squeeze:Type0
 
-val init_absorb__init_absorb (input: t_Slice u8)
-    : Prims.Pure Libcrux_sha3.Portable.t_KeccakState Prims.l_True (fun _ -> Prims.l_True)
-
 val init_absorb (input0 input1 input2 input3: t_Slice u8)
     : Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True)
 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
index a9b24b26a..97db532b4 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
@@ -11,13 +11,22 @@ val t_Shake128x4:Type0
 /// AVX2 SHAKE 256 x4 state.
 val t_Shake256x4:Type0
 
+/// AVX2 SHAKE 256 state
+val t_Shake256:Type0
+
 /// Init the state and absorb 4 blocks in parallel.
 val init_absorb (input0 input1 input2 input3: t_Slice u8)
     : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True)
 
+val init_absorb_shake256 (input: t_Slice u8)
+    : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True)
+
 val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8)
     : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True)
 
+val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH)
+    : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
+
 val shake256_x4
       (v_OUT_LEN: usize)
       (input0 input1 input2 input3: t_Slice u8)
@@ -27,6 +36,9 @@ val shake256_x4
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+val squeeze_first_block_shake256 (state: t_Shake256)
+    : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
+
 val squeeze_first_block_x4 (state: t_Shake256x4)
     : Prims.Pure
       (t_Shake256x4 &
@@ -143,6 +155,58 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 =
         (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
   }
 
+val squeeze_next_block_shake256 (state: t_Shake256)
+    : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 =
+  {
+    f_shake256_pre
+    =
+    (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true);
+    f_shake256_post
+    =
+    (fun
+        (v_OUTPUT_LENGTH: usize)
+        (input: t_Slice u8)
+        (out: t_Array u8 v_OUTPUT_LENGTH)
+        (out1: t_Array u8 v_OUTPUT_LENGTH)
+        ->
+        true);
+    f_shake256
+    =
+    (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) ->
+        let hax_temp_output, out:(Prims.unit & t_Array u8 v_OUTPUT_LENGTH) =
+          (), shake256 v_OUTPUT_LENGTH input out <: (Prims.unit & t_Array u8 v_OUTPUT_LENGTH)
+        in
+        out);
+    f_init_absorb_pre = (fun (input: t_Slice u8) -> true);
+    f_init_absorb_post = (fun (input: t_Slice u8) (out: t_Shake256) -> true);
+    f_init_absorb = (fun (input: t_Slice u8) -> init_absorb_shake256 input);
+    f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true);
+    f_squeeze_first_block_post
+    =
+    (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true);
+    f_squeeze_first_block
+    =
+    (fun (self: t_Shake256) ->
+        let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_first_block_shake256 self in
+        let self:t_Shake256 = tmp0 in
+        let hax_temp_output:t_Array u8 (sz 136) = out1 in
+        self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)));
+    f_squeeze_next_block_pre = (fun (self: t_Shake256) -> true);
+    f_squeeze_next_block_post
+    =
+    (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true);
+    f_squeeze_next_block
+    =
+    fun (self: t_Shake256) ->
+      let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_next_block_shake256 self in
+      let self:t_Shake256 = tmp0 in
+      let hax_temp_output:t_Array u8 (sz 136) = out1 in
+      self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136))
+  }
+
 val squeeze_next_block_x4 (state: t_Shake256x4)
     : Prims.Pure
       (t_Shake256x4 &
@@ -151,7 +215,7 @@ val squeeze_next_block_x4 (state: t_Shake256x4)
       (fun _ -> Prims.l_True)
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 =
+let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 =
   {
     f_init_absorb_x4_pre
     =
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst
new file mode 100644
index 000000000..db410963c
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst
@@ -0,0 +1,97 @@
+module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_dsa.Hash_functions.Shake128 in
+  let open Libcrux_ml_dsa.Hash_functions.Shake256 in
+  let open Libcrux_ml_dsa.Hash_functions.Simd256 in
+  let open Libcrux_ml_dsa.Pre_hash in
+  let open Libcrux_ml_dsa.Simd.Avx2 in
+  let open Libcrux_ml_dsa.Simd.Traits in
+  ()
+
+let generate_key_pair
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE:
+          usize)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA
+    v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness
+
+let sign
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize)
+      (v_GAMMA2: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
+          usize)
+      (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
+      (message context: t_Slice u8)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA
+    v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE
+    v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT
+    v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context
+    randomness
+
+let sign_pre_hashed_shake128
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize)
+      (v_GAMMA2: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
+          usize)
+      (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
+      (message context: t_Slice u8)
+      (randomness: t_Array u8 (sz 32))
+     =
+  Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH
+    (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2
+    v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
+    v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE
+    v_SIGNATURE_SIZE signing_key message context randomness
+
+let verify
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
+          usize)
+      (v_GAMMA2 v_BETA: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
+          usize)
+      (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE)
+      (message context: t_Slice u8)
+      (signature: t_Array u8 v_SIGNATURE_SIZE)
+     =
+  Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE
+    v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA
+    v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
+    v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature
+
+let verify_pre_hashed_shake128
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
+          usize)
+      (v_GAMMA2 v_BETA: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
+          usize)
+      (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE)
+      (message context: t_Slice u8)
+      (signature: t_Array u8 v_SIGNATURE_SIZE)
+     =
+  Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
+    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH
+    (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT
+    v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE
+    v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT
+    verification_key message context signature
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti
new file mode 100644
index 000000000..f5492bbb9
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti
@@ -0,0 +1,78 @@
+module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let _ =
+  (* This module has implicit dependencies, here we make them explicit. *)
+  (* The implicit dependencies arise from typeclasses instances. *)
+  let open Libcrux_ml_dsa.Hash_functions.Shake128 in
+  let open Libcrux_ml_dsa.Hash_functions.Shake256 in
+  let open Libcrux_ml_dsa.Hash_functions.Simd256 in
+  let open Libcrux_ml_dsa.Pre_hash in
+  let open Libcrux_ml_dsa.Simd.Avx2 in
+  let open Libcrux_ml_dsa.Simd.Traits in
+  ()
+
+/// Generate key pair.
+val generate_key_pair
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE:
+          usize)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+/// Sign.
+val sign
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize)
+      (v_GAMMA2: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
+          usize)
+      (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
+      (message context: t_Slice u8)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure
+      (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
+          Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Sign (pre-hashed).
+val sign_pre_hashed_shake128
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize)
+      (v_GAMMA2: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE:
+          usize)
+      (signing_key: t_Array u8 v_SIGNING_KEY_SIZE)
+      (message context: t_Slice u8)
+      (randomness: t_Array u8 (sz 32))
+    : Prims.Pure
+      (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
+          Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Verify.
+val verify
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
+          usize)
+      (v_GAMMA2 v_BETA: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
+          usize)
+      (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE)
+      (message context: t_Slice u8)
+      (signature: t_Array u8 v_SIGNATURE_SIZE)
+    : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+/// Verify (pre-hashed with SHAKE-128).
+val verify_pre_hashed_shake128
+      (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE:
+          usize)
+      (v_GAMMA2 v_BETA: i32)
+      (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT:
+          usize)
+      (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE)
+      (message context: t_Slice u8)
+      (signature: t_Array u8 v_SIGNATURE_SIZE)
+    : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst
index 7aab62832..42e4c6671 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst
@@ -3,28 +3,18 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2
 open Core
 open FStar.Mul
 
-let _ =
-  (* This module has implicit dependencies, here we make them explicit. *)
-  (* The implicit dependencies arise from typeclasses instances. *)
-  let open Libcrux_ml_dsa.Hash_functions.Portable in
-  let open Libcrux_ml_dsa.Hash_functions.Shake128 in
-  let open Libcrux_ml_dsa.Hash_functions.Shake256 in
-  let open Libcrux_ml_dsa.Hash_functions.Simd256 in
-  let open Libcrux_ml_dsa.Pre_hash in
-  let open Libcrux_ml_dsa.Simd.Avx2 in
-  let open Libcrux_ml_dsa.Simd.Traits in
-  ()
-
 let generate_key_pair
       (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE:
           usize)
       (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
-    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA
-    v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness
+  Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.generate_key_pair v_ROWS_IN_A
+    v_COLUMNS_IN_A
+    v_ETA
+    v_ERROR_RING_ELEMENT_SIZE
+    v_SIGNING_KEY_SIZE
+    v_VERIFICATION_KEY_SIZE
+    randomness
 
 let sign
       (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize)
@@ -35,11 +25,8 @@ let sign
       (message context: t_Slice u8)
       (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
-    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA
-    v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE
+  Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.sign v_ROWS_IN_A v_COLUMNS_IN_A
+    v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE
     v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT
     v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context
     randomness
@@ -53,11 +40,8 @@ let sign_pre_hashed_shake128
       (message context: t_Slice u8)
       (randomness: t_Array u8 (sz 32))
      =
-  Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
-    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH
-    (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2
+  Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.sign_pre_hashed_shake128 v_ROWS_IN_A
+    v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2
     v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
     v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE
     v_SIGNATURE_SIZE signing_key message context randomness
@@ -72,11 +56,9 @@ let verify
       (message context: t_Slice u8)
       (signature: t_Array u8 v_SIGNATURE_SIZE)
      =
-  Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
-    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE
-    v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA
-    v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
+  Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.verify v_ROWS_IN_A v_COLUMNS_IN_A
+    v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2
+    v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE
     v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature
 
 let verify_pre_hashed_shake128
@@ -89,10 +71,8 @@ let verify_pre_hashed_shake128
       (message context: t_Slice u8)
       (signature: t_Array u8 v_SIGNATURE_SIZE)
      =
-  Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit
-    #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4
-    #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH
-    (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT
+  Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.verify_pre_hashed_shake128 v_ROWS_IN_A
+    v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT
     v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE
     v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT
     verification_key message context signature
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti
index c244ca0d5..3763fcb0a 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti
@@ -3,18 +3,6 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2
 open Core
 open FStar.Mul
 
-let _ =
-  (* This module has implicit dependencies, here we make them explicit. *)
-  (* The implicit dependencies arise from typeclasses instances. *)
-  let open Libcrux_ml_dsa.Hash_functions.Portable in
-  let open Libcrux_ml_dsa.Hash_functions.Shake128 in
-  let open Libcrux_ml_dsa.Hash_functions.Shake256 in
-  let open Libcrux_ml_dsa.Hash_functions.Simd256 in
-  let open Libcrux_ml_dsa.Pre_hash in
-  let open Libcrux_ml_dsa.Simd.Avx2 in
-  let open Libcrux_ml_dsa.Simd.Traits in
-  ()
-
 /// Generate key pair.
 val generate_key_pair
       (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE:
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
index 878dd2cb5..95d331653 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
@@ -543,11 +543,7 @@ let sign
         <:
         Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness
   | Core.Result.Result_Err err ->
-    Core.Result.Result_Err
-    (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError
-        #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
-        #FStar.Tactics.Typeclasses.solve
-        err)
+    Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err)
     <:
     Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
       Libcrux_ml_dsa.Types.t_SigningError
@@ -608,11 +604,7 @@ let sign_pre_hashed
           <:
           Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness
     | Core.Result.Result_Err err ->
-      Core.Result.Result_Err
-      (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError
-          #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
-          #FStar.Tactics.Typeclasses.solve
-          err)
+      Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err)
       <:
       Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
         Libcrux_ml_dsa.Types.t_SigningError
@@ -806,11 +798,7 @@ let verify
         <:
         Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized
   | Core.Result.Result_Err err ->
-    Core.Result.Result_Err
-    (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError
-        #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
-        #FStar.Tactics.Typeclasses.solve
-        err)
+    Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err)
     <:
     Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
 
@@ -859,11 +847,7 @@ let verify_pre_hashed
         <:
         Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized
   | Core.Result.Result_Err err ->
-    Core.Result.Result_Err
-    (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError
-        #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
-        #FStar.Tactics.Typeclasses.solve
-        err)
+    Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err)
     <:
     Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst
index b36669c58..f0e0c4d22 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst
@@ -9,6 +9,1889 @@ let _ =
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
+let invert_ntt_at_layer_0_
+      (#v_SIMDUnit: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+     =
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 0)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit)
+            1976782l
+            (-846154l)
+            1400424l
+            3937738l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 1)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit)
+            (-1362209l)
+            (-48306l)
+            3919660l
+            (-554416l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 2)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit)
+            (-3545687l)
+            1612842l
+            (-976891l)
+            183443l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 3)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit)
+            (-2286327l)
+            (-420899l)
+            (-2235985l)
+            (-2939036l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 4)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit)
+            (-3833893l)
+            (-260646l)
+            (-1104333l)
+            (-1667432l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 5)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit)
+            1910376l
+            (-1803090l)
+            1723600l
+            (-426683l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 6)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit)
+            472078l
+            1717735l
+            (-975884l)
+            2213111l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 7)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit)
+            269760l
+            3866901l
+            3523897l
+            (-3038916l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 8)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit)
+            (-1799107l)
+            (-3694233l)
+            1652634l
+            810149l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 9)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit)
+            3014001l
+            1616392l
+            162844l
+            (-3183426l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 10)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit)
+            (-1207385l)
+            185531l
+            3369112l
+            1957272l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 11)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit)
+            (-164721l)
+            2454455l
+            2432395l
+            (-2013608l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 12)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit)
+            (-3776993l)
+            594136l
+            (-3724270l)
+            (-2584293l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 13)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit)
+            (-1846953l)
+            (-1671176l)
+            (-2831860l)
+            (-542412l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 14)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit)
+            3406031l
+            2235880l
+            777191l
+            1500165l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 15)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit)
+            (-1374803l)
+            (-2546312l)
+            1917081l
+            (-1279661l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 16)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit)
+            (-1962642l)
+            3306115l
+            1312455l
+            (-451100l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 17)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit)
+            (-1430225l)
+            (-3318210l)
+            1237275l
+            (-1333058l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 18)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit)
+            (-1050970l)
+            1903435l
+            1869119l
+            (-2994039l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 19)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit)
+            (-3548272l)
+            2635921l
+            1250494l
+            (-3767016l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 20)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit)
+            1595974l
+            2486353l
+            1247620l
+            4055324l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 21)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit)
+            1265009l
+            (-2590150l)
+            2691481l
+            2842341l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 22)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit)
+            203044l
+            1735879l
+            (-3342277l)
+            3437287l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 23)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit)
+            4108315l
+            (-2437823l)
+            286988l
+            342297l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 24)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit)
+            (-3595838l)
+            (-768622l)
+            (-525098l)
+            (-3556995l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 25)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit)
+            3207046l
+            2031748l
+            (-3122442l)
+            (-655327l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 26)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit)
+            (-522500l)
+            (-43260l)
+            (-1613174l)
+            495491l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 27)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit)
+            819034l
+            909542l
+            1859098l
+            900702l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 28)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit)
+            (-3193378l)
+            (-1197226l)
+            (-3759364l)
+            (-3520352l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 29)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit)
+            3513181l
+            (-1235728l)
+            2434439l
+            266997l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 30)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit)
+            (-3562462l)
+            (-2446433l)
+            2244091l
+            (-3342478l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 31)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit)
+            3817976l
+            2316500l
+            3407706l
+            2091667l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  re
+
+let invert_ntt_at_layer_1_
+      (#v_SIMDUnit: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+     =
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 0)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit)
+            3839961l
+            (-3628969l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 1)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit)
+            (-3881060l)
+            (-3019102l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 2)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit)
+            (-1439742l)
+            (-812732l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 3)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit)
+            (-1584928l)
+            1285669l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 4)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit)
+            1341330l
+            1315589l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 5)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit)
+            (-177440l)
+            (-2409325l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 6)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit)
+            (-1851402l)
+            3159746l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 7)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit)
+            (-3553272l)
+            189548l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 8)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit)
+            (-1316856l)
+            759969l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 9)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit)
+            (-210977l)
+            2389356l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 10)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit)
+            (-3249728l)
+            1653064l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 11)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit)
+            (-8578l)
+            (-3724342l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 12)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit)
+            3958618l
+            904516l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 13)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit)
+            (-1100098l)
+            44288l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 14)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit)
+            3097992l
+            508951l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 15)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit)
+            264944l
+            (-3343383l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 16)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit)
+            (-1430430l)
+            1852771l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 17)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit)
+            1349076l
+            (-381987l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 18)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit)
+            (-1308169l)
+            (-22981l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 19)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit)
+            (-1228525l)
+            (-671102l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 20)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit)
+            (-2477047l)
+            (-411027l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 21)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit)
+            (-3693493l)
+            (-2967645l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 22)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit)
+            2715295l
+            2147896l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 23)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit)
+            (-983419l)
+            3412210l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 24)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit)
+            126922l
+            (-3632928l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 25)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit)
+            (-3157330l)
+            (-3190144l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 26)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit)
+            (-1000202l)
+            (-4083598l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 27)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit)
+            1939314l
+            (-1257611l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 28)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit)
+            (-1585221l)
+            2176455l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 29)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit)
+            3475950l
+            (-1452451l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 30)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit)
+            (-3041255l)
+            (-3677745l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 31)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit)
+            (-1528703l)
+            (-3930395l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  re
+
+let invert_ntt_at_layer_2_
+      (#v_SIMDUnit: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+     =
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 0)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit)
+            (-2797779l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 1)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit)
+            2071892l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 2)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit)
+            (-2556880l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 3)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit)
+            3900724l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 4)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit)
+            3881043l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 5)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit)
+            954230l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 6)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit)
+            531354l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 7)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit)
+            811944l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 8)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit)
+            3699596l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 9)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit)
+            (-1600420l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 10)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit)
+            (-2140649l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 11)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit)
+            3507263l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 12)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit)
+            (-3821735l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 13)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit)
+            3505694l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 14)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit)
+            (-1643818l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 15)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit)
+            (-1699267l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 16)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit)
+            (-539299l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 17)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit)
+            2348700l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 18)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit)
+            (-300467l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 19)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit)
+            3539968l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 20)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit)
+            (-2867647l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 21)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit)
+            3574422l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 22)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit)
+            (-3043716l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 23)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit)
+            (-3861115l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 24)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit)
+            3915439l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 25)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit)
+            (-2537516l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 26)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit)
+            (-3592148l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 27)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit)
+            (-1661693l)
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 28)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit)
+            3530437l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 29)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit)
+            3077325l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 30)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit)
+            95776l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    {
+      re with
+      Libcrux_ml_dsa.Polynomial.f_simd_units
+      =
+      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+          .Libcrux_ml_dsa.Polynomial.f_simd_units
+        (sz 31)
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
+            #FStar.Tactics.Typeclasses.solve
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit)
+            2706023l
+          <:
+          v_SIMDUnit)
+    }
+    <:
+    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+  in
+  re
+
 let ntt
       (#v_SIMDUnit: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -26,30 +1909,32 @@ let ntt
   <:
   Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
 
-let invert_ntt_at_layer_1_
+let outer_3_plus
       (#v_SIMDUnit: Type0)
+      (v_OFFSET v_STEP_BY: usize)
+      (v_ZETA: i32)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
-      (zeta_i: usize)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
      =
-  let zeta_i:usize = zeta_i -! sz 1 in
-  let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (sz 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize)
-      (fun temp_0_ temp_1_ ->
-          let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) =
-            temp_0_
-          in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    Rust_primitives.Hax.Folds.fold_range v_OFFSET
+      (v_OFFSET +! v_STEP_BY <: usize)
+      (fun re temp_1_ ->
+          let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in
           let _:usize = temp_1_ in
           true)
-      (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) =
-            temp_0_
+      re
+      (fun re j ->
+          let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in
+          let j:usize = j in
+          let a_minus_b:v_SIMDUnit =
+            Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit
+              #FStar.Tactics.Typeclasses.solve
+              (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! v_STEP_BY <: usize ] <: v_SIMDUnit)
+              (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit)
           in
-          let round:usize = round in
           let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
             {
               re with
@@ -57,48 +1942,19 @@ let invert_ntt_at_layer_1_
               =
               Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
                   .Libcrux_ml_dsa.Polynomial.f_simd_units
-                round
-                (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+                j
+                (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit
                     #FStar.Tactics.Typeclasses.solve
-                    (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit)
-                    (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                    (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32)
+                    (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit)
+                    (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! v_STEP_BY <: usize ]
+                      <:
+                      v_SIMDUnit)
                   <:
                   v_SIMDUnit)
             }
             <:
             Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
           in
-          let zeta_i:usize = zeta_i -! sz 2 in
-          re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize))
-  in
-  let zeta_i:usize = zeta_i +! sz 1 in
-  zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-
-let invert_ntt_at_layer_2_
-      (#v_SIMDUnit: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
-      (zeta_i: usize)
-      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-     =
-  let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (sz 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize)
-      (fun temp_0_ temp_1_ ->
-          let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) =
-            temp_0_
-          in
-          let _:usize = temp_1_ in
-          true)
-      (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) =
-            temp_0_
-          in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i -! sz 1 in
           let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
             {
               re with
@@ -106,169 +1962,156 @@ let invert_ntt_at_layer_2_
               =
               Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
                   .Libcrux_ml_dsa.Polynomial.f_simd_units
-                round
-                (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-                    #FStar.Tactics.Typeclasses.solve
-                    (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit)
-                    (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                (j +! v_STEP_BY <: usize)
+                (Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #v_SIMDUnit a_minus_b v_ZETA
                   <:
                   v_SIMDUnit)
             }
             <:
             Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
           in
-          re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize))
+          re)
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
-  zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+  re
 
-let invert_ntt_at_layer_3_plus
+let invert_ntt_at_layer_3_
       (#v_SIMDUnit: Type0)
-      (v_LAYER: usize)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
-      (zeta_i: usize)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
      =
-  let step:usize = sz 1 <<! v_LAYER in
-  let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (sz 128 >>! v_LAYER <: usize)
-      (fun temp_0_ temp_1_ ->
-          let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) =
-            temp_0_
-          in
-          let _:usize = temp_1_ in
-          true)
-      (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) =
-            temp_0_
-          in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i -! sz 1 in
-          let offset:usize =
-            ((round *! step <: usize) *! sz 2 <: usize) /!
-            Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-          in
-          let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in
-          let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-            Rust_primitives.Hax.Folds.fold_range offset
-              (offset +! step_by <: usize)
-              (fun re temp_1_ ->
-                  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in
-                  let _:usize = temp_1_ in
-                  true)
-              re
-              (fun re j ->
-                  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in
-                  let j:usize = j in
-                  let a_minus_b:v_SIMDUnit =
-                    Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit
-                      #FStar.Tactics.Typeclasses.solve
-                      (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! step_by <: usize ]
-                        <:
-                        v_SIMDUnit)
-                      (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit)
-                  in
-                  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-                    {
-                      re with
-                      Libcrux_ml_dsa.Polynomial.f_simd_units
-                      =
-                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-                          .Libcrux_ml_dsa.Polynomial.f_simd_units
-                        j
-                        (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit
-                            #FStar.Tactics.Typeclasses.solve
-                            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit)
-                            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! step_by <: usize ]
-                              <:
-                              v_SIMDUnit)
-                          <:
-                          v_SIMDUnit)
-                    }
-                    <:
-                    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-                  in
-                  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-                    {
-                      re with
-                      Libcrux_ml_dsa.Polynomial.f_simd_units
-                      =
-                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-                          .Libcrux_ml_dsa.Polynomial.f_simd_units
-                        (j +! step_by <: usize)
-                        (Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #v_SIMDUnit
-                            a_minus_b
-                            (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                          <:
-                          v_SIMDUnit)
-                    }
-                    <:
-                    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize))
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 0) (sz 1) 280005l re
   in
-  let hax_temp_output:Prims.unit = () <: Prims.unit in
-  zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 2) (sz 1) 4010497l re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 4) (sz 1) (-19422l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 6) (sz 1) 1757237l re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 8) (sz 1) (-3277672l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 10) (sz 1) (-1399561l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 12) (sz 1) (-3859737l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 14) (sz 1) (-2118186l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 16) (sz 1) (-2108549l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 18) (sz 1) 2619752l re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 20) (sz 1) (-1119584l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 22) (sz 1) (-549488l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 24) (sz 1) 3585928l re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 26) (sz 1) (-1079900l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 28) (sz 1) 1024112l re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 30) (sz 1) 2725464l re
+  in
+  re
 
-let invert_ntt_at_layer_0_
+let invert_ntt_at_layer_4_
       (#v_SIMDUnit: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
-      (zeta_i: usize)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
      =
-  let zeta_i:usize = zeta_i -! sz 1 in
-  let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (Core.Slice.impl__len #v_SIMDUnit
-          (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit)
-        <:
-        usize)
-      (fun temp_0_ temp_1_ ->
-          let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) =
-            temp_0_
-          in
-          let _:usize = temp_1_ in
-          true)
-      (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) =
-            temp_0_
-          in
-          let round:usize = round in
-          let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-            {
-              re with
-              Libcrux_ml_dsa.Polynomial.f_simd_units
-              =
-              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-                  .Libcrux_ml_dsa.Polynomial.f_simd_units
-                round
-                (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-                    #FStar.Tactics.Typeclasses.solve
-                    (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit)
-                    (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                    (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32)
-                    (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 2 <: usize ] <: i32)
-                    (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 3 <: usize ] <: i32)
-                  <:
-                  v_SIMDUnit)
-            }
-            <:
-            Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-          in
-          let zeta_i:usize = zeta_i -! sz 4 in
-          re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize))
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 0) (sz 2) 2680103l re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 4) (sz 2) 3111497l re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 8) (sz 2) (-2884855l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 12) (sz 2) 3119733l re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 16) (sz 2) (-2091905l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 20) (sz 2) (-359251l) re
   in
-  let zeta_i:usize = zeta_i +! sz 1 in
-  zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 24) (sz 2) 2353451l re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 28) (sz 2) 1826347l re
+  in
+  re
+
+let invert_ntt_at_layer_5_
+      (#v_SIMDUnit: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+     =
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 0) (sz 4) 466468l re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 8) (sz 4) (-876248l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 16) (sz 4) (-777960l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 24) (sz 4) 237124l re
+  in
+  re
+
+let invert_ntt_at_layer_6_
+      (#v_SIMDUnit: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+     =
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 0) (sz 8) (-518909l) re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 16) (sz 8) (-2608894l) re
+  in
+  re
+
+let invert_ntt_at_layer_7_
+      (#v_SIMDUnit: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+     =
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    outer_3_plus #v_SIMDUnit (sz 0) (sz 16) 25847l re
+  in
+  re
 
 let invert_ntt_montgomery
       (#v_SIMDUnit: Type0)
@@ -277,55 +2120,30 @@ let invert_ntt_montgomery
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
      =
-  let zeta_i:usize = Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT in
-  let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    invert_ntt_at_layer_0_ #v_SIMDUnit zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    invert_ntt_at_layer_1_ #v_SIMDUnit zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    invert_ntt_at_layer_2_ #v_SIMDUnit zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 3) zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 4) zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 5) zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 6) zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
-    invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 7) zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in
-  let _:Prims.unit = () in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0_ #v_SIMDUnit re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1_ #v_SIMDUnit re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_2_ #v_SIMDUnit re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_3_ #v_SIMDUnit re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_4_ #v_SIMDUnit re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_5_ #v_SIMDUnit re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_6_ #v_SIMDUnit re
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_7_ #v_SIMDUnit re
+  in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
     Rust_primitives.Hax.Folds.fold_range (sz 0)
       (Core.Slice.impl__len #v_SIMDUnit
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti
index d15c500f9..ed4cbfb4e 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti
@@ -9,47 +9,27 @@ let _ =
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
-let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 256) =
-  let list =
-    [
-      0l; 25847l; (-2608894l); (-518909l); 237124l; (-777960l); (-876248l); 466468l; 1826347l;
-      2353451l; (-359251l); (-2091905l); 3119733l; (-2884855l); 3111497l; 2680103l; 2725464l;
-      1024112l; (-1079900l); 3585928l; (-549488l); (-1119584l); 2619752l; (-2108549l); (-2118186l);
-      (-3859737l); (-1399561l); (-3277672l); 1757237l; (-19422l); 4010497l; 280005l; 2706023l;
-      95776l; 3077325l; 3530437l; (-1661693l); (-3592148l); (-2537516l); 3915439l; (-3861115l);
-      (-3043716l); 3574422l; (-2867647l); 3539968l; (-300467l); 2348700l; (-539299l); (-1699267l);
-      (-1643818l); 3505694l; (-3821735l); 3507263l; (-2140649l); (-1600420l); 3699596l; 811944l;
-      531354l; 954230l; 3881043l; 3900724l; (-2556880l); 2071892l; (-2797779l); (-3930395l);
-      (-1528703l); (-3677745l); (-3041255l); (-1452451l); 3475950l; 2176455l; (-1585221l);
-      (-1257611l); 1939314l; (-4083598l); (-1000202l); (-3190144l); (-3157330l); (-3632928l);
-      126922l; 3412210l; (-983419l); 2147896l; 2715295l; (-2967645l); (-3693493l); (-411027l);
-      (-2477047l); (-671102l); (-1228525l); (-22981l); (-1308169l); (-381987l); 1349076l; 1852771l;
-      (-1430430l); (-3343383l); 264944l; 508951l; 3097992l; 44288l; (-1100098l); 904516l; 3958618l;
-      (-3724342l); (-8578l); 1653064l; (-3249728l); 2389356l; (-210977l); 759969l; (-1316856l);
-      189548l; (-3553272l); 3159746l; (-1851402l); (-2409325l); (-177440l); 1315589l; 1341330l;
-      1285669l; (-1584928l); (-812732l); (-1439742l); (-3019102l); (-3881060l); (-3628969l);
-      3839961l; 2091667l; 3407706l; 2316500l; 3817976l; (-3342478l); 2244091l; (-2446433l);
-      (-3562462l); 266997l; 2434439l; (-1235728l); 3513181l; (-3520352l); (-3759364l); (-1197226l);
-      (-3193378l); 900702l; 1859098l; 909542l; 819034l; 495491l; (-1613174l); (-43260l); (-522500l);
-      (-655327l); (-3122442l); 2031748l; 3207046l; (-3556995l); (-525098l); (-768622l); (-3595838l);
-      342297l; 286988l; (-2437823l); 4108315l; 3437287l; (-3342277l); 1735879l; 203044l; 2842341l;
-      2691481l; (-2590150l); 1265009l; 4055324l; 1247620l; 2486353l; 1595974l; (-3767016l); 1250494l;
-      2635921l; (-3548272l); (-2994039l); 1869119l; 1903435l; (-1050970l); (-1333058l); 1237275l;
-      (-3318210l); (-1430225l); (-451100l); 1312455l; 3306115l; (-1962642l); (-1279661l); 1917081l;
-      (-2546312l); (-1374803l); 1500165l; 777191l; 2235880l; 3406031l; (-542412l); (-2831860l);
-      (-1671176l); (-1846953l); (-2584293l); (-3724270l); 594136l; (-3776993l); (-2013608l);
-      2432395l; 2454455l; (-164721l); 1957272l; 3369112l; 185531l; (-1207385l); (-3183426l); 162844l;
-      1616392l; 3014001l; 810149l; 1652634l; (-3694233l); (-1799107l); (-3038916l); 3523897l;
-      3866901l; 269760l; 2213111l; (-975884l); 1717735l; 472078l; (-426683l); 1723600l; (-1803090l);
-      1910376l; (-1667432l); (-1104333l); (-260646l); (-3833893l); (-2939036l); (-2235985l);
-      (-420899l); (-2286327l); 183443l; (-976891l); 1612842l; (-3545687l); (-554416l); 3919660l;
-      (-48306l); (-1362209l); 3937738l; 1400424l; (-846154l); 1976782l
-    ]
-  in
-  FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256);
-  Rust_primitives.Hax.array_of_list 256 list
+let invert_ntt_at_layer_3___STEP: usize = sz 8
 
-val ntt
+let invert_ntt_at_layer_3___STEP_BY: usize = sz 1
+
+let invert_ntt_at_layer_4___STEP: usize = sz 16
+
+let invert_ntt_at_layer_4___STEP_BY: usize = sz 2
+
+let invert_ntt_at_layer_5___STEP: usize = sz 32
+
+let invert_ntt_at_layer_5___STEP_BY: usize = sz 4
+
+let invert_ntt_at_layer_6___STEP: usize = sz 64
+
+let invert_ntt_at_layer_6___STEP_BY: usize = sz 8
+
+let invert_ntt_at_layer_7___STEP: usize = sz 128
+
+let invert_ntt_at_layer_7___STEP_BY: usize = sz 16
+
+val invert_ntt_at_layer_0_
       (#v_SIMDUnit: Type0)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
@@ -60,37 +40,74 @@ val ntt
 val invert_ntt_at_layer_1_
       (#v_SIMDUnit: Type0)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      (zeta_i: usize)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-    : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+    : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
 val invert_ntt_at_layer_2_
       (#v_SIMDUnit: Type0)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      (zeta_i: usize)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-    : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+    : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val ntt
+      (#v_SIMDUnit: Type0)
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+    : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val invert_ntt_at_layer_3_plus
+val outer_3_plus
       (#v_SIMDUnit: Type0)
-      (v_LAYER: usize)
+      (v_OFFSET v_STEP_BY: usize)
+      (v_ZETA: i32)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      (zeta_i: usize)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-    : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+    : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val invert_ntt_at_layer_0_
+val invert_ntt_at_layer_3_
+      (#v_SIMDUnit: Type0)
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+    : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_4_
+      (#v_SIMDUnit: Type0)
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+    : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_5_
+      (#v_SIMDUnit: Type0)
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+    : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_6_
       (#v_SIMDUnit: Type0)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
-      (zeta_i: usize)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-    : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+    : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val invert_ntt_at_layer_7_
+      (#v_SIMDUnit: Type0)
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+    : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst
index 0e6daf656..fb55f5f13 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst
@@ -121,225 +121,2854 @@ let invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) =
   let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in
   Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 240l sums products
 
-let ntt_at_layer_3_plus (v_LAYER zeta_i: usize) (re: t_Array u8 (sz 32)) =
-  let step:usize = sz 1 <<! v_LAYER in
-  let re, zeta_i:(t_Array u8 (sz 32) & usize) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (sz 128 >>! v_LAYER <: usize)
-      (fun temp_0_ temp_1_ ->
-          let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in
+let ntt_at_layer_0_ (re: t_Array u8 (sz 32)) =
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 0 ] <: u8) (re.[ sz 0 +! sz 1 <: usize ] <: u8) 2091667l 3407706l 2316500l
+      3817976l (-3342478l) 2244091l (-2446433l) (-3562462l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 2 ] <: u8) (re.[ sz 2 +! sz 1 <: usize ] <: u8) 266997l 2434439l
+      (-1235728l) 3513181l (-3520352l) (-3759364l) (-1197226l) (-3193378l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 4 ] <: u8) (re.[ sz 4 +! sz 1 <: usize ] <: u8) 900702l 1859098l 909542l
+      819034l 495491l (-1613174l) (-43260l) (-522500l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 6 ] <: u8) (re.[ sz 6 +! sz 1 <: usize ] <: u8) (-655327l) (-3122442l)
+      2031748l 3207046l (-3556995l) (-525098l) (-768622l) (-3595838l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 8 ] <: u8) (re.[ sz 8 +! sz 1 <: usize ] <: u8) 342297l 286988l
+      (-2437823l) 4108315l 3437287l (-3342277l) 1735879l 203044l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 10 ] <: u8) (re.[ sz 10 +! sz 1 <: usize ] <: u8) 2842341l 2691481l
+      (-2590150l) 1265009l 4055324l 1247620l 2486353l 1595974l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 12 ] <: u8) (re.[ sz 12 +! sz 1 <: usize ] <: u8) (-3767016l) 1250494l
+      2635921l (-3548272l) (-2994039l) 1869119l 1903435l (-1050970l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 14 ] <: u8) (re.[ sz 14 +! sz 1 <: usize ] <: u8) (-1333058l) 1237275l
+      (-3318210l) (-1430225l) (-451100l) 1312455l 3306115l (-1962642l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 16 ] <: u8) (re.[ sz 16 +! sz 1 <: usize ] <: u8) (-1279661l) 1917081l
+      (-2546312l) (-1374803l) 1500165l 777191l 2235880l 3406031l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 18 ] <: u8) (re.[ sz 18 +! sz 1 <: usize ] <: u8) (-542412l) (-2831860l)
+      (-1671176l) (-1846953l) (-2584293l) (-3724270l) 594136l (-3776993l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 20 ] <: u8) (re.[ sz 20 +! sz 1 <: usize ] <: u8) (-2013608l) 2432395l
+      2454455l (-164721l) 1957272l 3369112l 185531l (-1207385l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 22 ] <: u8) (re.[ sz 22 +! sz 1 <: usize ] <: u8) (-3183426l) 162844l
+      1616392l 3014001l 810149l 1652634l (-3694233l) (-1799107l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 24 ] <: u8) (re.[ sz 24 +! sz 1 <: usize ] <: u8) (-3038916l) 3523897l
+      3866901l 269760l 2213111l (-975884l) 1717735l 472078l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 26 ] <: u8) (re.[ sz 26 +! sz 1 <: usize ] <: u8) (-426683l) 1723600l
+      (-1803090l) 1910376l (-1667432l) (-1104333l) (-260646l) (-3833893l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 28 ] <: u8) (re.[ sz 28 +! sz 1 <: usize ] <: u8) (-2939036l) (-2235985l)
+      (-420899l) (-2286327l) 183443l (-976891l) 1612842l (-3545687l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_2_ (re.[ sz 30 ] <: u8) (re.[ sz 30 +! sz 1 <: usize ] <: u8) (-554416l) 3919660l
+      (-48306l) (-1362209l) 3937738l 1400424l (-846154l) 1976782l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b
+  in
+  re
+
+let ntt_at_layer_1_ (re: t_Array u8 (sz 32)) =
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 0 ] <: u8)
+      (re.[ sz 0 +! sz 1 <: usize ] <: u8)
+      (-3930395l)
+      (-1528703l)
+      (-3677745l)
+      (-3041255l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 2 ] <: u8)
+      (re.[ sz 2 +! sz 1 <: usize ] <: u8)
+      (-1452451l)
+      3475950l
+      2176455l
+      (-1585221l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 4 ] <: u8)
+      (re.[ sz 4 +! sz 1 <: usize ] <: u8)
+      (-1257611l)
+      1939314l
+      (-4083598l)
+      (-1000202l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 6 ] <: u8)
+      (re.[ sz 6 +! sz 1 <: usize ] <: u8)
+      (-3190144l)
+      (-3157330l)
+      (-3632928l)
+      126922l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 8 ] <: u8)
+      (re.[ sz 8 +! sz 1 <: usize ] <: u8)
+      3412210l
+      (-983419l)
+      2147896l
+      2715295l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 10 ] <: u8)
+      (re.[ sz 10 +! sz 1 <: usize ] <: u8)
+      (-2967645l)
+      (-3693493l)
+      (-411027l)
+      (-2477047l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 12 ] <: u8)
+      (re.[ sz 12 +! sz 1 <: usize ] <: u8)
+      (-671102l)
+      (-1228525l)
+      (-22981l)
+      (-1308169l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 14 ] <: u8)
+      (re.[ sz 14 +! sz 1 <: usize ] <: u8)
+      (-381987l)
+      1349076l
+      1852771l
+      (-1430430l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 16 ] <: u8)
+      (re.[ sz 16 +! sz 1 <: usize ] <: u8)
+      (-3343383l)
+      264944l
+      508951l
+      3097992l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 18 ] <: u8)
+      (re.[ sz 18 +! sz 1 <: usize ] <: u8)
+      44288l
+      (-1100098l)
+      904516l
+      3958618l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 20 ] <: u8)
+      (re.[ sz 20 +! sz 1 <: usize ] <: u8)
+      (-3724342l)
+      (-8578l)
+      1653064l
+      (-3249728l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 22 ] <: u8)
+      (re.[ sz 22 +! sz 1 <: usize ] <: u8)
+      2389356l
+      (-210977l)
+      759969l
+      (-1316856l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 24 ] <: u8)
+      (re.[ sz 24 +! sz 1 <: usize ] <: u8)
+      189548l
+      (-3553272l)
+      3159746l
+      (-1851402l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 26 ] <: u8)
+      (re.[ sz 26 +! sz 1 <: usize ] <: u8)
+      (-2409325l)
+      (-177440l)
+      1315589l
+      1341330l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 28 ] <: u8)
+      (re.[ sz 28 +! sz 1 <: usize ] <: u8)
+      1285669l
+      (-1584928l)
+      (-812732l)
+      (-1439742l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_4_ (re.[ sz 30 ] <: u8)
+      (re.[ sz 30 +! sz 1 <: usize ] <: u8)
+      (-3019102l)
+      (-3881060l)
+      (-3628969l)
+      3839961l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b
+  in
+  re
+
+let ntt_at_layer_2_ (re: t_Array u8 (sz 32)) =
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 0 ] <: u8) (re.[ sz 0 +! sz 1 <: usize ] <: u8) 2706023l 95776l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 2 ] <: u8) (re.[ sz 2 +! sz 1 <: usize ] <: u8) 3077325l 3530437l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 4 ] <: u8) (re.[ sz 4 +! sz 1 <: usize ] <: u8) (-1661693l) (-3592148l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 6 ] <: u8) (re.[ sz 6 +! sz 1 <: usize ] <: u8) (-2537516l) 3915439l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 8 ] <: u8) (re.[ sz 8 +! sz 1 <: usize ] <: u8) (-3861115l) (-3043716l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 10 ] <: u8) (re.[ sz 10 +! sz 1 <: usize ] <: u8) 3574422l (-2867647l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 12 ] <: u8) (re.[ sz 12 +! sz 1 <: usize ] <: u8) 3539968l (-300467l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 14 ] <: u8) (re.[ sz 14 +! sz 1 <: usize ] <: u8) 2348700l (-539299l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 16 ] <: u8) (re.[ sz 16 +! sz 1 <: usize ] <: u8) (-1699267l) (-1643818l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 18 ] <: u8) (re.[ sz 18 +! sz 1 <: usize ] <: u8) 3505694l (-3821735l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 20 ] <: u8) (re.[ sz 20 +! sz 1 <: usize ] <: u8) 3507263l (-2140649l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 22 ] <: u8) (re.[ sz 22 +! sz 1 <: usize ] <: u8) (-1600420l) 3699596l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 24 ] <: u8) (re.[ sz 24 +! sz 1 <: usize ] <: u8) 811944l 531354l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 26 ] <: u8) (re.[ sz 26 +! sz 1 <: usize ] <: u8) 954230l 3881043l
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 28 ] <: u8) (re.[ sz 28 +! sz 1 <: usize ] <: u8) 3900724l (-2556880l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b
+  in
+  let a, b:(u8 & u8) =
+    butterfly_8_ (re.[ sz 30 ] <: u8) (re.[ sz 30 +! sz 1 <: usize ] <: u8) 2071892l (-2797779l)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b
+  in
+  re
+
+let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
+  let field_modulus:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
+  in
+  let inverse_of_modulus_mod_montgomery_r:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
+            <:
+            u64)
+        <:
+        i32)
+  in
+  let zeta7:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 25847l in
+  let zeta60:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2608894l) in
+  let zeta61:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-518909l) in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 1 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0 +! sz 1 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 2 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0 +! sz 2 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 3 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0 +! sz 3 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let _:Prims.unit = () in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 8 +! ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ sz 8 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 8 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 8)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 1 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 8 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 8 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 8 +! sz 1 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 2 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 8 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 8 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 8 +! sz 2 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 3 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 8 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 8 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 8 +! sz 3 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let _:Prims.unit = () in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta60
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 1 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta60
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0 +! sz 1 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 2 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta60
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0 +! sz 2 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 3 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta60
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0 +! sz 3 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let _:Prims.unit = () in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 16 +! ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta61
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ sz 16 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 16 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 16)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 1 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta61
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 16 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 16 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 16 +! sz 1 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 2 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta61
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 16 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 16 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 16 +! sz 2 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 3 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta61
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 16 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 16 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 16 +! sz 3 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let _:Prims.unit = () in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 1 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4 +! sz 1 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 2 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4 +! sz 2 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 3 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4 +! sz 3 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let _:Prims.unit = () in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 12 +! ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ sz 12 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 12 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 12)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 1 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 12 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 12 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 12 +! sz 1 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 2 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 12 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 12 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 12 +! sz 2 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 3 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_7_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta7
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 12 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 12 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 12 +! sz 3 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let _:Prims.unit = () in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta60
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 1 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta60
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4 +! sz 1 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 2 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta60
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4 +! sz 2 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 3 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta60
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4 +! sz 3 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let _:Prims.unit = () in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 20 +! ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta61
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ sz 20 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 20 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 20)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 1 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta61
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 20 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 20 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 20 +! sz 1 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 1 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 2 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta61
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 20 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 20 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 20 +! sz 2 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 2 <: usize ] <: u8) t <: u8)
+  in
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 3 <: usize) +!
+          ntt_at_layer_7_and_6___STEP_BY_6_
+          <:
+          usize ]
+        <:
+        u8)
+      zeta61
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ (sz 20 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      ((sz 20 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 20 +! sz 3 <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 3 <: usize ] <: u8) t <: u8)
+  in
+  let _:Prims.unit = () in
+  re
+
+let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) =
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 237124l in
+  let offset:usize =
+    ((sz 0 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-777960l) in
+  let offset:usize =
+    ((sz 1 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-876248l) in
+  let offset:usize =
+    ((sz 2 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 466468l in
+  let offset:usize =
+    ((sz 3 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let _:Prims.unit = () in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1826347l in
+  let offset:usize =
+    ((sz 0 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_1
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2353451l in
+  let offset:usize =
+    ((sz 1 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
           let _:usize = temp_1_ in
           true)
-      (re, zeta_i <: (t_Array u8 (sz 32) & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize =
-            ((round *! step <: usize) *! sz 2 <: usize) /!
-            Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-          in
-          let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Folds.fold_range offset
-              (offset +! step_by <: usize)
-              (fun re temp_1_ ->
-                  let re:t_Array u8 (sz 32) = re in
-                  let _:usize = temp_1_ in
-                  true)
-              re
-              (fun re j ->
-                  let re:t_Array u8 (sz 32) = re in
-                  let j:usize = j in
-                  let t:u8 =
-                    Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant (re.[ j +!
-                          step_by
-                          <:
-                          usize ]
-                        <:
-                        u8)
-                      (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:t_Array u8 (sz 32) =
-                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-                      (j +! step_by <: usize)
-                      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-                  in
-                  let re:t_Array u8 (sz 32) =
-                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-                      j
-                      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-                  in
-                  re)
-          in
-          re, zeta_i <: (t_Array u8 (sz 32) & usize))
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_1
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
   in
-  let hax_temp_output:Prims.unit = () <: Prims.unit in
-  zeta_i, re <: (usize & t_Array u8 (sz 32))
-
-let ntt_at_layer_0_ (zeta_i: usize) (re: t_Array u8 (sz 32)) =
-  let zeta_i:usize = zeta_i +! sz 1 in
-  let re, zeta_i:(t_Array u8 (sz 32) & usize) =
-    Rust_primitives.Hax.Folds.fold_range_step_by (sz 0)
-      (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize)
-      (sz 2)
-      (fun temp_0_ temp_1_ ->
-          let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-359251l) in
+  let offset:usize =
+    ((sz 2 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_1
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2091905l) in
+  let offset:usize =
+    ((sz 3 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
           let _:usize = temp_1_ in
           true)
-      (re, zeta_i <: (t_Array u8 (sz 32) & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in
-          let round:usize = round in
-          let a, b:(u8 & u8) =
-            butterfly_2_ (re.[ round ] <: u8) (re.[ round +! sz 1 <: usize ] <: u8)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ]
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_1
+                  <:
+                  usize ]
                 <:
-                i32)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ]
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3119733l in
+  let offset:usize =
+    ((sz 4 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_1
+                  <:
+                  usize ]
                 <:
-                i32)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ]
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2884855l) in
+  let offset:usize =
+    ((sz 5 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_1
+                  <:
+                  usize ]
                 <:
-                i32)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 4 <: usize ]
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3111497l in
+  let offset:usize =
+    ((sz 6 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_1
+                  <:
+                  usize ]
                 <:
-                i32)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 5 <: usize ]
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2680103l in
+  let offset:usize =
+    ((sz 7 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_1
+                  <:
+                  usize ]
                 <:
-                i32)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 6 <: usize ]
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let _:Prims.unit = () in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2725464l in
+  let offset:usize =
+    ((sz 0 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
                 <:
-                i32)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 7 <: usize ]
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1024112l in
+  let offset:usize =
+    ((sz 1 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
                 <:
-                i32)
+                u8)
+              rhs
           in
           let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
           in
           let re:t_Array u8 (sz 32) =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (round +! sz 1 <: usize)
-              b
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
           in
-          let zeta_i:usize = zeta_i +! sz 8 in
-          re, zeta_i <: (t_Array u8 (sz 32) & usize))
+          re)
   in
-  let zeta_i:usize = zeta_i -! sz 1 in
-  zeta_i, re <: (usize & t_Array u8 (sz 32))
-
-let ntt_at_layer_1_ (zeta_i: usize) (re: t_Array u8 (sz 32)) =
-  let zeta_i:usize = zeta_i +! sz 1 in
-  let re, zeta_i:(t_Array u8 (sz 32) & usize) =
-    Rust_primitives.Hax.Folds.fold_range_step_by (sz 0)
-      (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize)
-      (sz 2)
-      (fun temp_0_ temp_1_ ->
-          let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1079900l) in
+  let offset:usize =
+    ((sz 2 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
           let _:usize = temp_1_ in
           true)
-      (re, zeta_i <: (t_Array u8 (sz 32) & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in
-          let round:usize = round in
-          let a, b:(u8 & u8) =
-            butterfly_4_ (re.[ round ] <: u8)
-              (re.[ round +! sz 1 <: usize ] <: u8)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ]
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
                 <:
-                i32)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ]
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3585928l in
+  let offset:usize =
+    ((sz 3 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
                 <:
-                i32)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ]
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-549488l) in
+  let offset:usize =
+    ((sz 4 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
                 <:
-                i32)
+                u8)
+              rhs
           in
           let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
           in
           let re:t_Array u8 (sz 32) =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (round +! sz 1 <: usize)
-              b
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
           in
-          let zeta_i:usize = zeta_i +! sz 4 in
-          re, zeta_i <: (t_Array u8 (sz 32) & usize))
+          re)
   in
-  let zeta_i:usize = zeta_i -! sz 1 in
-  zeta_i, re <: (usize & t_Array u8 (sz 32))
-
-let ntt_at_layer_2_ (zeta_i: usize) (re: t_Array u8 (sz 32)) =
-  let re, zeta_i:(t_Array u8 (sz 32) & usize) =
-    Rust_primitives.Hax.Folds.fold_range_step_by (sz 0)
-      (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize)
-      (sz 2)
-      (fun temp_0_ temp_1_ ->
-          let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1119584l) in
+  let offset:usize =
+    ((sz 5 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2619752l in
+  let offset:usize =
+    ((sz 6 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2108549l) in
+  let offset:usize =
+    ((sz 7 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2118186l) in
+  let offset:usize =
+    ((sz 8 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-3859737l) in
+  let offset:usize =
+    ((sz 9 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1399561l) in
+  let offset:usize =
+    ((sz 10 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-3277672l) in
+  let offset:usize =
+    ((sz 11 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1757237l in
+  let offset:usize =
+    ((sz 12 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-19422l) in
+  let offset:usize =
+    ((sz 13 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 4010497l in
+  let offset:usize =
+    ((sz 14 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
+          let _:usize = temp_1_ in
+          true)
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
+                <:
+                u8)
+              rhs
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
+          in
+          let re:t_Array u8 (sz 32) =
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
+          in
+          re)
+  in
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 280005l in
+  let offset:usize =
+    ((sz 15 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range offset
+      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array u8 (sz 32) = re in
           let _:usize = temp_1_ in
           true)
-      (re, zeta_i <: (t_Array u8 (sz 32) & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let a, b:(u8 & u8) =
-            butterfly_8_ (re.[ round ] <: u8)
-              (re.[ round +! sz 1 <: usize ] <: u8)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-              (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ]
+      re
+      (fun re j ->
+          let re:t_Array u8 (sz 32) = re in
+          let j:usize = j in
+          let t:u8 =
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
+                  ntt_at_layer_5_to_3___STEP_BY_2
+                  <:
+                  usize ]
                 <:
-                i32)
+                u8)
+              rhs
           in
           let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
           in
           let re:t_Array u8 (sz 32) =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (round +! sz 1 <: usize)
-              b
+              j
+              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
           in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          re, zeta_i <: (t_Array u8 (sz 32) & usize))
+          re)
   in
+  let _:Prims.unit = () in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
-  zeta_i, re <: (usize & t_Array u8 (sz 32))
+  re
 
 let ntt (re: t_Array u8 (sz 32)) =
-  let zeta_i:usize = sz 0 in
-  let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 7) zeta_i re in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array u8 (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 6) zeta_i re in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array u8 (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 5) zeta_i re in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array u8 (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 4) zeta_i re in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array u8 (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 3) zeta_i re in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array u8 (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_2_ zeta_i re in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array u8 (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_1_ zeta_i re in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array u8 (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_0_ zeta_i re in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array u8 (sz 32) = tmp1 in
-  let _:Prims.unit = () in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_7_and_6_ re in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3_ re in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2_ re in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_1_ re in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_0_ re in
   re
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti
index 2b4b65ff5..afa539b9a 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti
@@ -5,6 +5,27 @@ open FStar.Mul
 
 let butterfly_2___SHUFFLE: i32 = 216l
 
+let ntt_at_layer_5_to_3___STEP: usize = sz 1 <<! 5l
+
+let ntt_at_layer_5_to_3___STEP_1: usize = sz 1 <<! 4l
+
+let ntt_at_layer_5_to_3___STEP_2: usize = sz 1 <<! 3l
+
+let ntt_at_layer_5_to_3___STEP_BY: usize =
+  ntt_at_layer_5_to_3___STEP /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+
+let ntt_at_layer_5_to_3___STEP_BY_1: usize =
+  ntt_at_layer_5_to_3___STEP_1 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+
+let ntt_at_layer_5_to_3___STEP_BY_2: usize =
+  ntt_at_layer_5_to_3___STEP_2 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+
+let ntt_at_layer_7_and_6___STEP_BY_6_: usize =
+  (sz 1 <<! 6l <: usize) /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+
+let ntt_at_layer_7_and_6___STEP_BY_7_: usize =
+  sz 2 *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+
 val butterfly_2_ (a b: u8) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32)
     : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
 
@@ -23,17 +44,26 @@ val invert_ntt_at_layer_1_ (simd_unit: u8) (zeta0 zeta1: i32)
 val invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32)
     : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
 
-val ntt_at_layer_3_plus (v_LAYER zeta_i: usize) (re: t_Array u8 (sz 32))
-    : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+val ntt_at_layer_0_ (re: t_Array u8 (sz 32))
+    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
-val ntt_at_layer_0_ (zeta_i: usize) (re: t_Array u8 (sz 32))
-    : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+val ntt_at_layer_1_ (re: t_Array u8 (sz 32))
+    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
-val ntt_at_layer_1_ (zeta_i: usize) (re: t_Array u8 (sz 32))
-    : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+val ntt_at_layer_2_ (re: t_Array u8 (sz 32))
+    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
-val ntt_at_layer_2_ (zeta_i: usize) (re: t_Array u8 (sz 32))
-    : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// This is equivalent to the pqclean 0 and 1
+/// This does 32 Montgomery multiplications (192 multiplications).
+/// This is the same as in pqclean. The only difference is locality of registers.
+val ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32))
+    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Layer 5, 4, 3
+/// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total
+/// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48)
+val ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32))
+    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
 val ntt (re: t_Array u8 (sz 32))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
index 47babb998..8cb54365c 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
@@ -591,6 +591,427 @@ let simd_unit_ntt_at_layer_0_
   in
   simd_unit
 
+let ntt_at_layer_0_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+     =
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 0 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          2091667l
+          3407706l
+          2316500l
+          3817976l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 1)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 1 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3342478l)
+          2244091l
+          (-2446433l)
+          (-3562462l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 2)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 2 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          266997l
+          2434439l
+          (-1235728l)
+          3513181l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 3)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 3 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3520352l)
+          (-3759364l)
+          (-1197226l)
+          (-3193378l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 4 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          900702l
+          1859098l
+          909542l
+          819034l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 5)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 5 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          495491l
+          (-1613174l)
+          (-43260l)
+          (-522500l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 6)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 6 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-655327l)
+          (-3122442l)
+          2031748l
+          3207046l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 7)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 7 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3556995l)
+          (-525098l)
+          (-768622l)
+          (-3595838l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 8)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 8 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          342297l
+          286988l
+          (-2437823l)
+          4108315l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 9)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 9 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3437287l
+          (-3342277l)
+          1735879l
+          203044l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 10)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 10 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          2842341l
+          2691481l
+          (-2590150l)
+          1265009l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 11)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 11 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          4055324l
+          1247620l
+          2486353l
+          1595974l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 12)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 12 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3767016l)
+          1250494l
+          2635921l
+          (-3548272l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 13)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 13 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-2994039l)
+          1869119l
+          1903435l
+          (-1050970l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 14)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 14 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-1333058l)
+          1237275l
+          (-3318210l)
+          (-1430225l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 15)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 15 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-451100l)
+          1312455l
+          3306115l
+          (-1962642l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 16)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 16 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-1279661l)
+          1917081l
+          (-2546312l)
+          (-1374803l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 17)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 17 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          1500165l
+          777191l
+          2235880l
+          3406031l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 18)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 18 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-542412l)
+          (-2831860l)
+          (-1671176l)
+          (-1846953l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 19)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 19 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-2584293l)
+          (-3724270l)
+          594136l
+          (-3776993l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 20)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 20 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-2013608l)
+          2432395l
+          2454455l
+          (-164721l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 21)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 21 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          1957272l
+          3369112l
+          185531l
+          (-1207385l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 22)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 22 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3183426l)
+          162844l
+          1616392l
+          3014001l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 23)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 23 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          810149l
+          1652634l
+          (-3694233l)
+          (-1799107l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 24)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 24 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3038916l)
+          3523897l
+          3866901l
+          269760l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 25)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 25 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          2213111l
+          (-975884l)
+          1717735l
+          472078l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 26)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 26 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-426683l)
+          1723600l
+          (-1803090l)
+          1910376l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 27)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 27 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-1667432l)
+          (-1104333l)
+          (-260646l)
+          (-3833893l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 28)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 28 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-2939036l)
+          (-2235985l)
+          (-420899l)
+          (-2286327l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 29)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 29 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          183443l
+          (-976891l)
+          1612842l
+          (-3545687l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 30)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 30 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-554416l)
+          3919660l
+          (-48306l)
+          (-1362209l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 31)
+      (simd_unit_ntt_at_layer_0_ (re.[ sz 31 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3937738l
+          1400424l
+          (-846154l)
+          1976782l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  re
+
 let simd_unit_ntt_at_layer_1_
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
       (zeta1 zeta2: i32)
@@ -745,6 +1166,363 @@ let simd_unit_ntt_at_layer_1_
   in
   simd_unit
 
+let ntt_at_layer_1_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+     =
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 0 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3930395l)
+          (-1528703l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 1)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 1 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3677745l)
+          (-3041255l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 2)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 2 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-1452451l)
+          3475950l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 3)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 3 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          2176455l
+          (-1585221l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 4 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-1257611l)
+          1939314l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 5)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 5 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-4083598l)
+          (-1000202l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 6)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 6 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3190144l)
+          (-3157330l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 7)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 7 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3632928l)
+          126922l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 8)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 8 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3412210l
+          (-983419l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 9)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 9 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          2147896l
+          2715295l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 10)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 10 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-2967645l)
+          (-3693493l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 11)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 11 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-411027l)
+          (-2477047l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 12)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 12 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-671102l)
+          (-1228525l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 13)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 13 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-22981l)
+          (-1308169l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 14)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 14 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-381987l)
+          1349076l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 15)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 15 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          1852771l
+          (-1430430l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 16)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 16 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3343383l)
+          264944l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 17)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 17 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          508951l
+          3097992l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 18)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 18 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          44288l
+          (-1100098l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 19)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 19 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          904516l
+          3958618l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 20)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 20 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3724342l)
+          (-8578l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 21)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 21 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          1653064l
+          (-3249728l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 22)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 22 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          2389356l
+          (-210977l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 23)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 23 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          759969l
+          (-1316856l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 24)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 24 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          189548l
+          (-3553272l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 25)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 25 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3159746l
+          (-1851402l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 26)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 26 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-2409325l)
+          (-177440l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 27)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 27 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          1315589l
+          1341330l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 28)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 28 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          1285669l
+          (-1584928l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 29)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 29 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-812732l)
+          (-1439742l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 30)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 30 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3019102l)
+          (-3881060l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 31)
+      (simd_unit_ntt_at_layer_1_ (re.[ sz 31 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3628969l)
+          3839961l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  re
+
 let simd_unit_ntt_at_layer_2_
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
       (zeta: i32)
@@ -899,315 +1677,522 @@ let simd_unit_ntt_at_layer_2_
   in
   simd_unit
 
-let ntt_at_layer_0_
-      (zeta_i: usize)
+let ntt_at_layer_2_
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
      =
-  let zeta_i:usize = zeta_i +! sz 1 in
-  let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) &
-    usize) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-          (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-        <:
-        usize)
-      (fun temp_0_ temp_1_ ->
-          let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-              (sz 32) &
-            usize) =
-            temp_0_
-          in
-          let _:usize = temp_1_ in
-          true)
-      (re, zeta_i
-        <:
-        (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-              (sz 32) &
-            usize) =
-            temp_0_
-          in
-          let round:usize = round in
-          let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              round
-              (simd_unit_ntt_at_layer_0_ (re.[ round ]
-                    <:
-                    Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-                  (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ]
-                    <:
-                    i32)
-                  (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ]
-                    <:
-                    i32)
-                  (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ]
-                    <:
-                    i32)
-                <:
-                Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          in
-          let zeta_i:usize = zeta_i +! sz 4 in
-          re, zeta_i
-          <:
-          (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize))
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 0)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 0 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          2706023l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 1)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 1 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          95776l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 2)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 2 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3077325l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 3)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 3 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3530437l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 4)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 4 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-1661693l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 5)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 5 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3592148l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 6)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 6 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-2537516l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 7)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 7 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3915439l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 8)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 8 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3861115l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 9)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 9 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3043716l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 10)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 10 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3574422l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 11)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 11 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-2867647l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 12)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 12 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3539968l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 13)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 13 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-300467l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 14)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 14 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          2348700l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 15)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 15 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-539299l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 16)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 16 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-1699267l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 17)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 17 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-1643818l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 18)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 18 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3505694l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 19)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 19 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-3821735l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 20)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 20 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3507263l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 21)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 21 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-2140649l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 22)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 22 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-1600420l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 23)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 23 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3699596l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 24)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 24 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          811944l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 25)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 25 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          531354l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 26)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 26 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          954230l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 27)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 27 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3881043l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 28)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 28 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          3900724l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 29)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 29 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-2556880l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 30)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 30 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          2071892l
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (sz 31)
+      (simd_unit_ntt_at_layer_2_ (re.[ sz 31 ]
+            <:
+            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+          (-2797779l)
+        <:
+        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
   in
-  let zeta_i:usize = zeta_i -! sz 1 in
-  zeta_i, re
-  <:
-  (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+  re
 
-let ntt_at_layer_1_
-      (zeta_i: usize)
+let outer_3_plus
+      (v_OFFSET v_STEP_BY: usize)
+      (v_ZETA: i32)
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
      =
-  let zeta_i:usize = zeta_i +! sz 1 in
-  let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) &
-    usize) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-          (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-        <:
-        usize)
-      (fun temp_0_ temp_1_ ->
-          let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-              (sz 32) &
-            usize) =
-            temp_0_
-          in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    Rust_primitives.Hax.Folds.fold_range v_OFFSET
+      (v_OFFSET +! v_STEP_BY <: usize)
+      (fun re temp_1_ ->
+          let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in
           let _:usize = temp_1_ in
           true)
-      (re, zeta_i
-        <:
-        (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-              (sz 32) &
-            usize) =
-            temp_0_
+      re
+      (fun re j ->
+          let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in
+          let j:usize = j in
+          let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit =
+            Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ j +!
+                  v_STEP_BY
+                  <:
+                  usize ]
+                <:
+                Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+              v_ZETA
           in
-          let round:usize = round in
           let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              round
-              (simd_unit_ntt_at_layer_1_ (re.[ round ]
+              (j +! v_STEP_BY <: usize)
+              (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j ]
                     <:
                     Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-                  (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ]
-                    <:
-                    i32)
+                  t
                 <:
                 Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
           in
-          let zeta_i:usize = zeta_i +! sz 2 in
-          re, zeta_i
-          <:
-          (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize))
-  in
-  let zeta_i:usize = zeta_i -! sz 1 in
-  zeta_i, re
-  <:
-  (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
-
-let ntt_at_layer_2_
-      (zeta_i: usize)
-      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
-     =
-  let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) &
-    usize) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-          (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-        <:
-        usize)
-      (fun temp_0_ temp_1_ ->
-          let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-              (sz 32) &
-            usize) =
-            temp_0_
-          in
-          let _:usize = temp_1_ in
-          true)
-      (re, zeta_i
-        <:
-        (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-              (sz 32) &
-            usize) =
-            temp_0_
-          in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
           let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              round
-              (simd_unit_ntt_at_layer_2_ (re.[ round ]
+              j
+              (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ]
                     <:
                     Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-                  (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  t
                 <:
                 Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
           in
-          re, zeta_i
-          <:
-          (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize))
+          re)
   in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
-  zeta_i, re
-  <:
-  (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+  re
 
-let ntt_at_layer_3_plus
-      (v_LAYER zeta_i: usize)
+let ntt_at_layer_3_
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
      =
-  let step:usize = sz 1 <<! v_LAYER in
-  let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) &
-    usize) =
-    Rust_primitives.Hax.Folds.fold_range (sz 0)
-      (sz 128 >>! v_LAYER <: usize)
-      (fun temp_0_ temp_1_ ->
-          let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-              (sz 32) &
-            usize) =
-            temp_0_
-          in
-          let _:usize = temp_1_ in
-          true)
-      (re, zeta_i
-        <:
-        (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit
-              (sz 32) &
-            usize) =
-            temp_0_
-          in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize =
-            ((round *! step <: usize) *! sz 2 <: usize) /!
-            Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-          in
-          let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in
-          let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-            Rust_primitives.Hax.Folds.fold_range offset
-              (offset +! step_by <: usize)
-              (fun re temp_1_ ->
-                  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)
-                  =
-                    re
-                  in
-                  let _:usize = temp_1_ in
-                  true)
-              re
-              (fun re j ->
-                  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)
-                  =
-                    re
-                  in
-                  let j:usize = j in
-                  let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit =
-                    Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ j +!
-                          step_by
-                          <:
-                          usize ]
-                        <:
-                        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-                      (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)
-                  =
-                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-                      (j +! step_by <: usize)
-                      (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j ]
-                            <:
-                            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-                          t
-                        <:
-                        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-                  in
-                  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)
-                  =
-                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-                      j
-                      (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ]
-                            <:
-                            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-                          t
-                        <:
-                        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-                  in
-                  re)
-          in
-          re, zeta_i
-          <:
-          (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize))
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 0) (sz 1) 2725464l re
   in
-  let hax_temp_output:Prims.unit = () <: Prims.unit in
-  zeta_i, re
-  <:
-  (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 2) (sz 1) 1024112l re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 4) (sz 1) (-1079900l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 6) (sz 1) 3585928l re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 8) (sz 1) (-549488l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 10) (sz 1) (-1119584l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 12) (sz 1) 2619752l re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 14) (sz 1) (-2108549l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 16) (sz 1) (-2118186l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 18) (sz 1) (-3859737l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 20) (sz 1) (-1399561l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 22) (sz 1) (-3277672l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 24) (sz 1) 1757237l re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 26) (sz 1) (-19422l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 28) (sz 1) 4010497l re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 30) (sz 1) 280005l re
+  in
+  re
+
+let ntt_at_layer_4_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+     =
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 0) (sz 2) 1826347l re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 4) (sz 2) 2353451l re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 8) (sz 2) (-359251l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 12) (sz 2) (-2091905l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 16) (sz 2) 3119733l re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 20) (sz 2) (-2884855l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 24) (sz 2) 3111497l re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 28) (sz 2) 2680103l re
+  in
+  re
+
+let ntt_at_layer_5_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+     =
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 0) (sz 4) 237124l re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 8) (sz 4) (-777960l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 16) (sz 4) (-876248l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 24) (sz 4) 466468l re
+  in
+  re
+
+let ntt_at_layer_6_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+     =
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 0) (sz 8) (-2608894l) re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 16) (sz 8) (-518909l) re
+  in
+  re
+
+let ntt_at_layer_7_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+     =
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    outer_3_plus (sz 0) (sz 16) 25847l re
+  in
+  re
 
 let ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) =
-  let zeta_i:usize = sz 0 in
-  let tmp0, tmp1:(usize &
-    t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) =
-    ntt_at_layer_3_plus (sz 7) zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize &
-    t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) =
-    ntt_at_layer_3_plus (sz 6) zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize &
-    t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) =
-    ntt_at_layer_3_plus (sz 5) zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize &
-    t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) =
-    ntt_at_layer_3_plus (sz 4) zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize &
-    t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) =
-    ntt_at_layer_3_plus (sz 3) zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize &
-    t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) =
-    ntt_at_layer_2_ zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize &
-    t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) =
-    ntt_at_layer_1_ zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in
-  let _:Prims.unit = () in
-  let tmp0, tmp1:(usize &
-    t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) =
-    ntt_at_layer_0_ zeta_i re
-  in
-  let zeta_i:usize = tmp0 in
-  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in
-  let _:Prims.unit = () in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    ntt_at_layer_7_ re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    ntt_at_layer_6_ re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    ntt_at_layer_5_ re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    ntt_at_layer_4_ re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    ntt_at_layer_3_ re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    ntt_at_layer_2_ re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    ntt_at_layer_1_ re
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    ntt_at_layer_0_ re
+  in
   re
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti
index abb1d13d4..61fd4f830 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti
@@ -3,6 +3,26 @@ module Libcrux_ml_dsa.Simd.Portable.Ntt
 open Core
 open FStar.Mul
 
+let ntt_at_layer_3___STEP: usize = sz 8
+
+let ntt_at_layer_3___STEP_BY: usize = sz 1
+
+let ntt_at_layer_4___STEP: usize = sz 16
+
+let ntt_at_layer_4___STEP_BY: usize = sz 2
+
+let ntt_at_layer_5___STEP: usize = sz 32
+
+let ntt_at_layer_5___STEP_BY: usize = sz 4
+
+let ntt_at_layer_6___STEP: usize = sz 64
+
+let ntt_at_layer_6___STEP_BY: usize = sz 8
+
+let ntt_at_layer_7___STEP: usize = sz 128
+
+let ntt_at_layer_7___STEP_BY: usize = sz 16
+
 val invert_ntt_at_layer_0_
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
       (zeta0 zeta1 zeta2 zeta3: i32)
@@ -31,6 +51,12 @@ val simd_unit_ntt_at_layer_0_
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+val ntt_at_layer_0_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+    : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 val simd_unit_ntt_at_layer_1_
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
       (zeta1 zeta2: i32)
@@ -38,6 +64,12 @@ val simd_unit_ntt_at_layer_1_
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+val ntt_at_layer_1_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+    : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 val simd_unit_ntt_at_layer_2_
       (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
       (zeta: i32)
@@ -45,35 +77,47 @@ val simd_unit_ntt_at_layer_2_
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val ntt_at_layer_0_
-      (zeta_i: usize)
+val ntt_at_layer_2_
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
-    : Prims.Pure
-      (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+    : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val ntt_at_layer_1_
-      (zeta_i: usize)
+val outer_3_plus
+      (v_OFFSET v_STEP_BY: usize)
+      (v_ZETA: i32)
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
-    : Prims.Pure
-      (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+    : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val ntt_at_layer_2_
-      (zeta_i: usize)
+val ntt_at_layer_3_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+    : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val ntt_at_layer_4_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+    : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val ntt_at_layer_5_
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
-    : Prims.Pure
-      (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+    : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-val ntt_at_layer_3_plus
-      (v_LAYER zeta_i: usize)
+val ntt_at_layer_6_
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
-    : Prims.Pure
-      (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+    : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
+val ntt_at_layer_7_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+    : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
       Prims.l_True
       (fun _ -> Prims.l_True)
 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti
index 1ef0cb0e8..543e2b390 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti
@@ -181,45 +181,5 @@ let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL
 let v_SIMD_UNITS_IN_RING_ELEMENT: usize =
   Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT
 
-let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 256) =
-  let list =
-    [
-      0l; 25847l; (-2608894l); (-518909l); 237124l; (-777960l); (-876248l); 466468l; 1826347l;
-      2353451l; (-359251l); (-2091905l); 3119733l; (-2884855l); 3111497l; 2680103l; 2725464l;
-      1024112l; (-1079900l); 3585928l; (-549488l); (-1119584l); 2619752l; (-2108549l); (-2118186l);
-      (-3859737l); (-1399561l); (-3277672l); 1757237l; (-19422l); 4010497l; 280005l; 2706023l;
-      95776l; 3077325l; 3530437l; (-1661693l); (-3592148l); (-2537516l); 3915439l; (-3861115l);
-      (-3043716l); 3574422l; (-2867647l); 3539968l; (-300467l); 2348700l; (-539299l); (-1699267l);
-      (-1643818l); 3505694l; (-3821735l); 3507263l; (-2140649l); (-1600420l); 3699596l; 811944l;
-      531354l; 954230l; 3881043l; 3900724l; (-2556880l); 2071892l; (-2797779l); (-3930395l);
-      (-1528703l); (-3677745l); (-3041255l); (-1452451l); 3475950l; 2176455l; (-1585221l);
-      (-1257611l); 1939314l; (-4083598l); (-1000202l); (-3190144l); (-3157330l); (-3632928l);
-      126922l; 3412210l; (-983419l); 2147896l; 2715295l; (-2967645l); (-3693493l); (-411027l);
-      (-2477047l); (-671102l); (-1228525l); (-22981l); (-1308169l); (-381987l); 1349076l; 1852771l;
-      (-1430430l); (-3343383l); 264944l; 508951l; 3097992l; 44288l; (-1100098l); 904516l; 3958618l;
-      (-3724342l); (-8578l); 1653064l; (-3249728l); 2389356l; (-210977l); 759969l; (-1316856l);
-      189548l; (-3553272l); 3159746l; (-1851402l); (-2409325l); (-177440l); 1315589l; 1341330l;
-      1285669l; (-1584928l); (-812732l); (-1439742l); (-3019102l); (-3881060l); (-3628969l);
-      3839961l; 2091667l; 3407706l; 2316500l; 3817976l; (-3342478l); 2244091l; (-2446433l);
-      (-3562462l); 266997l; 2434439l; (-1235728l); 3513181l; (-3520352l); (-3759364l); (-1197226l);
-      (-3193378l); 900702l; 1859098l; 909542l; 819034l; 495491l; (-1613174l); (-43260l); (-522500l);
-      (-655327l); (-3122442l); 2031748l; 3207046l; (-3556995l); (-525098l); (-768622l); (-3595838l);
-      342297l; 286988l; (-2437823l); 4108315l; 3437287l; (-3342277l); 1735879l; 203044l; 2842341l;
-      2691481l; (-2590150l); 1265009l; 4055324l; 1247620l; 2486353l; 1595974l; (-3767016l); 1250494l;
-      2635921l; (-3548272l); (-2994039l); 1869119l; 1903435l; (-1050970l); (-1333058l); 1237275l;
-      (-3318210l); (-1430225l); (-451100l); 1312455l; 3306115l; (-1962642l); (-1279661l); 1917081l;
-      (-2546312l); (-1374803l); 1500165l; 777191l; 2235880l; 3406031l; (-542412l); (-2831860l);
-      (-1671176l); (-1846953l); (-2584293l); (-3724270l); 594136l; (-3776993l); (-2013608l);
-      2432395l; 2454455l; (-164721l); 1957272l; 3369112l; 185531l; (-1207385l); (-3183426l); 162844l;
-      1616392l; 3014001l; 810149l; 1652634l; (-3694233l); (-1799107l); (-3038916l); 3523897l;
-      3866901l; 269760l; 2213111l; (-975884l); 1717735l; 472078l; (-426683l); 1723600l; (-1803090l);
-      1910376l; (-1667432l); (-1104333l); (-260646l); (-3833893l); (-2939036l); (-2235985l);
-      (-420899l); (-2286327l); 183443l; (-976891l); 1612842l; (-3545687l); (-554416l); 3919660l;
-      (-48306l); (-1362209l); 3937738l; 1400424l; (-846154l); 1976782l
-    ]
-  in
-  FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256);
-  Rust_primitives.Hax.array_of_list 256 list
-
 val montgomery_multiply_by_fer (#v_S: Type0) {| i1: t_Operations v_S |} (simd_unit: v_S) (fer: i32)
     : Prims.Pure v_S Prims.l_True (fun _ -> Prims.l_True)
diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti
index 0b77def1e..968a5585c 100644
--- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti
+++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti
@@ -1,5 +1,5 @@
 module Libcrux_platform.X86
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
 open Core
 open FStar.Mul
 

From b1ad8bbfa00359592f24d10b1c33827c741e44ed Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Wed, 6 Nov 2024 13:11:27 +0100
Subject: [PATCH 17/22] Guard `target_feature` to `cfg(not(hax))`

---
 .../src/ml_dsa_generic/instantiations/avx2.rs | 14 +++++------
 libcrux-ml-dsa/src/simd/avx2/ntt.rs           | 18 +++++++-------
 .../src/ind_cca/instantiations/avx2.rs        | 24 +++++++++----------
 libcrux-sha3/src/simd/avx2.rs                 | 22 ++++++++---------
 4 files changed, 39 insertions(+), 39 deletions(-)

diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
index 40111939b..6f3a754a2 100644
--- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
+++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
@@ -9,7 +9,7 @@ mod avx2_feature {
     use super::*;
 
     /// Generate key pair.
-    #[target_feature(enable = "avx2")]
+    #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
     pub(super) unsafe fn generate_key_pair<
         const ROWS_IN_A: usize,
@@ -36,7 +36,7 @@ mod avx2_feature {
     }
 
     /// Sign.
-    #[target_feature(enable = "avx2")]
+    #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
     pub(super) unsafe fn sign<
         const ROWS_IN_A: usize,
@@ -83,7 +83,7 @@ mod avx2_feature {
 
     /// Sign (internal API)
     #[cfg(feature = "acvp")]
-    #[target_feature(enable = "avx2")]
+    #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
     pub(super) unsafe fn sign_internal<
         const ROWS_IN_A: usize,
@@ -128,7 +128,7 @@ mod avx2_feature {
     }
 
     /// Sign (pre-hashed).
-    #[target_feature(enable = "avx2")]
+    #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
     pub(super) unsafe fn sign_pre_hashed_shake128<
         const ROWS_IN_A: usize,
@@ -176,7 +176,7 @@ mod avx2_feature {
     }
 
     /// Verify.
-    #[target_feature(enable = "avx2")]
+    #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
     pub(super) unsafe fn verify<
         const ROWS_IN_A: usize,
@@ -220,7 +220,7 @@ mod avx2_feature {
 
     /// Verify (internal API).
     #[cfg(feature = "acvp")]
-    #[target_feature(enable = "avx2")]
+    #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
     pub(super) unsafe fn verify_internal<
         const ROWS_IN_A: usize,
@@ -262,7 +262,7 @@ mod avx2_feature {
     }
 
     /// Verify (pre-hashed with SHAKE-128).
-    #[target_feature(enable = "avx2")]
+    #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
     pub(super) unsafe fn verify_pre_hashed_shake128<
         const ROWS_IN_A: usize,
diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
index b764e6178..732d6ba55 100644
--- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
@@ -100,7 +100,7 @@ fn butterfly_8(a: Vec256, b: Vec256, zeta0: i32, zeta1: i32) -> (Vec256, Vec256)
     (a_out, b_out)
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 pub(super) unsafe fn invert_ntt_at_layer_0(
     simd_unit: Vec256,
@@ -122,7 +122,7 @@ pub(super) unsafe fn invert_ntt_at_layer_0(
     mm256_blend_epi32::<0b1_0_1_0_1_0_1_0>(sums, products)
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     macro_rules! round {
@@ -162,7 +162,7 @@ unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     round!(30, -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782);
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 pub(super) unsafe fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec256 {
     let zetas = mm256_set_epi32(zeta1, zeta1, 0, 0, zeta0, zeta0, 0, 0);
@@ -178,7 +178,7 @@ pub(super) unsafe fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1:
     mm256_blend_epi32::<0b1_1_0_0_1_1_0_0>(sums, products)
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     macro_rules! round {
@@ -207,7 +207,7 @@ unsafe fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     round!(30, -3019102, -3881060, -3628969, 3839961);
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 pub(super) unsafe fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 {
     let zetas = mm256_set_epi32(zeta, zeta, zeta, zeta, 0, 0, 0, 0);
@@ -223,7 +223,7 @@ pub(super) unsafe fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec2
     mm256_blend_epi32::<0b1_1_1_1_0_0_0_0>(sums, products)
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     macro_rules! round {
@@ -256,7 +256,7 @@ unsafe fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
 ///
 /// This does 32 Montgomery multiplications (192 multiplications).
 /// This is the same as in pqclean. The only difference is locality of registers.
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     let field_modulus = mm256_set1_epi32(crate::simd::traits::FIELD_MODULUS);
@@ -317,7 +317,7 @@ unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
 ///
 /// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total
 /// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48)
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     macro_rules! round {
@@ -398,7 +398,7 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     ()
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 pub(crate) unsafe fn ntt(
     mut re: [Vec256; SIMD_UNITS_IN_RING_ELEMENT],
diff --git a/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs b/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs
index afaa606be..9dff8843a 100644
--- a/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs
+++ b/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs
@@ -5,7 +5,7 @@ use crate::{
 
 #[allow(unsafe_code)]
 /// Portable generate key pair.
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 unsafe fn generate_keypair_avx2<
     const K: usize,
     const CPA_PRIVATE_KEY_SIZE: usize,
@@ -58,7 +58,7 @@ pub(crate) fn generate_keypair<
 
 #[allow(unsafe_code)]
 #[cfg(feature = "kyber")]
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 unsafe fn kyber_generate_keypair_avx2<
     const K: usize,
     const CPA_PRIVATE_KEY_SIZE: usize,
@@ -111,7 +111,7 @@ pub(crate) fn kyber_generate_keypair<
 }
 
 #[allow(unsafe_code)]
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 unsafe fn validate_public_key_avx2<
     const K: usize,
     const RANKED_BYTES_PER_RING_ELEMENT: usize,
@@ -141,7 +141,7 @@ pub(crate) fn validate_public_key<
 }
 
 #[allow(unsafe_code)]
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 unsafe fn validate_private_key_avx2<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -174,7 +174,7 @@ pub(crate) fn validate_private_key<
 
 #[allow(unsafe_code)]
 #[cfg(feature = "kyber")]
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 unsafe fn kyber_encapsulate_avx2<
     const K: usize,
     const CIPHERTEXT_SIZE: usize,
@@ -253,7 +253,7 @@ pub(crate) fn kyber_encapsulate<
 }
 
 #[allow(unsafe_code)]
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 unsafe fn encapsulate_avx2<
     const K: usize,
     const CIPHERTEXT_SIZE: usize,
@@ -332,7 +332,7 @@ pub(crate) fn encapsulate<
 
 #[allow(unsafe_code)]
 #[cfg(feature = "kyber")]
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 unsafe fn kyber_decapsulate_avx2<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -423,7 +423,7 @@ pub fn kyber_decapsulate<
 }
 
 #[allow(unsafe_code)]
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 unsafe fn decapsulate_avx2<
     const K: usize,
     const SECRET_KEY_SIZE: usize,
@@ -522,7 +522,7 @@ pub(crate) mod unpacked {
         crate::ind_cca::unpacked::MlKemPublicKeyUnpacked<K, crate::vector::SIMD256Vector>;
 
     /// Get the unpacked public key.
-    #[target_feature(enable = "avx2")]
+    #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
     unsafe fn unpack_public_key_avx2<
         const K: usize,
@@ -565,7 +565,7 @@ pub(crate) mod unpacked {
     }
 
     #[allow(unsafe_code)]
-    #[target_feature(enable = "avx2")]
+    #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     unsafe fn generate_keypair_avx2<
         const K: usize,
         const CPA_PRIVATE_KEY_SIZE: usize,
@@ -620,7 +620,7 @@ pub(crate) mod unpacked {
     }
 
     #[allow(unsafe_code)]
-    #[target_feature(enable = "avx2")]
+    #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     unsafe fn encapsulate_avx2<
         const K: usize,
         const CIPHERTEXT_SIZE: usize,
@@ -697,7 +697,7 @@ pub(crate) mod unpacked {
         }
     }
 
-    #[target_feature(enable = "avx2")]
+    #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
     #[allow(unsafe_code)]
     unsafe fn decapsulate_avx2<
         const K: usize,
diff --git a/libcrux-sha3/src/simd/avx2.rs b/libcrux-sha3/src/simd/avx2.rs
index f957fe115..5ccfc10ef 100644
--- a/libcrux-sha3/src/simd/avx2.rs
+++ b/libcrux-sha3/src/simd/avx2.rs
@@ -1,7 +1,7 @@
 use crate::traits::internal::*;
 use libcrux_intrinsics::avx2::*;
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn rotate_left<const LEFT: i32, const RIGHT: i32>(x: Vec256) -> Vec256 {
     debug_assert!(LEFT + RIGHT == 64);
@@ -9,7 +9,7 @@ unsafe fn rotate_left<const LEFT: i32, const RIGHT: i32>(x: Vec256) -> Vec256 {
     mm256_xor_si256(mm256_slli_epi64::<LEFT>(x), mm256_srli_epi64::<RIGHT>(x))
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn _veor5q_u64(a: Vec256, b: Vec256, c: Vec256, d: Vec256, e: Vec256) -> Vec256 {
     let ab = mm256_xor_si256(a, b);
@@ -18,26 +18,26 @@ unsafe fn _veor5q_u64(a: Vec256, b: Vec256, c: Vec256, d: Vec256, e: Vec256) ->
     mm256_xor_si256(abcd, e)
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn _vrax1q_u64(a: Vec256, b: Vec256) -> Vec256 {
     mm256_xor_si256(a, rotate_left::<1, 63>(b))
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn _vxarq_u64<const LEFT: i32, const RIGHT: i32>(a: Vec256, b: Vec256) -> Vec256 {
     let ab = mm256_xor_si256(a, b);
     rotate_left::<LEFT, RIGHT>(ab)
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn _vbcaxq_u64(a: Vec256, b: Vec256, c: Vec256) -> Vec256 {
     mm256_xor_si256(a, mm256_andnot_si256(c, b))
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn _veorq_n_u64(a: Vec256, c: u64) -> Vec256 {
     // Casting here is required, doesn't change the value.
@@ -45,13 +45,13 @@ unsafe fn _veorq_n_u64(a: Vec256, c: u64) -> Vec256 {
     mm256_xor_si256(a, c)
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn xor(a: Vec256, b: Vec256) -> Vec256 {
     mm256_xor_si256(a, b)
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn load_block<const RATE: usize>(s: &mut [[Vec256; 5]; 5], blocks: [&[u8]; 4]) {
     debug_assert!(RATE <= blocks[0].len() && RATE % 8 == 0 && (RATE % 32 == 8 || RATE % 32 == 16));
@@ -120,7 +120,7 @@ pub(crate) fn load_block_full<const RATE: usize>(s: &mut [[Vec256; 5]; 5], block
     };
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn store_block<const RATE: usize>(s: &[[Vec256; 5]; 5], out: [&mut [u8]; 4]) {
     for i in 0..RATE / 32 {
@@ -186,7 +186,7 @@ pub(crate) fn store_block_full<const RATE: usize>(s: &[[Vec256; 5]; 5]) -> [[u8;
     [out0, out1, out2, out3]
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
     [
@@ -197,7 +197,7 @@ unsafe fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
     ]
 }
 
-#[target_feature(enable = "avx2")]
+#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn split_at_mut_4(out: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) {
     let [out0, out1, out2, out3] = out;

From 0dccff59c1c60cd71fb0bad292effda9681aa730 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Wed, 6 Nov 2024 13:12:54 +0100
Subject: [PATCH 18/22] Update F*

---
 .../Libcrux_ml_dsa.Ml_dsa_generic.fst         | 24 +++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
index 95d331653..878dd2cb5 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
@@ -543,7 +543,11 @@ let sign
         <:
         Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness
   | Core.Result.Result_Err err ->
-    Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err)
+    Core.Result.Result_Err
+    (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError
+        #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+        #FStar.Tactics.Typeclasses.solve
+        err)
     <:
     Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
       Libcrux_ml_dsa.Types.t_SigningError
@@ -604,7 +608,11 @@ let sign_pre_hashed
           <:
           Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness
     | Core.Result.Result_Err err ->
-      Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err)
+      Core.Result.Result_Err
+      (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError
+          #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+          #FStar.Tactics.Typeclasses.solve
+          err)
       <:
       Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE)
         Libcrux_ml_dsa.Types.t_SigningError
@@ -798,7 +806,11 @@ let verify
         <:
         Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized
   | Core.Result.Result_Err err ->
-    Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err)
+    Core.Result.Result_Err
+    (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError
+        #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+        #FStar.Tactics.Typeclasses.solve
+        err)
     <:
     Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
 
@@ -847,7 +859,11 @@ let verify_pre_hashed
         <:
         Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized
   | Core.Result.Result_Err err ->
-    Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err)
+    Core.Result.Result_Err
+    (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError
+        #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+        #FStar.Tactics.Typeclasses.solve
+        err)
     <:
     Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
 

From 11b5102a597fe52128ee3f1db18869141a4a5cc2 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch <jonas@cryspen.com>
Date: Wed, 6 Nov 2024 14:29:56 +0100
Subject: [PATCH 19/22] Use local functions in favor of macros to help F*

---
 .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst   | 1971 ++---------
 .../fstar/extraction/Libcrux_ml_dsa.Ntt.fsti  |   30 +
 .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst          | 3067 +++--------------
 .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti         |   30 +
 .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst      | 1023 +-----
 .../Libcrux_ml_dsa.Simd.Portable.Ntt.fsti     |   24 +
 libcrux-ml-dsa/src/ntt.rs                     |  249 +-
 libcrux-ml-dsa/src/simd/avx2/ntt.rs           |  374 +-
 libcrux-ml-dsa/src/simd/portable/ntt.rs       |  225 +-
 9 files changed, 1382 insertions(+), 5611 deletions(-)

diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst
index f0e0c4d22..25a5d7d91 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst
@@ -9,12 +9,14 @@ let _ =
   let open Libcrux_ml_dsa.Simd.Traits in
   ()
 
-let invert_ntt_at_layer_0_
+let invert_ntt_at_layer_0___round
       (#v_SIMDUnit: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      (index: usize)
+      (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32)
      =
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
     {
@@ -23,314 +25,184 @@ let invert_ntt_at_layer_0_
       =
       Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
           .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 0)
+        index
         (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
             #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit)
-            1976782l
-            (-846154l)
-            1400424l
-            3937738l
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ index ] <: v_SIMDUnit)
+            zeta_0_
+            zeta_1_
+            zeta_2_
+            zeta_3_
           <:
           v_SIMDUnit)
     }
     <:
     Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
   in
+  re
+
+let invert_ntt_at_layer_0_
+      (#v_SIMDUnit: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+     =
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 1)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit)
-            (-1362209l)
-            (-48306l)
-            3919660l
-            (-554416l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 0) 1976782l (-846154l) 1400424l 3937738l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 2)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit)
-            (-3545687l)
-            1612842l
-            (-976891l)
-            183443l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 1) (-1362209l) (-48306l) 3919660l (-554416l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 3)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit)
-            (-2286327l)
-            (-420899l)
-            (-2235985l)
-            (-2939036l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 2) (-3545687l) 1612842l (-976891l) 183443l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 4)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit)
-            (-3833893l)
-            (-260646l)
-            (-1104333l)
-            (-1667432l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit
+      re
+      (sz 3)
+      (-2286327l)
+      (-420899l)
+      (-2235985l)
+      (-2939036l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 5)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit)
-            1910376l
-            (-1803090l)
-            1723600l
-            (-426683l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit
+      re
+      (sz 4)
+      (-3833893l)
+      (-260646l)
+      (-1104333l)
+      (-1667432l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 6)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit)
-            472078l
-            1717735l
-            (-975884l)
-            2213111l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 5) 1910376l (-1803090l) 1723600l (-426683l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 7)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit)
-            269760l
-            3866901l
-            3523897l
-            (-3038916l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 6) 472078l 1717735l (-975884l) 2213111l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 8)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit)
-            (-1799107l)
-            (-3694233l)
-            1652634l
-            810149l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 7) 269760l 3866901l 3523897l (-3038916l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 9)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit)
-            3014001l
-            1616392l
-            162844l
-            (-3183426l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 8) (-1799107l) (-3694233l) 1652634l 810149l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 10)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit)
-            (-1207385l)
-            185531l
-            3369112l
-            1957272l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 9) 3014001l 1616392l 162844l (-3183426l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 11)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit)
-            (-164721l)
-            2454455l
-            2432395l
-            (-2013608l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 10) (-1207385l) 185531l 3369112l 1957272l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 12)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit)
-            (-3776993l)
-            594136l
-            (-3724270l)
-            (-2584293l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 11) (-164721l) 2454455l 2432395l (-2013608l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 13)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit)
-            (-1846953l)
-            (-1671176l)
-            (-2831860l)
-            (-542412l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 12) (-3776993l) 594136l (-3724270l) (-2584293l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 14)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit)
-            3406031l
-            2235880l
-            777191l
-            1500165l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_0___round #v_SIMDUnit
+      re
+      (sz 13)
+      (-1846953l)
+      (-1671176l)
+      (-2831860l)
+      (-542412l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 14) 3406031l 2235880l 777191l 1500165l
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit
+      re
+      (sz 15)
+      (-1374803l)
+      (-2546312l)
+      1917081l
+      (-1279661l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 16) (-1962642l) 3306115l 1312455l (-451100l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit
+      re
+      (sz 17)
+      (-1430225l)
+      (-3318210l)
+      1237275l
+      (-1333058l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 18) (-1050970l) 1903435l 1869119l (-2994039l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 19) (-3548272l) 2635921l 1250494l (-3767016l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 20) 1595974l 2486353l 1247620l 4055324l
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 21) 1265009l (-2590150l) 2691481l 2842341l
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 22) 203044l 1735879l (-3342277l) 3437287l
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 23) 4108315l (-2437823l) 286988l 342297l
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit
+      re
+      (sz 24)
+      (-3595838l)
+      (-768622l)
+      (-525098l)
+      (-3556995l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 25) 3207046l 2031748l (-3122442l) (-655327l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 26) (-522500l) (-43260l) (-1613174l) 495491l
   in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 27) 819034l 909542l 1859098l 900702l
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit
+      re
+      (sz 28)
+      (-3193378l)
+      (-1197226l)
+      (-3759364l)
+      (-3520352l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 29) 3513181l (-1235728l) 2434439l 266997l
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit
+      re
+      (sz 30)
+      (-3562462l)
+      (-2446433l)
+      2244091l
+      (-3342478l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 31) 3817976l 2316500l 3407706l 2091667l
+  in
+  re
+
+let invert_ntt_at_layer_1___round
+      (#v_SIMDUnit: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      (index: usize)
+      (zeta_0_ zeta_1_: i32)
+     =
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
     {
       re with
@@ -338,364 +210,133 @@ let invert_ntt_at_layer_0_
       =
       Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
           .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 15)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
+        index
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
             #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit)
-            (-1374803l)
-            (-2546312l)
-            1917081l
-            (-1279661l)
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ index ] <: v_SIMDUnit)
+            zeta_0_
+            zeta_1_
           <:
           v_SIMDUnit)
     }
     <:
     Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
   in
+  re
+
+let invert_ntt_at_layer_1_
+      (#v_SIMDUnit: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+     =
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 16)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit)
-            (-1962642l)
-            3306115l
-            1312455l
-            (-451100l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 0) 3839961l (-3628969l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 17)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit)
-            (-1430225l)
-            (-3318210l)
-            1237275l
-            (-1333058l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 1) (-3881060l) (-3019102l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 18)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit)
-            (-1050970l)
-            1903435l
-            1869119l
-            (-2994039l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 2) (-1439742l) (-812732l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 19)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit)
-            (-3548272l)
-            2635921l
-            1250494l
-            (-3767016l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 3) (-1584928l) 1285669l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 20)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit)
-            1595974l
-            2486353l
-            1247620l
-            4055324l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 4) 1341330l 1315589l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 21)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit)
-            1265009l
-            (-2590150l)
-            2691481l
-            2842341l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 5) (-177440l) (-2409325l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 22)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit)
-            203044l
-            1735879l
-            (-3342277l)
-            3437287l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 6) (-1851402l) 3159746l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 23)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit)
-            4108315l
-            (-2437823l)
-            286988l
-            342297l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 7) (-3553272l) 189548l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 24)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit)
-            (-3595838l)
-            (-768622l)
-            (-525098l)
-            (-3556995l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 8) (-1316856l) 759969l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 25)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit)
-            3207046l
-            2031748l
-            (-3122442l)
-            (-655327l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 9) (-210977l) 2389356l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 26)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit)
-            (-522500l)
-            (-43260l)
-            (-1613174l)
-            495491l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 10) (-3249728l) 1653064l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 27)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit)
-            819034l
-            909542l
-            1859098l
-            900702l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 11) (-8578l) (-3724342l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 28)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit)
-            (-3193378l)
-            (-1197226l)
-            (-3759364l)
-            (-3520352l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 12) 3958618l 904516l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 29)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit)
-            3513181l
-            (-1235728l)
-            2434439l
-            266997l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 13) (-1100098l) 44288l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 30)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit)
-            (-3562462l)
-            (-2446433l)
-            2244091l
-            (-3342478l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 14) 3097992l 508951l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 31)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit)
-            3817976l
-            2316500l
-            3407706l
-            2091667l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 15) 264944l (-3343383l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 16) (-1430430l) 1852771l
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 17) 1349076l (-381987l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 18) (-1308169l) (-22981l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 19) (-1228525l) (-671102l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 20) (-2477047l) (-411027l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 21) (-3693493l) (-2967645l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 22) 2715295l 2147896l
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 23) (-983419l) 3412210l
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 24) 126922l (-3632928l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 25) (-3157330l) (-3190144l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 26) (-1000202l) (-4083598l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 27) 1939314l (-1257611l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 28) (-1585221l) 2176455l
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 29) 3475950l (-1452451l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 30) (-3041255l) (-3677745l)
+  in
+  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+    invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 31) (-1528703l) (-3930395l)
   in
   re
 
-let invert_ntt_at_layer_1_
+let invert_ntt_at_layer_2___round
       (#v_SIMDUnit: Type0)
       (#[FStar.Tactics.Typeclasses.tcresolve ()]
           i1:
           Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
       (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      (index: usize)
+      (zeta: i32)
      =
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
     {
@@ -704,1191 +345,121 @@ let invert_ntt_at_layer_1_
       =
       Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
           .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 0)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
+        index
+        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
             #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit)
-            3839961l
-            (-3628969l)
+            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ index ] <: v_SIMDUnit)
+            zeta
           <:
           v_SIMDUnit)
     }
     <:
     Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
   in
+  re
+
+let invert_ntt_at_layer_2_
+      (#v_SIMDUnit: Type0)
+      (#[FStar.Tactics.Typeclasses.tcresolve ()]
+          i1:
+          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+     =
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 1)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit)
-            (-3881060l)
-            (-3019102l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 0) (-2797779l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 2)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit)
-            (-1439742l)
-            (-812732l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 1) 2071892l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 3)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit)
-            (-1584928l)
-            1285669l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 2) (-2556880l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 4)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit)
-            1341330l
-            1315589l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 3) 3900724l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 5)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit)
-            (-177440l)
-            (-2409325l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 4) 3881043l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 6)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit)
-            (-1851402l)
-            3159746l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 5) 954230l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 7)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit)
-            (-3553272l)
-            189548l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 6) 531354l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 8)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit)
-            (-1316856l)
-            759969l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 7) 811944l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 9)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit)
-            (-210977l)
-            2389356l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 8) 3699596l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 10)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit)
-            (-3249728l)
-            1653064l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 9) (-1600420l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 11)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit)
-            (-8578l)
-            (-3724342l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 10) (-2140649l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 12)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit)
-            3958618l
-            904516l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 11) 3507263l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 13)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit)
-            (-1100098l)
-            44288l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 12) (-3821735l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 14)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit)
-            3097992l
-            508951l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 13) 3505694l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 15)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit)
-            264944l
-            (-3343383l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 14) (-1643818l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 16)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit)
-            (-1430430l)
-            1852771l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 15) (-1699267l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 17)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit)
-            1349076l
-            (-381987l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 16) (-539299l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 18)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit)
-            (-1308169l)
-            (-22981l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 17) 2348700l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 19)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit)
-            (-1228525l)
-            (-671102l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 18) (-300467l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 20)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit)
-            (-2477047l)
-            (-411027l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 19) 3539968l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 21)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit)
-            (-3693493l)
-            (-2967645l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 22)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit)
-            2715295l
-            2147896l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 23)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit)
-            (-983419l)
-            3412210l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 24)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit)
-            126922l
-            (-3632928l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 25)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit)
-            (-3157330l)
-            (-3190144l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 26)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit)
-            (-1000202l)
-            (-4083598l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 27)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit)
-            1939314l
-            (-1257611l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 28)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit)
-            (-1585221l)
-            2176455l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 29)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit)
-            3475950l
-            (-1452451l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 30)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit)
-            (-3041255l)
-            (-3677745l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 31)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit)
-            (-1528703l)
-            (-3930395l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  re
-
-let invert_ntt_at_layer_2_
-      (#v_SIMDUnit: Type0)
-      (#[FStar.Tactics.Typeclasses.tcresolve ()]
-          i1:
-          Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
-      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
-     =
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 0)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit)
-            (-2797779l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 1)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit)
-            2071892l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 2)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit)
-            (-2556880l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 3)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit)
-            3900724l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 4)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit)
-            3881043l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 5)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit)
-            954230l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 6)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit)
-            531354l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 7)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit)
-            811944l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 8)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit)
-            3699596l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 9)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit)
-            (-1600420l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 10)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit)
-            (-2140649l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 11)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit)
-            3507263l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 12)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit)
-            (-3821735l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 13)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit)
-            3505694l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 14)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit)
-            (-1643818l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 15)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit)
-            (-1699267l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 16)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit)
-            (-539299l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 17)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit)
-            2348700l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 18)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit)
-            (-300467l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 19)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit)
-            3539968l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
-  in
-  let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 20)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit)
-            (-2867647l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 20) (-2867647l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 21)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit)
-            3574422l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 21) 3574422l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 22)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit)
-            (-3043716l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 22) (-3043716l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 23)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit)
-            (-3861115l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 23) (-3861115l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 24)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit)
-            3915439l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 24) 3915439l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 25)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit)
-            (-2537516l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 25) (-2537516l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 26)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit)
-            (-3592148l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 26) (-3592148l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 27)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit)
-            (-1661693l)
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 27) (-1661693l)
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 28)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit)
-            3530437l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 28) 3530437l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 29)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit)
-            3077325l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 29) 3077325l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 30)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit)
-            95776l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 30) 95776l
   in
   let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
-    {
-      re with
-      Libcrux_ml_dsa.Polynomial.f_simd_units
-      =
-      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-          .Libcrux_ml_dsa.Polynomial.f_simd_units
-        (sz 31)
-        (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit
-            #FStar.Tactics.Typeclasses.solve
-            (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit)
-            2706023l
-          <:
-          v_SIMDUnit)
-    }
-    <:
-    Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit
+    invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 31) 2706023l
   in
   re
 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti
index ed4cbfb4e..15b336a66 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti
@@ -29,6 +29,16 @@ let invert_ntt_at_layer_7___STEP: usize = sz 128
 
 let invert_ntt_at_layer_7___STEP_BY: usize = sz 16
 
+val invert_ntt_at_layer_0___round
+      (#v_SIMDUnit: Type0)
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      (index: usize)
+      (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32)
+    : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 val invert_ntt_at_layer_0_
       (#v_SIMDUnit: Type0)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
@@ -37,6 +47,16 @@ val invert_ntt_at_layer_0_
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+val invert_ntt_at_layer_1___round
+      (#v_SIMDUnit: Type0)
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      (index: usize)
+      (zeta_0_ zeta_1_: i32)
+    : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 val invert_ntt_at_layer_1_
       (#v_SIMDUnit: Type0)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
@@ -45,6 +65,16 @@ val invert_ntt_at_layer_1_
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+val invert_ntt_at_layer_2___round
+      (#v_SIMDUnit: Type0)
+      {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+      (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      (index: usize)
+      (zeta: i32)
+    : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 val invert_ntt_at_layer_2_
       (#v_SIMDUnit: Type0)
       {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst
index fb55f5f13..72db9fe4d 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst
@@ -3,6 +3,48 @@ module Libcrux_ml_dsa.Simd.Avx2.Ntt
 open Core
 open FStar.Mul
 
+let ntt_at_layer_7_and_6___mul
+      (re: t_Array u8 (sz 32))
+      (index: usize)
+      (zeta: u8)
+      (step_by: usize)
+      (field_modulus inverse_of_modulus_mod_montgomery_r: u8)
+     =
+  let prod02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ index +! step_by <: usize ] <: u8) zeta
+  in
+  let prod13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+          245l
+          (re.[ index +! step_by <: usize ] <: u8)
+        <:
+        u8)
+      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta <: u8)
+  in
+  let k02:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+  in
+  let k13:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+  in
+  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
+  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
+  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
+  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
+  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
+  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      (index +! step_by <: usize)
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ index ] <: u8) t <: u8)
+  in
+  let re:t_Array u8 (sz 32) =
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+      index
+      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ index ] <: u8) t <: u8)
+  in
+  re
+
 let butterfly_2_ (a b: u8) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) =
   let a_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a in
   let b_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b in
@@ -121,2743 +163,487 @@ let invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) =
   let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in
   Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 240l sums products
 
-let ntt_at_layer_0_ (re: t_Array u8 (sz 32)) =
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 0 ] <: u8) (re.[ sz 0 +! sz 1 <: usize ] <: u8) 2091667l 3407706l 2316500l
-      3817976l (-3342478l) 2244091l (-2446433l) (-3562462l)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 2 ] <: u8) (re.[ sz 2 +! sz 1 <: usize ] <: u8) 266997l 2434439l
-      (-1235728l) 3513181l (-3520352l) (-3759364l) (-1197226l) (-3193378l)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 4 ] <: u8) (re.[ sz 4 +! sz 1 <: usize ] <: u8) 900702l 1859098l 909542l
-      819034l 495491l (-1613174l) (-43260l) (-522500l)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 6 ] <: u8) (re.[ sz 6 +! sz 1 <: usize ] <: u8) (-655327l) (-3122442l)
-      2031748l 3207046l (-3556995l) (-525098l) (-768622l) (-3595838l)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 8 ] <: u8) (re.[ sz 8 +! sz 1 <: usize ] <: u8) 342297l 286988l
-      (-2437823l) 4108315l 3437287l (-3342277l) 1735879l 203044l
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 10 ] <: u8) (re.[ sz 10 +! sz 1 <: usize ] <: u8) 2842341l 2691481l
-      (-2590150l) 1265009l 4055324l 1247620l 2486353l 1595974l
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b
-  in
+let ntt_at_layer_0___round
+      (re: t_Array u8 (sz 32))
+      (index: usize)
+      (zeta_0_ zeta_1_ zeta_2_ zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_: i32)
+     =
   let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 12 ] <: u8) (re.[ sz 12 +! sz 1 <: usize ] <: u8) (-3767016l) 1250494l
-      2635921l (-3548272l) (-2994039l) 1869119l 1903435l (-1050970l)
+    butterfly_2_ (re.[ index ] <: u8) (re.[ index +! sz 1 <: usize ] <: u8) zeta_0_ zeta_1_ zeta_2_
+      zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 14 ] <: u8) (re.[ sz 14 +! sz 1 <: usize ] <: u8) (-1333058l) 1237275l
-      (-3318210l) (-1430225l) (-451100l) 1312455l 3306115l (-1962642l)
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b
   in
+  re
+
+let ntt_at_layer_0_ (re: t_Array u8 (sz 32)) =
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a
+    ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l (-3342478l) 2244091l
+      (-2446433l) (-3562462l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 16 ] <: u8) (re.[ sz 16 +! sz 1 <: usize ] <: u8) (-1279661l) 1917081l
-      (-2546312l) (-1374803l) 1500165l 777191l 2235880l 3406031l
+    ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l (-3520352l) (-3759364l)
+      (-1197226l) (-3193378l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a
+    ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l 495491l (-1613174l) (-43260l)
+      (-522500l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 18 ] <: u8) (re.[ sz 18 +! sz 1 <: usize ] <: u8) (-542412l) (-2831860l)
-      (-1671176l) (-1846953l) (-2584293l) (-3724270l) 594136l (-3776993l)
+    ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l (-3556995l) (-525098l)
+      (-768622l) (-3595838l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a
+    ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l 3437287l (-3342277l)
+      1735879l 203044l
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 20 ] <: u8) (re.[ sz 20 +! sz 1 <: usize ] <: u8) (-2013608l) 2432395l
-      2454455l (-164721l) 1957272l 3369112l 185531l (-1207385l)
+    ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l 4055324l 1247620l
+      2486353l 1595974l
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a
+    ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) (-2994039l) 1869119l
+      1903435l (-1050970l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 22 ] <: u8) (re.[ sz 22 +! sz 1 <: usize ] <: u8) (-3183426l) 162844l
-      1616392l 3014001l 810149l 1652634l (-3694233l) (-1799107l)
+    ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) (-451100l)
+      1312455l 3306115l (-1962642l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a
+    ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) 1500165l 777191l
+      2235880l 3406031l
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 24 ] <: u8) (re.[ sz 24 +! sz 1 <: usize ] <: u8) (-3038916l) 3523897l
-      3866901l 269760l 2213111l (-975884l) 1717735l 472078l
+    ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) (-2584293l)
+      (-3724270l) 594136l (-3776993l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a
+    ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) 1957272l 3369112l
+      185531l (-1207385l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 26 ] <: u8) (re.[ sz 26 +! sz 1 <: usize ] <: u8) (-426683l) 1723600l
-      (-1803090l) 1910376l (-1667432l) (-1104333l) (-260646l) (-3833893l)
+    ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l 810149l 1652634l
+      (-3694233l) (-1799107l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a
+    ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l 2213111l (-975884l)
+      1717735l 472078l
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 28 ] <: u8) (re.[ sz 28 +! sz 1 <: usize ] <: u8) (-2939036l) (-2235985l)
-      (-420899l) (-2286327l) 183443l (-976891l) 1612842l (-3545687l)
+    ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l (-1667432l)
+      (-1104333l) (-260646l) (-3833893l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a
+    ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) 183443l
+      (-976891l) 1612842l (-3545687l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b
+    ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) 3937738l 1400424l
+      (-846154l) 1976782l
   in
+  re
+
+let ntt_at_layer_1___round
+      (re: t_Array u8 (sz 32))
+      (index: usize)
+      (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32)
+     =
   let a, b:(u8 & u8) =
-    butterfly_2_ (re.[ sz 30 ] <: u8) (re.[ sz 30 +! sz 1 <: usize ] <: u8) (-554416l) 3919660l
-      (-48306l) (-1362209l) 3937738l 1400424l (-846154l) 1976782l
+    butterfly_4_ (re.[ index ] <: u8)
+      (re.[ index +! sz 1 <: usize ] <: u8)
+      zeta_0_
+      zeta_1_
+      zeta_2_
+      zeta_3_
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b
   in
   re
 
 let ntt_at_layer_1_ (re: t_Array u8 (sz 32)) =
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 0 ] <: u8)
-      (re.[ sz 0 +! sz 1 <: usize ] <: u8)
-      (-3930395l)
-      (-1528703l)
-      (-3677745l)
-      (-3041255l)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 2 ] <: u8)
-      (re.[ sz 2 +! sz 1 <: usize ] <: u8)
-      (-1452451l)
-      3475950l
-      2176455l
-      (-1585221l)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a
-  in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 4 ] <: u8)
-      (re.[ sz 4 +! sz 1 <: usize ] <: u8)
-      (-1257611l)
-      1939314l
-      (-4083598l)
-      (-1000202l)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 6 ] <: u8)
-      (re.[ sz 6 +! sz 1 <: usize ] <: u8)
-      (-3190144l)
-      (-3157330l)
-      (-3632928l)
-      126922l
+    ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l) (-3677745l) (-3041255l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a
+    ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l 2176455l (-1585221l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 8 ] <: u8)
-      (re.[ sz 8 +! sz 1 <: usize ] <: u8)
-      3412210l
-      (-983419l)
-      2147896l
-      2715295l
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a
+    ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l (-4083598l) (-1000202l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 10 ] <: u8)
-      (re.[ sz 10 +! sz 1 <: usize ] <: u8)
-      (-2967645l)
-      (-3693493l)
-      (-411027l)
-      (-2477047l)
+    ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l) (-3632928l) 126922l
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a
+    ntt_at_layer_1___round re (sz 8) 3412210l (-983419l) 2147896l 2715295l
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 12 ] <: u8)
-      (re.[ sz 12 +! sz 1 <: usize ] <: u8)
-      (-671102l)
-      (-1228525l)
-      (-22981l)
-      (-1308169l)
+    ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l) (-411027l) (-2477047l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a
+    ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l) (-22981l) (-1308169l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 14 ] <: u8)
-      (re.[ sz 14 +! sz 1 <: usize ] <: u8)
-      (-381987l)
-      1349076l
-      1852771l
-      (-1430430l)
+    ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l 1852771l (-1430430l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a
+    ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l 508951l 3097992l
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 16 ] <: u8)
-      (re.[ sz 16 +! sz 1 <: usize ] <: u8)
-      (-3343383l)
-      264944l
-      508951l
-      3097992l
+    ntt_at_layer_1___round re (sz 18) 44288l (-1100098l) 904516l 3958618l
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a
+    ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l) 1653064l (-3249728l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 18 ] <: u8)
-      (re.[ sz 18 +! sz 1 <: usize ] <: u8)
-      44288l
-      (-1100098l)
-      904516l
-      3958618l
+    ntt_at_layer_1___round re (sz 22) 2389356l (-210977l) 759969l (-1316856l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a
+    ntt_at_layer_1___round re (sz 24) 189548l (-3553272l) 3159746l (-1851402l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 20 ] <: u8)
-      (re.[ sz 20 +! sz 1 <: usize ] <: u8)
-      (-3724342l)
-      (-8578l)
-      1653064l
-      (-3249728l)
+    ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l) 1315589l 1341330l
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a
+    ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l) (-812732l) (-1439742l)
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b
+    ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l) (-3628969l) 3839961l
   in
+  re
+
+let ntt_at_layer_2___round (re: t_Array u8 (sz 32)) (index: usize) (zeta_0_ zeta_1_: i32) =
   let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 22 ] <: u8)
-      (re.[ sz 22 +! sz 1 <: usize ] <: u8)
-      2389356l
-      (-210977l)
-      759969l
-      (-1316856l)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a
+    butterfly_8_ (re.[ index ] <: u8) (re.[ index +! sz 1 <: usize ] <: u8) zeta_0_ zeta_1_
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 24 ] <: u8)
-      (re.[ sz 24 +! sz 1 <: usize ] <: u8)
-      189548l
-      (-3553272l)
-      3159746l
-      (-1851402l)
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b
   in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b
+  re
+
+let ntt_at_layer_2_ (re: t_Array u8 (sz 32)) =
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 0) 2706023l 95776l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 2) 3077325l 3530437l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 4) (-1661693l) (-3592148l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 6) (-2537516l) 3915439l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 8) (-3861115l) (-3043716l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 10) 3574422l (-2867647l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 12) 3539968l (-300467l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 14) 2348700l (-539299l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 16) (-1699267l) (-1643818l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 18) 3505694l (-3821735l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 20) 3507263l (-2140649l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 22) (-1600420l) 3699596l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 24) 811944l 531354l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 26) 954230l 3881043l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 28) 3900724l (-2556880l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 30) 2071892l (-2797779l) in
+  re
+
+let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
+  let field_modulus:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
   in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 26 ] <: u8)
-      (re.[ sz 26 +! sz 1 <: usize ] <: u8)
-      (-2409325l)
-      (-177440l)
-      1315589l
-      1341330l
+  let inverse_of_modulus_mod_montgomery_r:u8 =
+    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
+            <:
+            u64)
+        <:
+        i32)
   in
+  let zeta7:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 25847l in
+  let zeta60:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2608894l) in
+  let zeta61:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-518909l) in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 0)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 28 ] <: u8)
-      (re.[ sz 28 +! sz 1 <: usize ] <: u8)
-      1285669l
-      (-1584928l)
-      (-812732l)
-      (-1439742l)
+    ntt_at_layer_7_and_6___mul re
+      (sz 0 +! sz 1 <: usize)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 0 +! sz 2 <: usize)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_4_ (re.[ sz 30 ] <: u8)
-      (re.[ sz 30 +! sz 1 <: usize ] <: u8)
-      (-3019102l)
-      (-3881060l)
-      (-3628969l)
-      3839961l
+    ntt_at_layer_7_and_6___mul re
+      (sz 0 +! sz 3 <: usize)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
+  let _:Prims.unit = () in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 8)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b
-  in
-  re
-
-let ntt_at_layer_2_ (re: t_Array u8 (sz 32)) =
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 0 ] <: u8) (re.[ sz 0 +! sz 1 <: usize ] <: u8) 2706023l 95776l
+    ntt_at_layer_7_and_6___mul re
+      (sz 8 +! sz 1 <: usize)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 8 +! sz 2 <: usize)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 2 ] <: u8) (re.[ sz 2 +! sz 1 <: usize ] <: u8) 3077325l 3530437l
+    ntt_at_layer_7_and_6___mul re
+      (sz 8 +! sz 3 <: usize)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
+  let _:Prims.unit = () in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 0)
+      zeta60
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 4 ] <: u8) (re.[ sz 4 +! sz 1 <: usize ] <: u8) (-1661693l) (-3592148l)
+    ntt_at_layer_7_and_6___mul re
+      (sz 0 +! sz 1 <: usize)
+      zeta60
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 0 +! sz 2 <: usize)
+      zeta60
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 6 ] <: u8) (re.[ sz 6 +! sz 1 <: usize ] <: u8) (-2537516l) 3915439l
+    ntt_at_layer_7_and_6___mul re
+      (sz 0 +! sz 3 <: usize)
+      zeta60
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
+  let _:Prims.unit = () in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 16)
+      zeta61
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 8 ] <: u8) (re.[ sz 8 +! sz 1 <: usize ] <: u8) (-3861115l) (-3043716l)
+    ntt_at_layer_7_and_6___mul re
+      (sz 16 +! sz 1 <: usize)
+      zeta61
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 16 +! sz 2 <: usize)
+      zeta61
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 10 ] <: u8) (re.[ sz 10 +! sz 1 <: usize ] <: u8) 3574422l (-2867647l)
+    ntt_at_layer_7_and_6___mul re
+      (sz 16 +! sz 3 <: usize)
+      zeta61
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
+  let _:Prims.unit = () in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 4)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 12 ] <: u8) (re.[ sz 12 +! sz 1 <: usize ] <: u8) 3539968l (-300467l)
+    ntt_at_layer_7_and_6___mul re
+      (sz 4 +! sz 1 <: usize)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 4 +! sz 2 <: usize)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 14 ] <: u8) (re.[ sz 14 +! sz 1 <: usize ] <: u8) 2348700l (-539299l)
+    ntt_at_layer_7_and_6___mul re
+      (sz 4 +! sz 3 <: usize)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
+  let _:Prims.unit = () in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 12)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 16 ] <: u8) (re.[ sz 16 +! sz 1 <: usize ] <: u8) (-1699267l) (-1643818l)
+    ntt_at_layer_7_and_6___mul re
+      (sz 12 +! sz 1 <: usize)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 12 +! sz 2 <: usize)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 18 ] <: u8) (re.[ sz 18 +! sz 1 <: usize ] <: u8) 3505694l (-3821735l)
+    ntt_at_layer_7_and_6___mul re
+      (sz 12 +! sz 3 <: usize)
+      zeta7
+      ntt_at_layer_7_and_6___STEP_BY_7_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
+  let _:Prims.unit = () in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 4)
+      zeta60
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 20 ] <: u8) (re.[ sz 20 +! sz 1 <: usize ] <: u8) 3507263l (-2140649l)
+    ntt_at_layer_7_and_6___mul re
+      (sz 4 +! sz 1 <: usize)
+      zeta60
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 4 +! sz 2 <: usize)
+      zeta60
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 22 ] <: u8) (re.[ sz 22 +! sz 1 <: usize ] <: u8) (-1600420l) 3699596l
+    ntt_at_layer_7_and_6___mul re
+      (sz 4 +! sz 3 <: usize)
+      zeta60
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
+  let _:Prims.unit = () in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 20)
+      zeta61
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 24 ] <: u8) (re.[ sz 24 +! sz 1 <: usize ] <: u8) 811944l 531354l
+    ntt_at_layer_7_and_6___mul re
+      (sz 20 +! sz 1 <: usize)
+      zeta61
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a
+    ntt_at_layer_7_and_6___mul re
+      (sz 20 +! sz 2 <: usize)
+      zeta61
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
   let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b
+    ntt_at_layer_7_and_6___mul re
+      (sz 20 +! sz 3 <: usize)
+      zeta61
+      ntt_at_layer_7_and_6___STEP_BY_6_
+      field_modulus
+      inverse_of_modulus_mod_montgomery_r
   in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 26 ] <: u8) (re.[ sz 26 +! sz 1 <: usize ] <: u8) 954230l 3881043l
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 28 ] <: u8) (re.[ sz 28 +! sz 1 <: usize ] <: u8) 3900724l (-2556880l)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b
-  in
-  let a, b:(u8 & u8) =
-    butterfly_8_ (re.[ sz 30 ] <: u8) (re.[ sz 30 +! sz 1 <: usize ] <: u8) 2071892l (-2797779l)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b
-  in
-  re
-
-let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) =
-  let field_modulus:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
-  in
-  let inverse_of_modulus_mod_montgomery_r:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
-            <:
-            u64)
-        <:
-        i32)
-  in
-  let zeta7:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 25847l in
-  let zeta60:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2608894l) in
-  let zeta61:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-518909l) in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 1 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0 +! sz 1 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 2 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0 +! sz 2 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 3 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0 +! sz 3 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let _:Prims.unit = () in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 8 +! ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ sz 8 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 8 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 8)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 1 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 8 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 8 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 8 +! sz 1 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 2 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 8 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 8 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 8 +! sz 2 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 3 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 8 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 8 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 8 +! sz 3 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let _:Prims.unit = () in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta60
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 1 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta60
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0 +! sz 1 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 2 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta60
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0 +! sz 2 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 3 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta60
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0 +! sz 3 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let _:Prims.unit = () in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 16 +! ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta61
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ sz 16 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 16 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 16)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 1 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta61
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 16 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 16 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 16 +! sz 1 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 2 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta61
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 16 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 16 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 16 +! sz 2 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 3 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta61
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 16 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 16 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 16 +! sz 3 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let _:Prims.unit = () in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 1 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4 +! sz 1 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 2 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4 +! sz 2 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 3 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4 +! sz 3 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let _:Prims.unit = () in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 12 +! ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ sz 12 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 12 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 12)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 1 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 12 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 12 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 12 +! sz 1 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 2 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 12 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 12 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 12 +! sz 2 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 3 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_7_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta7
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 12 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 12 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 12 +! sz 3 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let _:Prims.unit = () in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta60
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 1 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta60
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4 +! sz 1 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 2 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta60
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4 +! sz 2 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 3 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta60
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4 +! sz 3 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let _:Prims.unit = () in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 20 +! ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta61
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ sz 20 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 20 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 20)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 1 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta61
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 20 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 20 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 20 +! sz 1 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 1 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 2 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta61
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 20 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 20 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 20 +! sz 2 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 2 <: usize ] <: u8) t <: u8)
-  in
-  let prod02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 3 <: usize) +!
-          ntt_at_layer_7_and_6___STEP_BY_6_
-          <:
-          usize ]
-        <:
-        u8)
-      zeta61
-  in
-  let prod13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
-          245l
-          (re.[ (sz 20 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8)
-        <:
-        u8)
-      (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8)
-  in
-  let k02:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
-  in
-  let k13:u8 =
-    Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
-  in
-  let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in
-  let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in
-  let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in
-  let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in
-  let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in
-  let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      ((sz 20 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 20 +! sz 3 <: usize)
-      (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 3 <: usize ] <: u8) t <: u8)
-  in
-  let _:Prims.unit = () in
-  re
-
-let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) =
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 237124l in
-  let offset:usize =
-    ((sz 0 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-777960l) in
-  let offset:usize =
-    ((sz 1 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-876248l) in
-  let offset:usize =
-    ((sz 2 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 466468l in
-  let offset:usize =
-    ((sz 3 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let _:Prims.unit = () in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1826347l in
-  let offset:usize =
-    ((sz 0 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_1
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2353451l in
-  let offset:usize =
-    ((sz 1 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_1
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-359251l) in
-  let offset:usize =
-    ((sz 2 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_1
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2091905l) in
-  let offset:usize =
-    ((sz 3 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_1
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3119733l in
-  let offset:usize =
-    ((sz 4 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_1
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2884855l) in
-  let offset:usize =
-    ((sz 5 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_1
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3111497l in
-  let offset:usize =
-    ((sz 6 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_1
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2680103l in
-  let offset:usize =
-    ((sz 7 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_1
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let _:Prims.unit = () in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2725464l in
-  let offset:usize =
-    ((sz 0 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1024112l in
-  let offset:usize =
-    ((sz 1 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1079900l) in
-  let offset:usize =
-    ((sz 2 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3585928l in
-  let offset:usize =
-    ((sz 3 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-549488l) in
-  let offset:usize =
-    ((sz 4 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1119584l) in
-  let offset:usize =
-    ((sz 5 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2619752l in
-  let offset:usize =
-    ((sz 6 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2108549l) in
-  let offset:usize =
-    ((sz 7 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2118186l) in
-  let offset:usize =
-    ((sz 8 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-3859737l) in
-  let offset:usize =
-    ((sz 9 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1399561l) in
-  let offset:usize =
-    ((sz 10 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-3277672l) in
-  let offset:usize =
-    ((sz 11 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1757237l in
-  let offset:usize =
-    ((sz 12 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-19422l) in
-  let offset:usize =
-    ((sz 13 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+  let _:Prims.unit = () in
+  re
+
+let ntt_at_layer_5_to_3___round
+      (v_STEP v_STEP_BY: usize)
+      (re: t_Array u8 (sz 32))
+      (index: usize)
+      (zeta: i32)
+     =
+  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 zeta in
+  let offset:usize =
+    ((index *! v_STEP <: usize) *! sz 2 <: usize) /!
+    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
   in
   let re:t_Array u8 (sz 32) =
     Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+      (offset +! v_STEP_BY <: usize)
       (fun re temp_1_ ->
           let re:t_Array u8 (sz 32) = re in
           let _:usize = temp_1_ in
@@ -2867,91 +653,14 @@ let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) =
           let re:t_Array u8 (sz 32) = re in
           let j:usize = j in
           let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
+            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! v_STEP_BY <: usize ]
                 <:
                 u8)
               rhs
           in
           let re:t_Array u8 (sz 32) =
             Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 4010497l in
-  let offset:usize =
-    ((sz 14 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              j
-              (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8)
-          in
-          re)
-  in
-  let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 280005l in
-  let offset:usize =
-    ((sz 15 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /!
-    Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-  in
-  let re:t_Array u8 (sz 32) =
-    Rust_primitives.Hax.Folds.fold_range offset
-      (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
-      (fun re temp_1_ ->
-          let re:t_Array u8 (sz 32) = re in
-          let _:usize = temp_1_ in
-          true)
-      re
-      (fun re j ->
-          let re:t_Array u8 (sz 32) = re in
-          let j:usize = j in
-          let t:u8 =
-            Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +!
-                  ntt_at_layer_5_to_3___STEP_BY_2
-                  <:
-                  usize ]
-                <:
-                u8)
-              rhs
-          in
-          let re:t_Array u8 (sz 32) =
-            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-              (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize)
+              (j +! v_STEP_BY <: usize)
               (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8)
           in
           let re:t_Array u8 (sz 32) =
@@ -2961,6 +670,40 @@ let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) =
           in
           re)
   in
+  let hax_temp_output:Prims.unit = () <: Prims.unit in
+  re
+
+let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) =
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 0) 237124l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 1) (-777960l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 2) (-876248l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 3) 466468l in
+  let _:Prims.unit = () in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 0) 1826347l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 1) 2353451l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 2) (-359251l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 3) (-2091905l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 4) 3119733l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 5) (-2884855l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 6) 3111497l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 7) 2680103l in
+  let _:Prims.unit = () in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 0) 2725464l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 1) 1024112l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 2) (-1079900l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 3) 3585928l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 4) (-549488l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 5) (-1119584l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 6) 2619752l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 7) (-2108549l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 8) (-2118186l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 9) (-3859737l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 10) (-1399561l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 11) (-3277672l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 12) 1757237l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 13) (-19422l) in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 14) 4010497l in
+  let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 15) 280005l in
   let _:Prims.unit = () in
   let hax_temp_output:Prims.unit = () <: Prims.unit in
   re
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti
index afa539b9a..b0253f5ed 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti
@@ -11,6 +11,14 @@ let ntt_at_layer_5_to_3___STEP_1: usize = sz 1 <<! 4l
 
 let ntt_at_layer_5_to_3___STEP_2: usize = sz 1 <<! 3l
 
+val ntt_at_layer_7_and_6___mul
+      (re: t_Array u8 (sz 32))
+      (index: usize)
+      (zeta: u8)
+      (step_by: usize)
+      (field_modulus inverse_of_modulus_mod_montgomery_r: u8)
+    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+
 let ntt_at_layer_5_to_3___STEP_BY: usize =
   ntt_at_layer_5_to_3___STEP /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
 
@@ -44,12 +52,27 @@ val invert_ntt_at_layer_1_ (simd_unit: u8) (zeta0 zeta1: i32)
 val invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32)
     : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
 
+val ntt_at_layer_0___round
+      (re: t_Array u8 (sz 32))
+      (index: usize)
+      (zeta_0_ zeta_1_ zeta_2_ zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_: i32)
+    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+
 val ntt_at_layer_0_ (re: t_Array u8 (sz 32))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
+val ntt_at_layer_1___round
+      (re: t_Array u8 (sz 32))
+      (index: usize)
+      (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32)
+    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+
 val ntt_at_layer_1_ (re: t_Array u8 (sz 32))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
+val ntt_at_layer_2___round (re: t_Array u8 (sz 32)) (index: usize) (zeta_0_ zeta_1_: i32)
+    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+
 val ntt_at_layer_2_ (re: t_Array u8 (sz 32))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
@@ -59,6 +82,13 @@ val ntt_at_layer_2_ (re: t_Array u8 (sz 32))
 val ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32))
     : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
+val ntt_at_layer_5_to_3___round
+      (v_STEP v_STEP_BY: usize)
+      (re: t_Array u8 (sz 32))
+      (index: usize)
+      (zeta: i32)
+    : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+
 /// Layer 5, 4, 3
 /// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total
 /// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
index 8cb54365c..5cddf2bbf 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
@@ -591,424 +591,124 @@ let simd_unit_ntt_at_layer_0_
   in
   simd_unit
 
-let ntt_at_layer_0_
+let ntt_at_layer_0___round
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      (index: usize)
+      (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32)
      =
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 0 ]
+      index
+      (simd_unit_ntt_at_layer_0_ (re.[ index ]
             <:
             Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          2091667l
-          3407706l
-          2316500l
-          3817976l
+          zeta_0_
+          zeta_1_
+          zeta_2_
+          zeta_3_
         <:
         Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
   in
+  re
+
+let ntt_at_layer_0_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+     =
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 1)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 1 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3342478l)
-          2244091l
-          (-2446433l)
-          (-3562462l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 2)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 2 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          266997l
-          2434439l
-          (-1235728l)
-          3513181l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 1) (-3342478l) 2244091l (-2446433l) (-3562462l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 3)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 3 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3520352l)
-          (-3759364l)
-          (-1197226l)
-          (-3193378l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 4 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          900702l
-          1859098l
-          909542l
-          819034l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 3) (-3520352l) (-3759364l) (-1197226l) (-3193378l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 5)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 5 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          495491l
-          (-1613174l)
-          (-43260l)
-          (-522500l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 6)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 6 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-655327l)
-          (-3122442l)
-          2031748l
-          3207046l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 5) 495491l (-1613174l) (-43260l) (-522500l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 7)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 7 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3556995l)
-          (-525098l)
-          (-768622l)
-          (-3595838l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 8)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 8 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          342297l
-          286988l
-          (-2437823l)
-          4108315l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 7) (-3556995l) (-525098l) (-768622l) (-3595838l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 9)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 9 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3437287l
-          (-3342277l)
-          1735879l
-          203044l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 10)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 10 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          2842341l
-          2691481l
-          (-2590150l)
-          1265009l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 9) 3437287l (-3342277l) 1735879l 203044l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 11)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 11 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          4055324l
-          1247620l
-          2486353l
-          1595974l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 12)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 12 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3767016l)
-          1250494l
-          2635921l
-          (-3548272l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 11) 4055324l 1247620l 2486353l 1595974l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 13)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 13 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-2994039l)
-          1869119l
-          1903435l
-          (-1050970l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 14)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 14 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-1333058l)
-          1237275l
-          (-3318210l)
-          (-1430225l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 13) (-2994039l) 1869119l 1903435l (-1050970l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 15)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 15 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-451100l)
-          1312455l
-          3306115l
-          (-1962642l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 16)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 16 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-1279661l)
-          1917081l
-          (-2546312l)
-          (-1374803l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 15) (-451100l) 1312455l 3306115l (-1962642l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 17)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 17 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          1500165l
-          777191l
-          2235880l
-          3406031l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 18)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 18 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-542412l)
-          (-2831860l)
-          (-1671176l)
-          (-1846953l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 17) 1500165l 777191l 2235880l 3406031l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 19)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 19 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-2584293l)
-          (-3724270l)
-          594136l
-          (-3776993l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 20)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 20 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-2013608l)
-          2432395l
-          2454455l
-          (-164721l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 19) (-2584293l) (-3724270l) 594136l (-3776993l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 21)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 21 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          1957272l
-          3369112l
-          185531l
-          (-1207385l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 22)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 22 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3183426l)
-          162844l
-          1616392l
-          3014001l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 21) 1957272l 3369112l 185531l (-1207385l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 23)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 23 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          810149l
-          1652634l
-          (-3694233l)
-          (-1799107l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 24)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 24 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3038916l)
-          3523897l
-          3866901l
-          269760l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 23) 810149l 1652634l (-3694233l) (-1799107l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 25)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 25 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          2213111l
-          (-975884l)
-          1717735l
-          472078l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 26)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 26 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-426683l)
-          1723600l
-          (-1803090l)
-          1910376l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 25) 2213111l (-975884l) 1717735l 472078l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 27)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 27 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-1667432l)
-          (-1104333l)
-          (-260646l)
-          (-3833893l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 28)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 28 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-2939036l)
-          (-2235985l)
-          (-420899l)
-          (-2286327l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 27) (-1667432l) (-1104333l) (-260646l) (-3833893l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 29)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 29 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          183443l
-          (-976891l)
-          1612842l
-          (-3545687l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 30)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 30 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-554416l)
-          3919660l
-          (-48306l)
-          (-1362209l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 29) 183443l (-976891l) 1612842l (-3545687l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 31)
-      (simd_unit_ntt_at_layer_0_ (re.[ sz 31 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3937738l
-          1400424l
-          (-846154l)
-          1976782l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    ntt_at_layer_0___round re (sz 31) 3937738l 1400424l (-846154l) 1976782l
   in
   re
 
@@ -1166,360 +866,122 @@ let simd_unit_ntt_at_layer_1_
   in
   simd_unit
 
-let ntt_at_layer_1_
+let ntt_at_layer_1___round
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      (index: usize)
+      (zeta_0_ zeta_1_: i32)
      =
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 0 ]
+      index
+      (simd_unit_ntt_at_layer_1_ (re.[ index ]
             <:
             Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3930395l)
-          (-1528703l)
+          zeta_0_
+          zeta_1_
         <:
         Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
   in
+  re
+
+let ntt_at_layer_1_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+     =
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 1)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 1 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3677745l)
-          (-3041255l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 2)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 2 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-1452451l)
-          3475950l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 1) (-3677745l) (-3041255l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 3)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 3 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          2176455l
-          (-1585221l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 4 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-1257611l)
-          1939314l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 3) 2176455l (-1585221l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 5)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 5 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-4083598l)
-          (-1000202l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 6)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 6 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3190144l)
-          (-3157330l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 5) (-4083598l) (-1000202l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 7)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 7 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3632928l)
-          126922l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 8)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 8 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3412210l
-          (-983419l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 7) (-3632928l) 126922l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 9)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 9 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          2147896l
-          2715295l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 8) 3412210l (-983419l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 10)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 10 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-2967645l)
-          (-3693493l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 9) 2147896l 2715295l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 11)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 11 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-411027l)
-          (-2477047l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 12)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 12 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-671102l)
-          (-1228525l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 11) (-411027l) (-2477047l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 13)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 13 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-22981l)
-          (-1308169l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 14)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 14 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-381987l)
-          1349076l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 13) (-22981l) (-1308169l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 15)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 15 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          1852771l
-          (-1430430l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 16)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 16 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3343383l)
-          264944l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 15) 1852771l (-1430430l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 17)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 17 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          508951l
-          3097992l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 18)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 18 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          44288l
-          (-1100098l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 17) 508951l 3097992l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 19)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 19 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          904516l
-          3958618l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 18) 44288l (-1100098l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 20)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 20 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3724342l)
-          (-8578l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 19) 904516l 3958618l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 21)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 21 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          1653064l
-          (-3249728l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 22)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 22 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          2389356l
-          (-210977l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 21) 1653064l (-3249728l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 23)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 23 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          759969l
-          (-1316856l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 22) 2389356l (-210977l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 24)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 24 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          189548l
-          (-3553272l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 23) 759969l (-1316856l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 25)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 25 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3159746l
-          (-1851402l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 24) 189548l (-3553272l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 26)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 26 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-2409325l)
-          (-177440l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 25) 3159746l (-1851402l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 27)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 27 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          1315589l
-          1341330l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 28)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 28 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          1285669l
-          (-1584928l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 27) 1315589l 1341330l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 29)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 29 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-812732l)
-          (-1439742l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 30)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 30 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3019102l)
-          (-3881060l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 29) (-812732l) (-1439742l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 31)
-      (simd_unit_ntt_at_layer_1_ (re.[ sz 31 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3628969l)
-          3839961l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l)
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    ntt_at_layer_1___round re (sz 31) (-3628969l) 3839961l
   in
   re
 
@@ -1677,328 +1139,121 @@ let simd_unit_ntt_at_layer_2_
   in
   simd_unit
 
-let ntt_at_layer_2_
+let ntt_at_layer_2___round
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      (index: usize)
+      (zeta: i32)
      =
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
     Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 0)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 0 ]
+      index
+      (simd_unit_ntt_at_layer_2_ (re.[ index ]
             <:
             Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          2706023l
+          zeta
         <:
         Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
   in
+  re
+
+let ntt_at_layer_2_
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+     =
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 1)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 1 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          95776l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 0) 2706023l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 2)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 2 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3077325l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 1) 95776l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 3)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 3 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3530437l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 2) 3077325l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 4)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 4 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-1661693l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 3) 3530437l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 5)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 5 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3592148l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 4) (-1661693l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 6)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 6 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-2537516l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 5) (-3592148l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 7)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 7 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3915439l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 6) (-2537516l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 8)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 8 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3861115l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 7) 3915439l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 9)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 9 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3043716l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 8) (-3861115l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 10)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 10 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3574422l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 9) (-3043716l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 11)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 11 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-2867647l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 10) 3574422l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 12)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 12 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3539968l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 11) (-2867647l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 13)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 13 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-300467l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 12) 3539968l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 14)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 14 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          2348700l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 13) (-300467l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 15)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 15 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-539299l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 14) 2348700l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 16)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 16 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-1699267l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 15) (-539299l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 17)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 17 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-1643818l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 16) (-1699267l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 18)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 18 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3505694l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 17) (-1643818l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 19)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 19 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-3821735l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 18) 3505694l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 20)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 20 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3507263l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 19) (-3821735l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 21)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 21 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-2140649l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 20) 3507263l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 22)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 22 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-1600420l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 21) (-2140649l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 23)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 23 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3699596l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 22) (-1600420l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 24)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 24 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          811944l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 23) 3699596l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 25)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 25 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          531354l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 24) 811944l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 26)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 26 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          954230l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 25) 531354l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 27)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 27 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3881043l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 26) 954230l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 28)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 28 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          3900724l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 27) 3881043l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 29)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 29 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-2556880l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 28) 3900724l
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 30)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 30 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          2071892l
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 29) (-2556880l)
   in
   let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
-    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
-      (sz 31)
-      (simd_unit_ntt_at_layer_2_ (re.[ sz 31 ]
-            <:
-            Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
-          (-2797779l)
-        <:
-        Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)
+    ntt_at_layer_2___round re (sz 30) 2071892l
+  in
+  let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) =
+    ntt_at_layer_2___round re (sz 31) (-2797779l)
   in
   re
 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti
index 61fd4f830..ae1f422e4 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti
@@ -51,6 +51,14 @@ val simd_unit_ntt_at_layer_0_
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+val ntt_at_layer_0___round
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      (index: usize)
+      (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32)
+    : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 val ntt_at_layer_0_
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
     : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
@@ -64,6 +72,14 @@ val simd_unit_ntt_at_layer_1_
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+val ntt_at_layer_1___round
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      (index: usize)
+      (zeta_0_ zeta_1_: i32)
+    : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 val ntt_at_layer_1_
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
     : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
@@ -77,6 +93,14 @@ val simd_unit_ntt_at_layer_2_
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+val ntt_at_layer_2___round
+      (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      (index: usize)
+      (zeta: i32)
+    : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
+      Prims.l_True
+      (fun _ -> Prims.l_True)
+
 val ntt_at_layer_2_
       (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
     : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32))
diff --git a/libcrux-ml-dsa/src/ntt.rs b/libcrux-ml-dsa/src/ntt.rs
index df925fae8..eb8f2424d 100644
--- a/libcrux-ml-dsa/src/ntt.rs
+++ b/libcrux-ml-dsa/src/ntt.rs
@@ -15,135 +15,154 @@ pub(crate) fn ntt<SIMDUnit: Operations>(
 
 #[inline(always)]
 fn invert_ntt_at_layer_0<SIMDUnit: Operations>(re: &mut PolynomialRingElement<SIMDUnit>) {
-    macro_rules! round {
-        ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => {
-            re.simd_units[$i] = SIMDUnit::invert_ntt_at_layer_0(
-                re.simd_units[$i],
-                $zeta_0,
-                $zeta_1,
-                $zeta_2,
-                $zeta_3,
-            );
-        };
+    #[inline(always)]
+    fn round<SIMDUnit: Operations>(
+        re: &mut PolynomialRingElement<SIMDUnit>,
+        index: usize,
+        zeta_0: i32,
+        zeta_1: i32,
+        zeta_2: i32,
+        zeta_3: i32,
+    ) {
+        re.simd_units[index] =
+            SIMDUnit::invert_ntt_at_layer_0(re.simd_units[index], zeta_0, zeta_1, zeta_2, zeta_3);
     }
 
-    round!(0, 1976782, -846154, 1400424, 3937738);
-    round!(1, -1362209, -48306, 3919660, -554416);
-    round!(2, -3545687, 1612842, -976891, 183443);
-    round!(3, -2286327, -420899, -2235985, -2939036);
-    round!(4, -3833893, -260646, -1104333, -1667432);
-    round!(5, 1910376, -1803090, 1723600, -426683);
-    round!(6, 472078, 1717735, -975884, 2213111);
-    round!(7, 269760, 3866901, 3523897, -3038916);
-    round!(8, -1799107, -3694233, 1652634, 810149);
-    round!(9, 3014001, 1616392, 162844, -3183426);
-    round!(10, -1207385, 185531, 3369112, 1957272);
-    round!(11, -164721, 2454455, 2432395, -2013608);
-    round!(12, -3776993, 594136, -3724270, -2584293);
-    round!(13, -1846953, -1671176, -2831860, -542412);
-    round!(14, 3406031, 2235880, 777191, 1500165);
-    round!(15, -1374803, -2546312, 1917081, -1279661);
-    round!(16, -1962642, 3306115, 1312455, -451100);
-    round!(17, -1430225, -3318210, 1237275, -1333058);
-    round!(18, -1050970, 1903435, 1869119, -2994039);
-    round!(19, -3548272, 2635921, 1250494, -3767016);
-    round!(20, 1595974, 2486353, 1247620, 4055324);
-    round!(21, 1265009, -2590150, 2691481, 2842341);
-    round!(22, 203044, 1735879, -3342277, 3437287);
-    round!(23, 4108315, -2437823, 286988, 342297);
-    round!(24, -3595838, -768622, -525098, -3556995);
-    round!(25, 3207046, 2031748, -3122442, -655327);
-    round!(26, -522500, -43260, -1613174, 495491);
-    round!(27, 819034, 909542, 1859098, 900702);
-    round!(28, -3193378, -1197226, -3759364, -3520352);
-    round!(29, 3513181, -1235728, 2434439, 266997);
-    round!(30, -3562462, -2446433, 2244091, -3342478);
-    round!(31, 3817976, 2316500, 3407706, 2091667);
+    // macro_rules! round {
+    //     ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => {
+    //         re.simd_units[$i] = SIMDUnit::invert_ntt_at_layer_0(
+    //             re.simd_units[$i],
+    //             $zeta_0,
+    //             $zeta_1,
+    //             $zeta_2,
+    //             $zeta_3,
+    //         );
+    //     };
+    // }
+
+    round(re, 0, 1976782, -846154, 1400424, 3937738);
+    round(re, 1, -1362209, -48306, 3919660, -554416);
+    round(re, 2, -3545687, 1612842, -976891, 183443);
+    round(re, 3, -2286327, -420899, -2235985, -2939036);
+    round(re, 4, -3833893, -260646, -1104333, -1667432);
+    round(re, 5, 1910376, -1803090, 1723600, -426683);
+    round(re, 6, 472078, 1717735, -975884, 2213111);
+    round(re, 7, 269760, 3866901, 3523897, -3038916);
+    round(re, 8, -1799107, -3694233, 1652634, 810149);
+    round(re, 9, 3014001, 1616392, 162844, -3183426);
+    round(re, 10, -1207385, 185531, 3369112, 1957272);
+    round(re, 11, -164721, 2454455, 2432395, -2013608);
+    round(re, 12, -3776993, 594136, -3724270, -2584293);
+    round(re, 13, -1846953, -1671176, -2831860, -542412);
+    round(re, 14, 3406031, 2235880, 777191, 1500165);
+    round(re, 15, -1374803, -2546312, 1917081, -1279661);
+    round(re, 16, -1962642, 3306115, 1312455, -451100);
+    round(re, 17, -1430225, -3318210, 1237275, -1333058);
+    round(re, 18, -1050970, 1903435, 1869119, -2994039);
+    round(re, 19, -3548272, 2635921, 1250494, -3767016);
+    round(re, 20, 1595974, 2486353, 1247620, 4055324);
+    round(re, 21, 1265009, -2590150, 2691481, 2842341);
+    round(re, 22, 203044, 1735879, -3342277, 3437287);
+    round(re, 23, 4108315, -2437823, 286988, 342297);
+    round(re, 24, -3595838, -768622, -525098, -3556995);
+    round(re, 25, 3207046, 2031748, -3122442, -655327);
+    round(re, 26, -522500, -43260, -1613174, 495491);
+    round(re, 27, 819034, 909542, 1859098, 900702);
+    round(re, 28, -3193378, -1197226, -3759364, -3520352);
+    round(re, 29, 3513181, -1235728, 2434439, 266997);
+    round(re, 30, -3562462, -2446433, 2244091, -3342478);
+    round(re, 31, 3817976, 2316500, 3407706, 2091667);
 }
 
 #[inline(always)]
 fn invert_ntt_at_layer_1<SIMDUnit: Operations>(re: &mut PolynomialRingElement<SIMDUnit>) {
-    macro_rules! round {
-        ($i:literal, $zeta_0:literal, $zeta_1:literal) => {
-            re.simd_units[$i] =
-                SIMDUnit::invert_ntt_at_layer_1(re.simd_units[$i], $zeta_0, $zeta_1);
-        };
+    #[inline(always)]
+    fn round<SIMDUnit: Operations>(
+        re: &mut PolynomialRingElement<SIMDUnit>,
+        index: usize,
+        zeta_0: i32,
+        zeta_1: i32,
+    ) {
+        re.simd_units[index] =
+            SIMDUnit::invert_ntt_at_layer_1(re.simd_units[index], zeta_0, zeta_1);
     }
 
-    round!(0, 3839961, -3628969);
-    round!(1, -3881060, -3019102);
-    round!(2, -1439742, -812732);
-    round!(3, -1584928, 1285669);
-    round!(4, 1341330, 1315589);
-    round!(5, -177440, -2409325);
-    round!(6, -1851402, 3159746);
-    round!(7, -3553272, 189548);
-    round!(8, -1316856, 759969);
-    round!(9, -210977, 2389356);
-    round!(10, -3249728, 1653064);
-    round!(11, -8578, -3724342);
-    round!(12, 3958618, 904516);
-    round!(13, -1100098, 44288);
-    round!(14, 3097992, 508951);
-    round!(15, 264944, -3343383);
-    round!(16, -1430430, 1852771);
-    round!(17, 1349076, -381987);
-    round!(18, -1308169, -22981);
-    round!(19, -1228525, -671102);
-    round!(20, -2477047, -411027);
-    round!(21, -3693493, -2967645);
-    round!(22, 2715295, 2147896);
-    round!(23, -983419, 3412210);
-    round!(24, 126922, -3632928);
-    round!(25, -3157330, -3190144);
-    round!(26, -1000202, -4083598);
-    round!(27, 1939314, -1257611);
-    round!(28, -1585221, 2176455);
-    round!(29, 3475950, -1452451);
-    round!(30, -3041255, -3677745);
-    round!(31, -1528703, -3930395);
+    round(re, 0, 3839961, -3628969);
+    round(re, 1, -3881060, -3019102);
+    round(re, 2, -1439742, -812732);
+    round(re, 3, -1584928, 1285669);
+    round(re, 4, 1341330, 1315589);
+    round(re, 5, -177440, -2409325);
+    round(re, 6, -1851402, 3159746);
+    round(re, 7, -3553272, 189548);
+    round(re, 8, -1316856, 759969);
+    round(re, 9, -210977, 2389356);
+    round(re, 10, -3249728, 1653064);
+    round(re, 11, -8578, -3724342);
+    round(re, 12, 3958618, 904516);
+    round(re, 13, -1100098, 44288);
+    round(re, 14, 3097992, 508951);
+    round(re, 15, 264944, -3343383);
+    round(re, 16, -1430430, 1852771);
+    round(re, 17, 1349076, -381987);
+    round(re, 18, -1308169, -22981);
+    round(re, 19, -1228525, -671102);
+    round(re, 20, -2477047, -411027);
+    round(re, 21, -3693493, -2967645);
+    round(re, 22, 2715295, 2147896);
+    round(re, 23, -983419, 3412210);
+    round(re, 24, 126922, -3632928);
+    round(re, 25, -3157330, -3190144);
+    round(re, 26, -1000202, -4083598);
+    round(re, 27, 1939314, -1257611);
+    round(re, 28, -1585221, 2176455);
+    round(re, 29, 3475950, -1452451);
+    round(re, 30, -3041255, -3677745);
+    round(re, 31, -1528703, -3930395);
 }
 
 #[inline(always)]
 fn invert_ntt_at_layer_2<SIMDUnit: Operations>(re: &mut PolynomialRingElement<SIMDUnit>) {
-    macro_rules! round {
-        ($i:literal, $zeta:literal) => {
-            re.simd_units[$i] = SIMDUnit::invert_ntt_at_layer_2(re.simd_units[$i], $zeta);
-        };
+    fn round<SIMDUnit: Operations>(
+        re: &mut PolynomialRingElement<SIMDUnit>,
+        index: usize,
+        zeta: i32,
+    ) {
+        re.simd_units[index] = SIMDUnit::invert_ntt_at_layer_2(re.simd_units[index], zeta);
     }
 
-    round!(0, -2797779);
-    round!(1, 2071892);
-    round!(2, -2556880);
-    round!(3, 3900724);
-    round!(4, 3881043);
-    round!(5, 954230);
-    round!(6, 531354);
-    round!(7, 811944);
-    round!(8, 3699596);
-    round!(9, -1600420);
-    round!(10, -2140649);
-    round!(11, 3507263);
-    round!(12, -3821735);
-    round!(13, 3505694);
-    round!(14, -1643818);
-    round!(15, -1699267);
-    round!(16, -539299);
-    round!(17, 2348700);
-    round!(18, -300467);
-    round!(19, 3539968);
-    round!(20, -2867647);
-    round!(21, 3574422);
-    round!(22, -3043716);
-    round!(23, -3861115);
-    round!(24, 3915439);
-    round!(25, -2537516);
-    round!(26, -3592148);
-    round!(27, -1661693);
-    round!(28, 3530437);
-    round!(29, 3077325);
-    round!(30, 95776);
-    round!(31, 2706023);
+    round(re, 0, -2797779);
+    round(re, 1, 2071892);
+    round(re, 2, -2556880);
+    round(re, 3, 3900724);
+    round(re, 4, 3881043);
+    round(re, 5, 954230);
+    round(re, 6, 531354);
+    round(re, 7, 811944);
+    round(re, 8, 3699596);
+    round(re, 9, -1600420);
+    round(re, 10, -2140649);
+    round(re, 11, 3507263);
+    round(re, 12, -3821735);
+    round(re, 13, 3505694);
+    round(re, 14, -1643818);
+    round(re, 15, -1699267);
+    round(re, 16, -539299);
+    round(re, 17, 2348700);
+    round(re, 18, -300467);
+    round(re, 19, 3539968);
+    round(re, 20, -2867647);
+    round(re, 21, 3574422);
+    round(re, 22, -3043716);
+    round(re, 23, -3861115);
+    round(re, 24, 3915439);
+    round(re, 25, -2537516);
+    round(re, 26, -3592148);
+    round(re, 27, -1661693);
+    round(re, 28, 3530437);
+    round(re, 29, 3077325);
+    round(re, 30, 95776);
+    round(re, 31, 2706023);
 }
 
 #[inline(always)]
diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
index 732d6ba55..8ae3c9d68 100644
--- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
@@ -125,41 +125,83 @@ pub(super) unsafe fn invert_ntt_at_layer_0(
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
-    macro_rules! round {
-        ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal, $zeta_4:literal, $zeta_5:literal, $zeta_6:literal, $zeta_7:literal) => {
-            let (a, b) = butterfly_2(
-                re[$i],
-                re[$i + 1],
-                $zeta_0,
-                $zeta_1,
-                $zeta_2,
-                $zeta_3,
-                $zeta_4,
-                $zeta_5,
-                $zeta_6,
-                $zeta_7,
-            );
-            re[$i] = a;
-            re[$i + 1] = b;
-        };
+    #[inline(always)]
+    fn round(
+        re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT],
+        index: usize,
+        zeta_0: i32,
+        zeta_1: i32,
+        zeta_2: i32,
+        zeta_3: i32,
+        zeta_4: i32,
+        zeta_5: i32,
+        zeta_6: i32,
+        zeta_7: i32,
+    ) {
+        let (a, b) = butterfly_2(
+            re[index],
+            re[index + 1],
+            zeta_0,
+            zeta_1,
+            zeta_2,
+            zeta_3,
+            zeta_4,
+            zeta_5,
+            zeta_6,
+            zeta_7,
+        );
+        re[index] = a;
+        re[index + 1] = b;
     }
 
-    round!(0, 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462);
-    round!(2, 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378);
-    round!(4, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500);
-    round!(6, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838);
-    round!(8, 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044);
-    round!(10, 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974);
-    round!(12, -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970);
-    round!(14, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642);
-    round!(16, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031);
-    round!(18, -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993);
-    round!(20, -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385);
-    round!(22, -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107);
-    round!(24, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078);
-    round!(26, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893);
-    round!(28, -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687);
-    round!(30, -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782);
+    round(
+        re, 0, 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462,
+    );
+    round(
+        re, 2, 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378,
+    );
+    round(
+        re, 4, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500,
+    );
+    round(
+        re, 6, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838,
+    );
+    round(
+        re, 8, 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044,
+    );
+    round(
+        re, 10, 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974,
+    );
+    round(
+        re, 12, -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970,
+    );
+    round(
+        re, 14, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642,
+    );
+    round(
+        re, 16, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031,
+    );
+    round(
+        re, 18, -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993,
+    );
+    round(
+        re, 20, -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385,
+    );
+    round(
+        re, 22, -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107,
+    );
+    round(
+        re, 24, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078,
+    );
+    round(
+        re, 26, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893,
+    );
+    round(
+        re, 28, -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687,
+    );
+    round(
+        re, 30, -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782,
+    );
 }
 
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
@@ -181,30 +223,36 @@ pub(super) unsafe fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1:
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
-    macro_rules! round {
-        ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => {
-            let (a, b) = butterfly_4(re[$i], re[$i + 1], $zeta_0, $zeta_1, $zeta_2, $zeta_3);
-            re[$i] = a;
-            re[$i + 1] = b;
-        };
+    #[inline(always)]
+    fn round(
+        re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT],
+        index: usize,
+        zeta_0: i32,
+        zeta_1: i32,
+        zeta_2: i32,
+        zeta_3: i32,
+    ) {
+        let (a, b) = butterfly_4(re[index], re[index + 1], zeta_0, zeta_1, zeta_2, zeta_3);
+        re[index] = a;
+        re[index + 1] = b;
     }
 
-    round!(0, -3930395, -1528703, -3677745, -3041255);
-    round!(2, -1452451, 3475950, 2176455, -1585221);
-    round!(4, -1257611, 1939314, -4083598, -1000202);
-    round!(6, -3190144, -3157330, -3632928, 126922);
-    round!(8, 3412210, -983419, 2147896, 2715295);
-    round!(10, -2967645, -3693493, -411027, -2477047);
-    round!(12, -671102, -1228525, -22981, -1308169);
-    round!(14, -381987, 1349076, 1852771, -1430430);
-    round!(16, -3343383, 264944, 508951, 3097992);
-    round!(18, 44288, -1100098, 904516, 3958618);
-    round!(20, -3724342, -8578, 1653064, -3249728);
-    round!(22, 2389356, -210977, 759969, -1316856);
-    round!(24, 189548, -3553272, 3159746, -1851402);
-    round!(26, -2409325, -177440, 1315589, 1341330);
-    round!(28, 1285669, -1584928, -812732, -1439742);
-    round!(30, -3019102, -3881060, -3628969, 3839961);
+    round(re, 0, -3930395, -1528703, -3677745, -3041255);
+    round(re, 2, -1452451, 3475950, 2176455, -1585221);
+    round(re, 4, -1257611, 1939314, -4083598, -1000202);
+    round(re, 6, -3190144, -3157330, -3632928, 126922);
+    round(re, 8, 3412210, -983419, 2147896, 2715295);
+    round(re, 10, -2967645, -3693493, -411027, -2477047);
+    round(re, 12, -671102, -1228525, -22981, -1308169);
+    round(re, 14, -381987, 1349076, 1852771, -1430430);
+    round(re, 16, -3343383, 264944, 508951, 3097992);
+    round(re, 18, 44288, -1100098, 904516, 3958618);
+    round(re, 20, -3724342, -8578, 1653064, -3249728);
+    round(re, 22, 2389356, -210977, 759969, -1316856);
+    round(re, 24, 189548, -3553272, 3159746, -1851402);
+    round(re, 26, -2409325, -177440, 1315589, 1341330);
+    round(re, 28, 1285669, -1584928, -812732, -1439742);
+    round(re, 30, -3019102, -3881060, -3628969, 3839961);
 }
 
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
@@ -226,30 +274,34 @@ pub(super) unsafe fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec2
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
-    macro_rules! round {
-        ($round:literal, $zeta_0:literal, $zeta_1:literal) => {
-            let (a, b) = butterfly_8(re[$round], re[$round + 1], $zeta_0, $zeta_1);
-            re[$round] = a;
-            re[$round + 1] = b;
-        };
+    #[inline(always)]
+    fn round(
+        re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT],
+        index: usize,
+        zeta_0: i32,
+        zeta_1: i32,
+    ) {
+        let (a, b) = butterfly_8(re[index], re[index + 1], zeta_0, zeta_1);
+        re[index] = a;
+        re[index + 1] = b;
     }
 
-    round!(0, 2706023, 95776);
-    round!(2, 3077325, 3530437);
-    round!(4, -1661693, -3592148);
-    round!(6, -2537516, 3915439);
-    round!(8, -3861115, -3043716);
-    round!(10, 3574422, -2867647);
-    round!(12, 3539968, -300467);
-    round!(14, 2348700, -539299);
-    round!(16, -1699267, -1643818);
-    round!(18, 3505694, -3821735);
-    round!(20, 3507263, -2140649);
-    round!(22, -1600420, 3699596);
-    round!(24, 811944, 531354);
-    round!(26, 954230, 3881043);
-    round!(28, 3900724, -2556880);
-    round!(30, 2071892, -2797779);
+    round(re, 0, 2706023, 95776);
+    round(re, 2, 3077325, 3530437);
+    round(re, 4, -1661693, -3592148);
+    round(re, 6, -2537516, 3915439);
+    round(re, 8, -3861115, -3043716);
+    round(re, 10, 3574422, -2867647);
+    round(re, 12, 3539968, -300467);
+    round(re, 14, 2348700, -539299);
+    round(re, 16, -1699267, -1643818);
+    round(re, 18, 3505694, -3821735);
+    round(re, 20, 3507263, -2140649);
+    round(re, 22, -1600420, 3699596);
+    round(re, 24, 811944, 531354);
+    round(re, 26, 954230, 3881043);
+    round(re, 28, 3900724, -2556880);
+    round(re, 30, 2071892, -2797779);
 }
 
 /// This is equivalent to the pqclean 0 and 1
@@ -263,35 +315,69 @@ unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     let inverse_of_modulus_mod_montgomery_r =
         mm256_set1_epi32(crate::simd::traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32);
 
-    macro_rules! mul {
-        ($i:expr, $zeta:expr, $step_by:expr) => {
-            let prod02 = mm256_mul_epi32(re[$i + $step_by], $zeta);
-            let prod13 = mm256_mul_epi32(
-                mm256_shuffle_epi32::<0b11_11_01_01>(re[$i + $step_by]), // 0xF5
-                mm256_shuffle_epi32::<0b11_11_01_01>($zeta),             // 0xF5
-            );
-            let k02 = mm256_mul_epi32(prod02, inverse_of_modulus_mod_montgomery_r);
-            let k13 = mm256_mul_epi32(prod13, inverse_of_modulus_mod_montgomery_r);
-
-            let c02 = mm256_mul_epi32(k02, field_modulus);
-            let c13 = mm256_mul_epi32(k13, field_modulus);
-
-            let res02 = mm256_sub_epi32(prod02, c02);
-            let res13 = mm256_sub_epi32(prod13, c13);
-            let res02_shifted = mm256_shuffle_epi32::<0b11_11_01_01>(res02); // 0xF5
-            let t = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); // 0xAA
-
-            re[$i + $step_by] = arithmetic::subtract(re[$i], t);
-            re[$i] = arithmetic::add(re[$i], t);
-        };
+    #[inline(always)]
+    fn mul(
+        re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT],
+        index: usize,
+        zeta: Vec256,
+        step_by: usize,
+        field_modulus: Vec256,
+        inverse_of_modulus_mod_montgomery_r: Vec256,
+    ) {
+        let prod02 = mm256_mul_epi32(re[index + step_by], zeta);
+        let prod13 = mm256_mul_epi32(
+            mm256_shuffle_epi32::<0b11_11_01_01>(re[index + step_by]), // 0xF5
+            mm256_shuffle_epi32::<0b11_11_01_01>(zeta),                // 0xF5
+        );
+        let k02 = mm256_mul_epi32(prod02, inverse_of_modulus_mod_montgomery_r);
+        let k13 = mm256_mul_epi32(prod13, inverse_of_modulus_mod_montgomery_r);
+
+        let c02 = mm256_mul_epi32(k02, field_modulus);
+        let c13 = mm256_mul_epi32(k13, field_modulus);
+
+        let res02 = mm256_sub_epi32(prod02, c02);
+        let res13 = mm256_sub_epi32(prod13, c13);
+        let res02_shifted = mm256_shuffle_epi32::<0b11_11_01_01>(res02); // 0xF5
+        let t = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); // 0xAA
+
+        re[index + step_by] = arithmetic::subtract(re[index], t);
+        re[index] = arithmetic::add(re[index], t);
     }
 
     macro_rules! layer {
         ($start:literal, $zeta:expr, $step_by:expr) => {{
-            mul!($start, $zeta, $step_by);
-            mul!($start + 1, $zeta, $step_by);
-            mul!($start + 2, $zeta, $step_by);
-            mul!($start + 3, $zeta, $step_by);
+            mul(
+                re,
+                $start,
+                $zeta,
+                $step_by,
+                field_modulus,
+                inverse_of_modulus_mod_montgomery_r,
+            );
+            mul(
+                re,
+                $start + 1,
+                $zeta,
+                $step_by,
+                field_modulus,
+                inverse_of_modulus_mod_montgomery_r,
+            );
+            mul(
+                re,
+                $start + 2,
+                $zeta,
+                $step_by,
+                field_modulus,
+                inverse_of_modulus_mod_montgomery_r,
+            );
+            mul(
+                re,
+                $start + 3,
+                $zeta,
+                $step_by,
+                field_modulus,
+                inverse_of_modulus_mod_montgomery_r,
+            );
         }};
     }
 
@@ -320,18 +406,22 @@ unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
 #[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
 unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
-    macro_rules! round {
-        ($i:literal, $zeta: literal) => {
-            let rhs = mm256_set1_epi32($zeta);
-            let offset = ($i * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT;
-
-            for j in offset..offset + STEP_BY {
-                let t = arithmetic::montgomery_multiply(re[j + STEP_BY], rhs);
-
-                re[j + STEP_BY] = arithmetic::subtract(re[j], t);
-                re[j] = arithmetic::add(re[j], t);
-            }
-        };
+    #[inline(always)]
+    fn round<const STEP: usize, const STEP_BY: usize>(
+        re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT],
+        index: usize,
+        zeta: i32,
+    ) {
+        let rhs = mm256_set1_epi32(zeta);
+        let offset = (index * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT;
+
+        for j in offset..offset + STEP_BY {
+            let t = arithmetic::montgomery_multiply(re[j + STEP_BY], rhs);
+
+            re[j + STEP_BY] = arithmetic::subtract(re[j], t);
+            re[j] = arithmetic::add(re[j], t);
+        }
+        () // Needed because of https://github.com/hacspec/hax/issues/720
     }
 
     // Layer 5
@@ -343,10 +433,10 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
         const STEP: usize = 1 << 5;
         const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT;
 
-        round!(0, 237124);
-        round!(1, -777960);
-        round!(2, -876248);
-        round!(3, 466468);
+        round::<STEP, STEP_BY>(re, 0, 237124);
+        round::<STEP, STEP_BY>(re, 1, -777960);
+        round::<STEP, STEP_BY>(re, 2, -876248);
+        round::<STEP, STEP_BY>(re, 3, 466468);
     }
 
     // Layer 4
@@ -362,14 +452,14 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
         const STEP: usize = 1 << 4;
         const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT;
 
-        round!(0, 1826347);
-        round!(1, 2353451);
-        round!(2, -359251);
-        round!(3, -2091905);
-        round!(4, 3119733);
-        round!(5, -2884855);
-        round!(6, 3111497);
-        round!(7, 2680103);
+        round::<STEP, STEP_BY>(re, 0, 1826347);
+        round::<STEP, STEP_BY>(re, 1, 2353451);
+        round::<STEP, STEP_BY>(re, 2, -359251);
+        round::<STEP, STEP_BY>(re, 3, -2091905);
+        round::<STEP, STEP_BY>(re, 4, 3119733);
+        round::<STEP, STEP_BY>(re, 5, -2884855);
+        round::<STEP, STEP_BY>(re, 6, 3111497);
+        round::<STEP, STEP_BY>(re, 7, 2680103);
     }
 
     // Layer 3
@@ -378,22 +468,22 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
         const STEP: usize = 1 << 3;
         const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT;
 
-        round!(0, 2725464);
-        round!(1, 1024112);
-        round!(2, -1079900);
-        round!(3, 3585928);
-        round!(4, -549488);
-        round!(5, -1119584);
-        round!(6, 2619752);
-        round!(7, -2108549);
-        round!(8, -2118186);
-        round!(9, -3859737);
-        round!(10, -1399561);
-        round!(11, -3277672);
-        round!(12, 1757237);
-        round!(13, -19422);
-        round!(14, 4010497);
-        round!(15, 280005);
+        round::<STEP, STEP_BY>(re, 0, 2725464);
+        round::<STEP, STEP_BY>(re, 1, 1024112);
+        round::<STEP, STEP_BY>(re, 2, -1079900);
+        round::<STEP, STEP_BY>(re, 3, 3585928);
+        round::<STEP, STEP_BY>(re, 4, -549488);
+        round::<STEP, STEP_BY>(re, 5, -1119584);
+        round::<STEP, STEP_BY>(re, 6, 2619752);
+        round::<STEP, STEP_BY>(re, 7, -2108549);
+        round::<STEP, STEP_BY>(re, 8, -2118186);
+        round::<STEP, STEP_BY>(re, 9, -3859737);
+        round::<STEP, STEP_BY>(re, 10, -1399561);
+        round::<STEP, STEP_BY>(re, 11, -3277672);
+        round::<STEP, STEP_BY>(re, 12, 1757237);
+        round::<STEP, STEP_BY>(re, 13, -19422);
+        round::<STEP, STEP_BY>(re, 14, 4010497);
+        round::<STEP, STEP_BY>(re, 15, 280005);
     }
     ()
 }
diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs
index 11bfab4d2..b074ceffb 100644
--- a/libcrux-ml-dsa/src/simd/portable/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs
@@ -152,128 +152,137 @@ pub fn invert_ntt_at_layer_2(mut simd_unit: PortableSIMDUnit, zeta: i32) -> Port
 
 #[inline(always)]
 fn ntt_at_layer_0(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
-    macro_rules! round {
-        ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => {
-            re[$i] = simd_unit_ntt_at_layer_0(re[$i], $zeta_0, $zeta_1, $zeta_2, $zeta_3);
-        };
+    #[inline(always)]
+    fn round(
+        re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT],
+        index: usize,
+        zeta_0: i32,
+        zeta_1: i32,
+        zeta_2: i32,
+        zeta_3: i32,
+    ) {
+        re[index] = simd_unit_ntt_at_layer_0(re[index], zeta_0, zeta_1, zeta_2, zeta_3);
     }
 
-    round!(0, 2091667, 3407706, 2316500, 3817976);
-    round!(1, -3342478, 2244091, -2446433, -3562462);
-    round!(2, 266997, 2434439, -1235728, 3513181);
-    round!(3, -3520352, -3759364, -1197226, -3193378);
-    round!(4, 900702, 1859098, 909542, 819034);
-    round!(5, 495491, -1613174, -43260, -522500);
-    round!(6, -655327, -3122442, 2031748, 3207046);
-    round!(7, -3556995, -525098, -768622, -3595838);
-    round!(8, 342297, 286988, -2437823, 4108315);
-    round!(9, 3437287, -3342277, 1735879, 203044);
-    round!(10, 2842341, 2691481, -2590150, 1265009);
-    round!(11, 4055324, 1247620, 2486353, 1595974);
-    round!(12, -3767016, 1250494, 2635921, -3548272);
-    round!(13, -2994039, 1869119, 1903435, -1050970);
-    round!(14, -1333058, 1237275, -3318210, -1430225);
-    round!(15, -451100, 1312455, 3306115, -1962642);
-    round!(16, -1279661, 1917081, -2546312, -1374803);
-    round!(17, 1500165, 777191, 2235880, 3406031);
-    round!(18, -542412, -2831860, -1671176, -1846953);
-    round!(19, -2584293, -3724270, 594136, -3776993);
-    round!(20, -2013608, 2432395, 2454455, -164721);
-    round!(21, 1957272, 3369112, 185531, -1207385);
-    round!(22, -3183426, 162844, 1616392, 3014001);
-    round!(23, 810149, 1652634, -3694233, -1799107);
-    round!(24, -3038916, 3523897, 3866901, 269760);
-    round!(25, 2213111, -975884, 1717735, 472078);
-    round!(26, -426683, 1723600, -1803090, 1910376);
-    round!(27, -1667432, -1104333, -260646, -3833893);
-    round!(28, -2939036, -2235985, -420899, -2286327);
-    round!(29, 183443, -976891, 1612842, -3545687);
-    round!(30, -554416, 3919660, -48306, -1362209);
-    round!(31, 3937738, 1400424, -846154, 1976782);
+    round(re, 0, 2091667, 3407706, 2316500, 3817976);
+    round(re, 1, -3342478, 2244091, -2446433, -3562462);
+    round(re, 2, 266997, 2434439, -1235728, 3513181);
+    round(re, 3, -3520352, -3759364, -1197226, -3193378);
+    round(re, 4, 900702, 1859098, 909542, 819034);
+    round(re, 5, 495491, -1613174, -43260, -522500);
+    round(re, 6, -655327, -3122442, 2031748, 3207046);
+    round(re, 7, -3556995, -525098, -768622, -3595838);
+    round(re, 8, 342297, 286988, -2437823, 4108315);
+    round(re, 9, 3437287, -3342277, 1735879, 203044);
+    round(re, 10, 2842341, 2691481, -2590150, 1265009);
+    round(re, 11, 4055324, 1247620, 2486353, 1595974);
+    round(re, 12, -3767016, 1250494, 2635921, -3548272);
+    round(re, 13, -2994039, 1869119, 1903435, -1050970);
+    round(re, 14, -1333058, 1237275, -3318210, -1430225);
+    round(re, 15, -451100, 1312455, 3306115, -1962642);
+    round(re, 16, -1279661, 1917081, -2546312, -1374803);
+    round(re, 17, 1500165, 777191, 2235880, 3406031);
+    round(re, 18, -542412, -2831860, -1671176, -1846953);
+    round(re, 19, -2584293, -3724270, 594136, -3776993);
+    round(re, 20, -2013608, 2432395, 2454455, -164721);
+    round(re, 21, 1957272, 3369112, 185531, -1207385);
+    round(re, 22, -3183426, 162844, 1616392, 3014001);
+    round(re, 23, 810149, 1652634, -3694233, -1799107);
+    round(re, 24, -3038916, 3523897, 3866901, 269760);
+    round(re, 25, 2213111, -975884, 1717735, 472078);
+    round(re, 26, -426683, 1723600, -1803090, 1910376);
+    round(re, 27, -1667432, -1104333, -260646, -3833893);
+    round(re, 28, -2939036, -2235985, -420899, -2286327);
+    round(re, 29, 183443, -976891, 1612842, -3545687);
+    round(re, 30, -554416, 3919660, -48306, -1362209);
+    round(re, 31, 3937738, 1400424, -846154, 1976782);
 }
 
 #[inline(always)]
 fn ntt_at_layer_1(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
-    macro_rules! round {
-        ($i:literal, $zeta_0:literal, $zeta_1:literal) => {
-            re[$i] = simd_unit_ntt_at_layer_1(re[$i], $zeta_0, $zeta_1);
-        };
+    #[inline(always)]
+    fn round(
+        re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT],
+        index: usize,
+        zeta_0: i32,
+        zeta_1: i32,
+    ) {
+        re[index] = simd_unit_ntt_at_layer_1(re[index], zeta_0, zeta_1);
     }
 
-    round!(0, -3930395, -1528703);
-    round!(1, -3677745, -3041255);
-    round!(2, -1452451, 3475950);
-    round!(3, 2176455, -1585221);
-    round!(4, -1257611, 1939314);
-    round!(5, -4083598, -1000202);
-    round!(6, -3190144, -3157330);
-    round!(7, -3632928, 126922);
-    round!(8, 3412210, -983419);
-    round!(9, 2147896, 2715295);
-    round!(10, -2967645, -3693493);
-    round!(11, -411027, -2477047);
-    round!(12, -671102, -1228525);
-    round!(13, -22981, -1308169);
-    round!(14, -381987, 1349076);
-    round!(15, 1852771, -1430430);
-    round!(16, -3343383, 264944);
-    round!(17, 508951, 3097992);
-    round!(18, 44288, -1100098);
-    round!(19, 904516, 3958618);
-    round!(20, -3724342, -8578);
-    round!(21, 1653064, -3249728);
-    round!(22, 2389356, -210977);
-    round!(23, 759969, -1316856);
-    round!(24, 189548, -3553272);
-    round!(25, 3159746, -1851402);
-    round!(26, -2409325, -177440);
-    round!(27, 1315589, 1341330);
-    round!(28, 1285669, -1584928);
-    round!(29, -812732, -1439742);
-    round!(30, -3019102, -3881060);
-    round!(31, -3628969, 3839961);
+    round(re, 0, -3930395, -1528703);
+    round(re, 1, -3677745, -3041255);
+    round(re, 2, -1452451, 3475950);
+    round(re, 3, 2176455, -1585221);
+    round(re, 4, -1257611, 1939314);
+    round(re, 5, -4083598, -1000202);
+    round(re, 6, -3190144, -3157330);
+    round(re, 7, -3632928, 126922);
+    round(re, 8, 3412210, -983419);
+    round(re, 9, 2147896, 2715295);
+    round(re, 10, -2967645, -3693493);
+    round(re, 11, -411027, -2477047);
+    round(re, 12, -671102, -1228525);
+    round(re, 13, -22981, -1308169);
+    round(re, 14, -381987, 1349076);
+    round(re, 15, 1852771, -1430430);
+    round(re, 16, -3343383, 264944);
+    round(re, 17, 508951, 3097992);
+    round(re, 18, 44288, -1100098);
+    round(re, 19, 904516, 3958618);
+    round(re, 20, -3724342, -8578);
+    round(re, 21, 1653064, -3249728);
+    round(re, 22, 2389356, -210977);
+    round(re, 23, 759969, -1316856);
+    round(re, 24, 189548, -3553272);
+    round(re, 25, 3159746, -1851402);
+    round(re, 26, -2409325, -177440);
+    round(re, 27, 1315589, 1341330);
+    round(re, 28, 1285669, -1584928);
+    round(re, 29, -812732, -1439742);
+    round(re, 30, -3019102, -3881060);
+    round(re, 31, -3628969, 3839961);
 }
 
 #[inline(always)]
 fn ntt_at_layer_2(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
-    macro_rules! round {
-        ($i:literal, $zeta:literal) => {
-            re[$i] = simd_unit_ntt_at_layer_2(re[$i], $zeta);
-        };
+    #[inline(always)]
+    fn round(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], index: usize, zeta: i32) {
+        re[index] = simd_unit_ntt_at_layer_2(re[index], zeta);
     }
 
-    round!(0, 2706023);
-    round!(1, 95776);
-    round!(2, 3077325);
-    round!(3, 3530437);
-    round!(4, -1661693);
-    round!(5, -3592148);
-    round!(6, -2537516);
-    round!(7, 3915439);
-    round!(8, -3861115);
-    round!(9, -3043716);
-    round!(10, 3574422);
-    round!(11, -2867647);
-    round!(12, 3539968);
-    round!(13, -300467);
-    round!(14, 2348700);
-    round!(15, -539299);
-    round!(16, -1699267);
-    round!(17, -1643818);
-    round!(18, 3505694);
-    round!(19, -3821735);
-    round!(20, 3507263);
-    round!(21, -2140649);
-    round!(22, -1600420);
-    round!(23, 3699596);
-    round!(24, 811944);
-    round!(25, 531354);
-    round!(26, 954230);
-    round!(27, 3881043);
-    round!(28, 3900724);
-    round!(29, -2556880);
-    round!(30, 2071892);
-    round!(31, -2797779);
+    round(re, 0, 2706023);
+    round(re, 1, 95776);
+    round(re, 2, 3077325);
+    round(re, 3, 3530437);
+    round(re, 4, -1661693);
+    round(re, 5, -3592148);
+    round(re, 6, -2537516);
+    round(re, 7, 3915439);
+    round(re, 8, -3861115);
+    round(re, 9, -3043716);
+    round(re, 10, 3574422);
+    round(re, 11, -2867647);
+    round(re, 12, 3539968);
+    round(re, 13, -300467);
+    round(re, 14, 2348700);
+    round(re, 15, -539299);
+    round(re, 16, -1699267);
+    round(re, 17, -1643818);
+    round(re, 18, 3505694);
+    round(re, 19, -3821735);
+    round(re, 20, 3507263);
+    round(re, 21, -2140649);
+    round(re, 22, -1600420);
+    round(re, 23, 3699596);
+    round(re, 24, 811944);
+    round(re, 25, 531354);
+    round(re, 26, 954230);
+    round(re, 27, 3881043);
+    round(re, 28, 3900724);
+    round(re, 29, -2556880);
+    round(re, 30, 2071892);
+    round(re, 31, -2797779);
 }
 
 #[inline(always)]

From 8f41090fdc368a2b2b091d7faa3b40ede05dc390 Mon Sep 17 00:00:00 2001
From: Franziskus Kiefer <franziskuskiefer@gmail.com>
Date: Fri, 8 Nov 2024 07:44:04 +0000
Subject: [PATCH 20/22] Revert "SHA-3 AVX2 target feature"

This reverts commit 0703c5ba349bf587e1cfb3f9628fc61693e61119.
---
 libcrux-ml-dsa/Cargo.toml     |   2 +-
 libcrux-sha3/Cargo.toml       |   4 +-
 libcrux-sha3/src/lib.rs       |  55 ++++++++++++++-
 libcrux-sha3/src/simd/avx2.rs | 122 +++++++++++-----------------------
 4 files changed, 97 insertions(+), 86 deletions(-)

diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml
index 0949b4a9c..3358b8678 100644
--- a/libcrux-ml-dsa/Cargo.toml
+++ b/libcrux-ml-dsa/Cargo.toml
@@ -34,7 +34,7 @@ pqcrypto-dilithium = { version = "0.5.0" }         #, default-features = false
 [features]
 simd128 = ["libcrux-sha3/simd128", "libcrux-intrinsics/simd128"]
 simd256 = ["libcrux-sha3/simd256", "libcrux-intrinsics/simd256"]
-acvp = []                                                        # expose internal API for ACVP testing
+acvp = [] # expose internal API for ACVP testing
 
 [[bench]]
 name = "manual44"
diff --git a/libcrux-sha3/Cargo.toml b/libcrux-sha3/Cargo.toml
index 23b21b401..85ed0be95 100644
--- a/libcrux-sha3/Cargo.toml
+++ b/libcrux-sha3/Cargo.toml
@@ -23,8 +23,8 @@ libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics"
 hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" }
 
 [features]
-simd128 = ["libcrux-intrinsics/simd128"]
-simd256 = ["libcrux-intrinsics/simd256"]
+simd128 = []
+simd256 = []
 
 [[bench]]
 name = "sha3"
diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs
index d48dea15f..c1395155d 100644
--- a/libcrux-sha3/src/lib.rs
+++ b/libcrux-sha3/src/lib.rs
@@ -3,7 +3,7 @@
 //! A SHA3 implementation with optional simd optimisations.
 
 #![no_std]
-#![deny(unsafe_code)]
+#![forbid(unsafe_code)]
 #![deny(missing_docs)]
 
 pub mod simd;
@@ -92,6 +92,7 @@ pub fn hash<const LEN: usize>(algorithm: Algorithm, payload: &[u8]) -> [u8; LEN]
 pub use hash as sha3;
 
 /// SHA3 224
+#[inline(always)]
 pub fn sha224(data: &[u8]) -> Sha3_224Digest {
     let mut out = [0u8; 28];
     sha224_ema(&mut out, data);
@@ -102,6 +103,7 @@ pub fn sha224(data: &[u8]) -> Sha3_224Digest {
 ///
 /// Preconditions:
 /// - `digest.len() == 28`
+#[inline(always)]
 pub fn sha224_ema(digest: &mut [u8], payload: &[u8]) {
     debug_assert!(payload.len() <= u32::MAX as usize);
     debug_assert!(digest.len() == 28);
@@ -110,6 +112,7 @@ pub fn sha224_ema(digest: &mut [u8], payload: &[u8]) {
 }
 
 /// SHA3 256
+#[inline(always)]
 pub fn sha256(data: &[u8]) -> Sha3_256Digest {
     let mut out = [0u8; 32];
     sha256_ema(&mut out, data);
@@ -117,6 +120,7 @@ pub fn sha256(data: &[u8]) -> Sha3_256Digest {
 }
 
 /// SHA3 256
+#[inline(always)]
 pub fn sha256_ema(digest: &mut [u8], payload: &[u8]) {
     debug_assert!(payload.len() <= u32::MAX as usize);
     debug_assert!(digest.len() == 32);
@@ -125,6 +129,7 @@ pub fn sha256_ema(digest: &mut [u8], payload: &[u8]) {
 }
 
 /// SHA3 384
+#[inline(always)]
 pub fn sha384(data: &[u8]) -> Sha3_384Digest {
     let mut out = [0u8; 48];
     sha384_ema(&mut out, data);
@@ -132,6 +137,7 @@ pub fn sha384(data: &[u8]) -> Sha3_384Digest {
 }
 
 /// SHA3 384
+#[inline(always)]
 pub fn sha384_ema(digest: &mut [u8], payload: &[u8]) {
     debug_assert!(payload.len() <= u32::MAX as usize);
     debug_assert!(digest.len() == 48);
@@ -140,6 +146,7 @@ pub fn sha384_ema(digest: &mut [u8], payload: &[u8]) {
 }
 
 /// SHA3 512
+#[inline(always)]
 pub fn sha512(data: &[u8]) -> Sha3_512Digest {
     let mut out = [0u8; 64];
     sha512_ema(&mut out, data);
@@ -147,6 +154,7 @@ pub fn sha512(data: &[u8]) -> Sha3_512Digest {
 }
 
 /// SHA3 512
+#[inline(always)]
 pub fn sha512_ema(digest: &mut [u8], payload: &[u8]) {
     debug_assert!(payload.len() <= u32::MAX as usize);
     debug_assert!(digest.len() == 64);
@@ -158,6 +166,7 @@ pub fn sha512_ema(digest: &mut [u8], payload: &[u8]) {
 ///
 /// Note that the output length `BYTES` must fit into 32 bit. If it is longer,
 /// the output will only return `u32::MAX` bytes.
+#[inline(always)]
 pub fn shake128<const BYTES: usize>(data: &[u8]) -> [u8; BYTES] {
     let mut out = [0u8; BYTES];
     portable::shake128(&mut out, data);
@@ -167,6 +176,7 @@ pub fn shake128<const BYTES: usize>(data: &[u8]) -> [u8; BYTES] {
 /// SHAKE 128
 ///
 /// Writes `out.len()` bytes.
+#[inline(always)]
 pub fn shake128_ema(out: &mut [u8], data: &[u8]) {
     portable::shake128(out, data);
 }
@@ -175,6 +185,7 @@ pub fn shake128_ema(out: &mut [u8], data: &[u8]) {
 ///
 /// Note that the output length `BYTES` must fit into 32 bit. If it is longer,
 /// the output will only return `u32::MAX` bytes.
+#[inline(always)]
 pub fn shake256<const BYTES: usize>(data: &[u8]) -> [u8; BYTES] {
     let mut out = [0u8; BYTES];
     portable::shake256(&mut out, data);
@@ -184,6 +195,7 @@ pub fn shake256<const BYTES: usize>(data: &[u8]) -> [u8; BYTES] {
 /// SHAKE 256
 ///
 /// Writes `out.len()` bytes.
+#[inline(always)]
 pub fn shake256_ema(out: &mut [u8], data: &[u8]) {
     portable::shake256(out, data);
 }
@@ -209,31 +221,37 @@ pub mod portable {
     }
 
     /// A portable SHA3 224 implementation.
+    #[inline(always)]
     pub fn sha224(digest: &mut [u8], data: &[u8]) {
         keccakx1::<144, 0x06u8>([data], [digest]);
     }
 
     /// A portable SHA3 256 implementation.
+    #[inline(always)]
     pub fn sha256(digest: &mut [u8], data: &[u8]) {
         keccakx1::<136, 0x06u8>([data], [digest]);
     }
 
     /// A portable SHA3 384 implementation.
+    #[inline(always)]
     pub fn sha384(digest: &mut [u8], data: &[u8]) {
         keccakx1::<104, 0x06u8>([data], [digest]);
     }
 
     /// A portable SHA3 512 implementation.
+    #[inline(always)]
     pub fn sha512(digest: &mut [u8], data: &[u8]) {
         keccakx1::<72, 0x06u8>([data], [digest]);
     }
 
     /// A portable SHAKE128 implementation.
+    #[inline(always)]
     pub fn shake128(digest: &mut [u8], data: &[u8]) {
         keccakx1::<168, 0x1fu8>([data], [digest]);
     }
 
     /// A portable SHAKE256 implementation.
+    #[inline(always)]
     pub fn shake256(digest: &mut [u8], data: &[u8]) {
         keccakx1::<136, 0x1fu8>([data], [digest]);
     }
@@ -348,6 +366,7 @@ pub mod portable {
         }
 
         /// Create a new SHAKE-128 state object.
+        #[inline(always)]
         pub fn shake128_init() -> KeccakState {
             KeccakState {
                 state: GenericState::<1, u64>::new(),
@@ -355,26 +374,31 @@ pub mod portable {
         }
 
         /// Absorb
+        #[inline(always)]
         pub fn shake128_absorb_final(s: &mut KeccakState, data0: &[u8]) {
             absorb_final::<1, u64, 168, 0x1fu8>(&mut s.state, [data0]);
         }
 
         /// Squeeze three blocks
+        #[inline(always)]
         pub fn shake128_squeeze_first_three_blocks(s: &mut KeccakState, out0: &mut [u8]) {
             squeeze_first_three_blocks::<1, u64, 168>(&mut s.state, [out0])
         }
 
         /// Squeeze five blocks
+        #[inline(always)]
         pub fn shake128_squeeze_first_five_blocks(s: &mut KeccakState, out0: &mut [u8]) {
             squeeze_first_five_blocks::<1, u64, 168>(&mut s.state, [out0])
         }
 
         /// Squeeze another block
+        #[inline(always)]
         pub fn shake128_squeeze_next_block(s: &mut KeccakState, out0: &mut [u8]) {
             squeeze_next_block::<1, u64, 168>(&mut s.state, [out0])
         }
 
         /// Create a new SHAKE-256 state object.
+        #[inline(always)]
         pub fn shake256_init() -> KeccakState {
             KeccakState {
                 state: GenericState::<1, u64>::new(),
@@ -382,16 +406,19 @@ pub mod portable {
         }
 
         /// Absorb some data for SHAKE-256 for the last time
+        #[inline(always)]
         pub fn shake256_absorb_final(s: &mut KeccakState, data: &[u8]) {
             absorb_final::<1, u64, 136, 0x1fu8>(&mut s.state, [data]);
         }
 
         /// Squeeze the first SHAKE-256 block
+        #[inline(always)]
         pub fn shake256_squeeze_first_block(s: &mut KeccakState, out: &mut [u8]) {
             squeeze_first_block::<1, u64, 136>(&mut s.state, [out])
         }
 
         /// Squeeze the next SHAKE-256 block
+        #[inline(always)]
         pub fn shake256_squeeze_next_block(s: &mut KeccakState, out: &mut [u8]) {
             squeeze_next_block::<1, u64, 136>(&mut s.state, [out])
         }
@@ -417,6 +444,7 @@ pub mod neon {
 
     /// A portable SHA3 224 implementation.
     #[allow(unused_variables)]
+    #[inline(always)]
     pub fn sha224(digest: &mut [u8], data: &[u8]) {
         #[cfg(not(feature = "simd128"))]
         unimplemented!();
@@ -429,6 +457,7 @@ pub mod neon {
 
     /// A portable SHA3 256 implementation.
     #[allow(unused_variables)]
+    #[inline(always)]
     pub fn sha256(digest: &mut [u8], data: &[u8]) {
         #[cfg(not(feature = "simd128"))]
         unimplemented!();
@@ -441,6 +470,7 @@ pub mod neon {
 
     /// A portable SHA3 384 implementation.
     #[allow(unused_variables)]
+    #[inline(always)]
     pub fn sha384(digest: &mut [u8], data: &[u8]) {
         #[cfg(not(feature = "simd128"))]
         unimplemented!();
@@ -453,6 +483,7 @@ pub mod neon {
 
     /// A portable SHA3 512 implementation.
     #[allow(unused_variables)]
+    #[inline(always)]
     pub fn sha512(digest: &mut [u8], data: &[u8]) {
         #[cfg(not(feature = "simd128"))]
         unimplemented!();
@@ -465,6 +496,7 @@ pub mod neon {
 
     /// A portable SHAKE128 implementation.
     #[allow(unused_variables)]
+    #[inline(always)]
     pub fn shake128<const LEN: usize>(digest: &mut [u8; LEN], data: &[u8]) {
         #[cfg(not(feature = "simd128"))]
         unimplemented!();
@@ -477,6 +509,7 @@ pub mod neon {
 
     /// A portable SHAKE256 implementation.
     #[allow(unused_variables)]
+    #[inline(always)]
     pub fn shake256<const LEN: usize>(digest: &mut [u8; LEN], data: &[u8]) {
         #[cfg(not(feature = "simd128"))]
         unimplemented!();
@@ -496,6 +529,7 @@ pub mod neon {
         ///
         /// Writes the two results into `out0` and `out1`
         #[allow(unused_variables)]
+        #[inline(always)]
         pub fn shake256(input0: &[u8], input1: &[u8], out0: &mut [u8], out1: &mut [u8]) {
             // TODO: make argument ordering consistent
             #[cfg(not(feature = "simd128"))]
@@ -562,6 +596,7 @@ pub mod neon {
             }
 
             /// Initialise the `KeccakState2`.
+            #[inline(always)]
             pub fn init() -> KeccakState {
                 #[cfg(not(feature = "simd128"))]
                 unimplemented!();
@@ -579,6 +614,7 @@ pub mod neon {
             }
 
             /// Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`.
+            #[inline(always)]
             #[allow(unused_variables)]
             pub fn shake128_absorb_final(s: &mut KeccakState, data0: &[u8], data1: &[u8]) {
                 #[cfg(not(feature = "simd128"))]
@@ -598,6 +634,7 @@ pub mod neon {
             }
 
             /// Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`.
+            #[inline(always)]
             #[allow(unused_variables)]
             pub fn shake256_absorb_final(s: &mut KeccakState, data0: &[u8], data1: &[u8]) {
                 #[cfg(not(feature = "simd128"))]
@@ -647,6 +684,7 @@ pub mod neon {
             /// Squeeze 2 times the first three blocks in parallel in the
             /// [`KeccakState`] and return the output in `out0` and `out1`.
             #[allow(unused_variables)]
+            #[inline(always)]
             pub fn shake128_squeeze_first_three_blocks(
                 s: &mut KeccakState,
                 out0: &mut [u8],
@@ -670,6 +708,7 @@ pub mod neon {
 
             /// Squeeze five blocks
             #[allow(unused_variables)]
+            #[inline(always)]
             pub fn shake128_squeeze_first_five_blocks(
                 s: &mut KeccakState,
                 out0: &mut [u8],
@@ -685,6 +724,7 @@ pub mod neon {
             }
 
             /// Squeeze block
+            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake256_squeeze_first_block(
                 s: &mut KeccakState,
@@ -701,6 +741,7 @@ pub mod neon {
             }
 
             /// Squeeze next block
+            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake256_squeeze_next_block(
                 s: &mut KeccakState,
@@ -775,6 +816,7 @@ pub mod neon {
             /// Squeeze 2 times the next block in parallel in the
             /// [`KeccakState`] and return the output in `out0` and `out1`.
             #[allow(unused_variables)]
+            #[inline(always)]
             pub fn shake128_squeeze_next_block(
                 s: &mut KeccakState,
                 out0: &mut [u8],
@@ -801,6 +843,7 @@ pub mod neon {
             ///
             /// **PANICS** when `N` is not 2, 3, or 4.
             #[allow(unused_variables, non_snake_case)]
+            #[inline(always)]
             fn _shake128_squeezexN<const LEN: usize, const N: usize>(
                 state: &mut [KeccakState; 2],
             ) -> [[u8; LEN]; N] {
@@ -864,6 +907,7 @@ pub mod avx2 {
 
         /// Perform 4 SHAKE256 operations in parallel
         #[allow(unused_variables, clippy::too_many_arguments)] // TODO: decide if we want to fall back here
+        #[inline(always)]
         pub fn shake256(
             input0: &[u8],
             input1: &[u8],
@@ -900,6 +944,7 @@ pub mod avx2 {
         ///
         /// **PANICS** when `N` is not 2, 3, or 4.
         #[allow(unused_variables, non_snake_case)]
+        #[inline(always)]
         fn _shake256xN<const LEN: usize, const N: usize>(input: &[[u8; 33]; N]) -> [[u8; LEN]; N] {
             debug_assert!(N == 2 || N == 3 || N == 4);
             let mut out = [[0u8; LEN]; N];
@@ -985,6 +1030,7 @@ pub mod avx2 {
             pub type KeccakState = [crate::portable::KeccakState; 4];
 
             /// Initialise the [`KeccakState`].
+            #[inline(always)]
             pub fn init() -> KeccakState {
                 #[cfg(not(feature = "simd256"))]
                 unimplemented!();
@@ -1011,6 +1057,7 @@ pub mod avx2 {
             }
 
             /// Absorb
+            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake128_absorb_final(
                 s: &mut KeccakState,
@@ -1048,6 +1095,7 @@ pub mod avx2 {
             }
 
             /// Absorb
+            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake256_absorb_final(
                 s: &mut KeccakState,
@@ -1063,6 +1111,7 @@ pub mod avx2 {
             }
 
             /// Squeeze block
+            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake256_squeeze_first_block(
                 s: &mut KeccakState,
@@ -1078,6 +1127,7 @@ pub mod avx2 {
             }
 
             /// Squeeze next block
+            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake256_squeeze_next_block(
                 s: &mut KeccakState,
@@ -1125,6 +1175,7 @@ pub mod avx2 {
             }
 
             /// Squeeze three blocks
+            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake128_squeeze_first_three_blocks(
                 s: &mut KeccakState,
@@ -1165,6 +1216,7 @@ pub mod avx2 {
             }
 
             /// Squeeze five blocks
+            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake128_squeeze_first_five_blocks(
                 s: &mut KeccakState,
@@ -1234,6 +1286,7 @@ pub mod avx2 {
             }
 
             /// Squeeze another block
+            #[inline(always)]
             #[allow(unused_variables)] // TODO: decide if we want to fall back here
             pub fn shake128_squeeze_next_block(
                 s: &mut KeccakState,
diff --git a/libcrux-sha3/src/simd/avx2.rs b/libcrux-sha3/src/simd/avx2.rs
index 5ccfc10ef..07578e1d1 100644
--- a/libcrux-sha3/src/simd/avx2.rs
+++ b/libcrux-sha3/src/simd/avx2.rs
@@ -1,59 +1,46 @@
 use crate::traits::internal::*;
 use libcrux_intrinsics::avx2::*;
 
-#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[allow(unsafe_code)]
-unsafe fn rotate_left<const LEFT: i32, const RIGHT: i32>(x: Vec256) -> Vec256 {
+#[inline(always)]
+fn rotate_left<const LEFT: i32, const RIGHT: i32>(x: Vec256) -> Vec256 {
     debug_assert!(LEFT + RIGHT == 64);
     // XXX: This could be done more efficiently, if the shift values are multiples of 8.
     mm256_xor_si256(mm256_slli_epi64::<LEFT>(x), mm256_srli_epi64::<RIGHT>(x))
 }
 
-#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[allow(unsafe_code)]
-unsafe fn _veor5q_u64(a: Vec256, b: Vec256, c: Vec256, d: Vec256, e: Vec256) -> Vec256 {
+#[inline(always)]
+fn _veor5q_u64(a: Vec256, b: Vec256, c: Vec256, d: Vec256, e: Vec256) -> Vec256 {
     let ab = mm256_xor_si256(a, b);
     let cd = mm256_xor_si256(c, d);
     let abcd = mm256_xor_si256(ab, cd);
     mm256_xor_si256(abcd, e)
 }
 
-#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[allow(unsafe_code)]
-unsafe fn _vrax1q_u64(a: Vec256, b: Vec256) -> Vec256 {
+#[inline(always)]
+fn _vrax1q_u64(a: Vec256, b: Vec256) -> Vec256 {
     mm256_xor_si256(a, rotate_left::<1, 63>(b))
 }
 
-#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[allow(unsafe_code)]
-unsafe fn _vxarq_u64<const LEFT: i32, const RIGHT: i32>(a: Vec256, b: Vec256) -> Vec256 {
+#[inline(always)]
+fn _vxarq_u64<const LEFT: i32, const RIGHT: i32>(a: Vec256, b: Vec256) -> Vec256 {
     let ab = mm256_xor_si256(a, b);
     rotate_left::<LEFT, RIGHT>(ab)
 }
 
-#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[allow(unsafe_code)]
-unsafe fn _vbcaxq_u64(a: Vec256, b: Vec256, c: Vec256) -> Vec256 {
+#[inline(always)]
+fn _vbcaxq_u64(a: Vec256, b: Vec256, c: Vec256) -> Vec256 {
     mm256_xor_si256(a, mm256_andnot_si256(c, b))
 }
 
-#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[allow(unsafe_code)]
-unsafe fn _veorq_n_u64(a: Vec256, c: u64) -> Vec256 {
+#[inline(always)]
+fn _veorq_n_u64(a: Vec256, c: u64) -> Vec256 {
     // Casting here is required, doesn't change the value.
     let c = mm256_set1_epi64x(c as i64);
     mm256_xor_si256(a, c)
 }
 
-#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[allow(unsafe_code)]
-unsafe fn xor(a: Vec256, b: Vec256) -> Vec256 {
-    mm256_xor_si256(a, b)
-}
-
-#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[allow(unsafe_code)]
-unsafe fn load_block<const RATE: usize>(s: &mut [[Vec256; 5]; 5], blocks: [&[u8]; 4]) {
+#[inline(always)]
+pub(crate) fn load_block<const RATE: usize>(s: &mut [[Vec256; 5]; 5], blocks: [&[u8]; 4]) {
     debug_assert!(RATE <= blocks[0].len() && RATE % 8 == 0 && (RATE % 32 == 8 || RATE % 32 == 16));
     for i in 0..RATE / 32 {
         let v0 = mm256_loadu_si256_u8(&blocks[0][32 * i..32 * (i + 1)]);
@@ -105,24 +92,20 @@ unsafe fn load_block<const RATE: usize>(s: &mut [[Vec256; 5]; 5], blocks: [&[u8]
 }
 
 #[inline(always)]
-#[allow(unsafe_code)]
 pub(crate) fn load_block_full<const RATE: usize>(s: &mut [[Vec256; 5]; 5], blocks: [[u8; 200]; 4]) {
-    unsafe {
-        load_block::<RATE>(
-            s,
-            [
-                &blocks[0] as &[u8],
-                &blocks[1] as &[u8],
-                &blocks[2] as &[u8],
-                &blocks[3] as &[u8],
-            ],
-        )
-    };
+    load_block::<RATE>(
+        s,
+        [
+            &blocks[0] as &[u8],
+            &blocks[1] as &[u8],
+            &blocks[2] as &[u8],
+            &blocks[3] as &[u8],
+        ],
+    );
 }
 
-#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[allow(unsafe_code)]
-unsafe fn store_block<const RATE: usize>(s: &[[Vec256; 5]; 5], out: [&mut [u8]; 4]) {
+#[inline(always)]
+pub(crate) fn store_block<const RATE: usize>(s: &[[Vec256; 5]; 5], out: [&mut [u8]; 4]) {
     for i in 0..RATE / 32 {
         let v0l = mm256_permute2x128_si256::<0x20>(
             s[(4 * i) / 5][(4 * i) % 5],
@@ -176,19 +159,17 @@ unsafe fn store_block<const RATE: usize>(s: &[[Vec256; 5]; 5], out: [&mut [u8];
 }
 
 #[inline(always)]
-#[allow(unsafe_code)]
 pub(crate) fn store_block_full<const RATE: usize>(s: &[[Vec256; 5]; 5]) -> [[u8; 200]; 4] {
     let mut out0 = [0u8; 200];
     let mut out1 = [0u8; 200];
     let mut out2 = [0u8; 200];
     let mut out3 = [0u8; 200];
-    unsafe { store_block::<RATE>(s, [&mut out0, &mut out1, &mut out2, &mut out3]) };
+    store_block::<RATE>(s, [&mut out0, &mut out1, &mut out2, &mut out3]);
     [out0, out1, out2, out3]
 }
 
-#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[allow(unsafe_code)]
-unsafe fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
+#[inline(always)]
+fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
     [
         &a[0][start..start + len],
         &a[1][start..start + len],
@@ -197,9 +178,8 @@ unsafe fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
     ]
 }
 
-#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
-#[allow(unsafe_code)]
-unsafe fn split_at_mut_4(out: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) {
+#[inline(always)]
+fn split_at_mut_4(out: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) {
     let [out0, out1, out2, out3] = out;
     let (out00, out01) = out0.split_at_mut(mid);
     let (out10, out11) = out1.split_at_mut(mid);
@@ -213,75 +193,53 @@ impl KeccakItem<4> for Vec256 {
     fn zero() -> Self {
         mm256_set1_epi64x(0)
     }
-
     #[inline(always)]
-    #[allow(unsafe_code)]
     fn xor5(a: Self, b: Self, c: Self, d: Self, e: Self) -> Self {
-        unsafe { _veor5q_u64(a, b, c, d, e) }
+        _veor5q_u64(a, b, c, d, e)
     }
-
     #[inline(always)]
-    #[allow(unsafe_code)]
     fn rotate_left1_and_xor(a: Self, b: Self) -> Self {
-        unsafe { _vrax1q_u64(a, b) }
+        _vrax1q_u64(a, b)
     }
-
     #[inline(always)]
-    #[allow(unsafe_code)]
     fn xor_and_rotate<const LEFT: i32, const RIGHT: i32>(a: Self, b: Self) -> Self {
-        unsafe { _vxarq_u64::<LEFT, RIGHT>(a, b) }
+        _vxarq_u64::<LEFT, RIGHT>(a, b)
     }
-
     #[inline(always)]
-    #[allow(unsafe_code)]
     fn and_not_xor(a: Self, b: Self, c: Self) -> Self {
-        unsafe { _vbcaxq_u64(a, b, c) }
+        _vbcaxq_u64(a, b, c)
     }
-
     #[inline(always)]
-    #[allow(unsafe_code)]
     fn xor_constant(a: Self, c: u64) -> Self {
-        unsafe { _veorq_n_u64(a, c) }
+        _veorq_n_u64(a, c)
     }
-
     #[inline(always)]
-    #[allow(unsafe_code)]
     fn xor(a: Self, b: Self) -> Self {
-        unsafe { xor(a, b) }
+        mm256_xor_si256(a, b)
     }
-
     #[inline(always)]
-    #[allow(unsafe_code)]
     fn load_block<const RATE: usize>(a: &mut [[Self; 5]; 5], b: [&[u8]; 4]) {
-        unsafe { load_block::<RATE>(a, b) }
+        load_block::<RATE>(a, b)
     }
-
     #[inline(always)]
-    #[allow(unsafe_code)]
     fn store_block<const RATE: usize>(a: &[[Self; 5]; 5], b: [&mut [u8]; 4]) {
-        unsafe { store_block::<RATE>(a, b) }
+        store_block::<RATE>(a, b)
     }
-
     #[inline(always)]
     fn load_block_full<const RATE: usize>(a: &mut [[Self; 5]; 5], b: [[u8; 200]; 4]) {
         load_block_full::<RATE>(a, b)
     }
-
     #[inline(always)]
     fn store_block_full<const RATE: usize>(a: &[[Self; 5]; 5]) -> [[u8; 200]; 4] {
         store_block_full::<RATE>(a)
     }
-
     #[inline(always)]
-    #[allow(unsafe_code)]
     fn slice_n(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
-        unsafe { slice_4(a, start, len) }
+        slice_4(a, start, len)
     }
-
     #[inline(always)]
-    #[allow(unsafe_code)]
     fn split_at_mut_n(a: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) {
-        unsafe { split_at_mut_4(a, mid) }
+        split_at_mut_4(a, mid)
     }
 
     // TODO: Do we need this, or not? cf. https://github.com/cryspen/libcrux/issues/482

From a31e411ce57494f7a7e8c5962c9951a52a62c770 Mon Sep 17 00:00:00 2001
From: Franziskus Kiefer <franziskuskiefer@gmail.com>
Date: Fri, 8 Nov 2024 08:56:13 +0000
Subject: [PATCH 21/22] inline ntt

---
 libcrux-ml-dsa/src/simd/avx2.rs     |  3 +--
 libcrux-ml-dsa/src/simd/avx2/ntt.rs | 16 +++++++++-------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs
index f4236caa2..608f37add 100644
--- a/libcrux-ml-dsa/src/simd/avx2.rs
+++ b/libcrux-ml-dsa/src/simd/avx2.rs
@@ -129,9 +129,8 @@ impl Operations for AVX2SIMDUnit {
     }
 
     #[inline(always)]
-    #[allow(unsafe_code)]
     fn ntt(simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT]) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] {
-        let result = unsafe { ntt::ntt(simd_units.map(|x| x.coefficients)) };
+        let result = ntt::ntt(simd_units.map(|x| x.coefficients));
 
         result.map(|x| x.into())
     }
diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
index 8ae3c9d68..cb84a2933 100644
--- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
@@ -488,16 +488,18 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     ()
 }
 
-#[cfg_attr(not(hax), target_feature(enable = "avx2"))]
 #[allow(unsafe_code)]
-pub(crate) unsafe fn ntt(
+#[inline(always)]
+pub(crate) fn ntt(
     mut re: [Vec256; SIMD_UNITS_IN_RING_ELEMENT],
 ) -> [Vec256; SIMD_UNITS_IN_RING_ELEMENT] {
-    ntt_at_layer_7_and_6(&mut re);
-    ntt_at_layer_5_to_3(&mut re);
-    ntt_at_layer_2(&mut re);
-    ntt_at_layer_1(&mut re);
-    ntt_at_layer_0(&mut re);
+    unsafe {
+        ntt_at_layer_7_and_6(&mut re);
+        ntt_at_layer_5_to_3(&mut re);
+        ntt_at_layer_2(&mut re);
+        ntt_at_layer_1(&mut re);
+        ntt_at_layer_0(&mut re);
+    }
 
     re
 }

From 1cefb79e2e0193ffc4a30bc7f9c74e60dfba7209 Mon Sep 17 00:00:00 2001
From: Franziskus Kiefer <franziskuskiefer@gmail.com>
Date: Fri, 8 Nov 2024 09:48:33 +0000
Subject: [PATCH 22/22] update mlkem C code

---
 libcrux-ml-kem/c/code_gen.txt                 |   8 +-
 libcrux-ml-kem/c/internal/libcrux_core.h      |   8 +-
 .../c/internal/libcrux_mlkem_avx2.h           |   8 +-
 .../c/internal/libcrux_mlkem_portable.h       |   8 +-
 libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h |   8 +-
 .../c/internal/libcrux_sha3_internal.h        |  28 ++-
 libcrux-ml-kem/c/libcrux_core.c               |   8 +-
 libcrux-ml-kem/c/libcrux_core.h               |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem1024.h          |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c     |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h     |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem1024_portable.c |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem1024_portable.h |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem512.h           |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem512_avx2.c      |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem512_avx2.h      |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem512_portable.c  |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem512_portable.h  |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem768.h           |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem768_avx2.c      |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem768_avx2.h      |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem768_portable.c  |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem768_portable.h  |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem_avx2.c         |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem_avx2.h         |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem_portable.c     |   8 +-
 libcrux-ml-kem/c/libcrux_mlkem_portable.h     |   8 +-
 libcrux-ml-kem/c/libcrux_sha3.h               |  68 ++---
 libcrux-ml-kem/c/libcrux_sha3_avx2.c          | 149 +++++------
 libcrux-ml-kem/c/libcrux_sha3_avx2.h          |   8 +-
 libcrux-ml-kem/c/libcrux_sha3_internal.h      |   8 +-
 libcrux-ml-kem/c/libcrux_sha3_neon.c          |  47 ++--
 libcrux-ml-kem/c/libcrux_sha3_neon.h          |   8 +-
 libcrux-ml-kem/cg/code_gen.txt                |   8 +-
 libcrux-ml-kem/cg/libcrux_core.h              |   8 +-
 libcrux-ml-kem/cg/libcrux_ct_ops.h            |   8 +-
 libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h     |   8 +-
 .../cg/libcrux_mlkem768_avx2_types.h          |   8 +-
 libcrux-ml-kem/cg/libcrux_mlkem768_portable.h |   8 +-
 .../cg/libcrux_mlkem768_portable_types.h      |   8 +-
 libcrux-ml-kem/cg/libcrux_sha3_avx2.h         | 237 ++++++++++--------
 libcrux-ml-kem/cg/libcrux_sha3_portable.h     | 132 +++++-----
 42 files changed, 502 insertions(+), 447 deletions(-)

diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt
index a9f0fcd1a..8499b9238 100644
--- a/libcrux-ml-kem/c/code_gen.txt
+++ b/libcrux-ml-kem/c/code_gen.txt
@@ -1,6 +1,6 @@
 This code was generated with the following revisions:
-Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
-Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
-F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
-Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h
index a6219b29c..7f5862bfb 100644
--- a/libcrux-ml-kem/c/internal/libcrux_core.h
+++ b/libcrux-ml-kem/c/internal/libcrux_core.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __internal_libcrux_core_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
index 122098dd0..57c7e9008 100644
--- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
+++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __internal_libcrux_mlkem_avx2_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
index fe31b4dfe..59bc0be6d 100644
--- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
+++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __internal_libcrux_mlkem_portable_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h
index 822ba71c9..4154d969b 100644
--- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __internal_libcrux_sha3_avx2_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h
index c033eebf3..ee6a37d9b 100644
--- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h
+++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __internal_libcrux_sha3_internal_H
@@ -27,7 +27,7 @@ typedef libcrux_sha3_generic_keccak_KeccakState_17
 /**
  Create a new SHAKE-128 state object.
 */
-static inline libcrux_sha3_generic_keccak_KeccakState_17
+static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17
 libcrux_sha3_portable_incremental_shake128_init(void) {
   return libcrux_sha3_generic_keccak_new_89_04();
 }
@@ -35,7 +35,8 @@ libcrux_sha3_portable_incremental_shake128_init(void) {
 /**
  Absorb
 */
-static inline void libcrux_sha3_portable_incremental_shake128_absorb_final(
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake128_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data0) {
   Eurydice_slice buf[1U] = {data0};
   libcrux_sha3_generic_keccak_absorb_final_9e(s, buf);
@@ -44,7 +45,7 @@ static inline void libcrux_sha3_portable_incremental_shake128_absorb_final(
 /**
  Squeeze another block
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
   Eurydice_slice buf[1U] = {out0};
@@ -81,7 +82,7 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6(
 /**
  Squeeze three blocks
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
   Eurydice_slice buf[1U] = {out0};
@@ -184,7 +185,7 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_c6(
 /**
  Squeeze five blocks
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
   Eurydice_slice buf[1U] = {out0};
@@ -194,7 +195,8 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
 /**
  Absorb some data for SHAKE-256 for the last time
 */
-static inline void libcrux_sha3_portable_incremental_shake256_absorb_final(
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake256_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data) {
   Eurydice_slice buf[1U] = {data};
   libcrux_sha3_generic_keccak_absorb_final_9e0(s, buf);
@@ -203,7 +205,7 @@ static inline void libcrux_sha3_portable_incremental_shake256_absorb_final(
 /**
  Create a new SHAKE-256 state object.
 */
-static inline libcrux_sha3_generic_keccak_KeccakState_17
+static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17
 libcrux_sha3_portable_incremental_shake256_init(void) {
   return libcrux_sha3_generic_keccak_new_89_04();
 }
@@ -211,7 +213,7 @@ libcrux_sha3_portable_incremental_shake256_init(void) {
 /**
  Squeeze the first SHAKE-256 block
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) {
   Eurydice_slice buf[1U] = {out};
@@ -221,7 +223,7 @@ libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
 /**
  Squeeze the next SHAKE-256 block
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_portable_incremental_shake256_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) {
   Eurydice_slice buf[1U] = {out};
diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c
index 380560655..1ca124a33 100644
--- a/libcrux-ml-kem/c/libcrux_core.c
+++ b/libcrux-ml-kem/c/libcrux_core.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "internal/libcrux_core.h"
diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h
index a9ea4ae31..c6e16c759 100644
--- a/libcrux-ml-kem/c/libcrux_core.h
+++ b/libcrux-ml-kem/c/libcrux_core.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_core_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h
index 2a1bac2bc..17224c4b8 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem1024_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
index e998b91fa..90ad418e8 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_mlkem1024_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
index c6b5f62bf..7793d845c 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem1024_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
index 575ffc15b..777087e3e 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_mlkem1024_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
index 623f86b6a..0d385ff7f 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem1024_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h
index e50855804..8b9ba74b4 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem512_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
index b45918ce0..6e7b7232a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_mlkem512_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
index a24272f38..0cfb59f30 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem512_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
index 1aca3e46a..be7835ad5 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_mlkem512_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
index 82f656696..948e81ea1 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem512_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h
index 4c486fa96..f6e24fa88 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem768_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
index 7754cb2d5..a45904109 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_mlkem768_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
index b0f6e449c..1487a3e64 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem768_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
index cadac4f79..1396149db 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_mlkem768_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
index 58f4deb7e..89e860721 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem768_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
index 450e14514..dd14a27bf 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "internal/libcrux_mlkem_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
index b072c10b8..81fceac23 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c
index 5ada2704e..5cd8bb2ee 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "internal/libcrux_mlkem_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h
index 6750e40b5..0ed288fba 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h
index 4f9736e53..ae0487c65 100644
--- a/libcrux-ml-kem/c/libcrux_sha3.h
+++ b/libcrux-ml-kem/c/libcrux_sha3.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_sha3_H
@@ -25,8 +25,8 @@ extern "C" {
 /**
  A portable SHA3 512 implementation.
 */
-static inline void libcrux_sha3_portable_sha512(Eurydice_slice digest,
-                                                Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_96(buf0, buf);
@@ -35,8 +35,8 @@ static inline void libcrux_sha3_portable_sha512(Eurydice_slice digest,
 /**
  A portable SHA3 256 implementation.
 */
-static inline void libcrux_sha3_portable_sha256(Eurydice_slice digest,
-                                                Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_ad(buf0, buf);
@@ -45,8 +45,8 @@ static inline void libcrux_sha3_portable_sha256(Eurydice_slice digest,
 /**
  A portable SHAKE256 implementation.
 */
-static inline void libcrux_sha3_portable_shake256(Eurydice_slice digest,
-                                                  Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_shake256(
+    Eurydice_slice digest, Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_ad0(buf0, buf);
@@ -55,8 +55,8 @@ static inline void libcrux_sha3_portable_shake256(Eurydice_slice digest,
 /**
  A portable SHA3 224 implementation.
 */
-static inline void libcrux_sha3_portable_sha224(Eurydice_slice digest,
-                                                Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_1e(buf0, buf);
@@ -65,8 +65,8 @@ static inline void libcrux_sha3_portable_sha224(Eurydice_slice digest,
 /**
  A portable SHA3 384 implementation.
 */
-static inline void libcrux_sha3_portable_sha384(Eurydice_slice digest,
-                                                Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_7c(buf0, buf);
@@ -78,15 +78,16 @@ static inline void libcrux_sha3_portable_sha384(Eurydice_slice digest,
  Preconditions:
  - `digest.len() == 28`
 */
-static inline void libcrux_sha3_sha224_ema(Eurydice_slice digest,
-                                           Eurydice_slice payload) {
+static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
   libcrux_sha3_portable_sha224(digest, payload);
 }
 
 /**
  SHA3 224
 */
-static inline void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) {
+static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data,
+                                                uint8_t ret[28U]) {
   uint8_t out[28U] = {0U};
   libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t),
                           data);
@@ -96,15 +97,16 @@ static inline void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) {
 /**
  SHA3 256
 */
-static inline void libcrux_sha3_sha256_ema(Eurydice_slice digest,
-                                           Eurydice_slice payload) {
+static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
   libcrux_sha3_portable_sha256(digest, payload);
 }
 
 /**
  SHA3 256
 */
-static inline void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) {
+static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data,
+                                                uint8_t ret[32U]) {
   uint8_t out[32U] = {0U};
   libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t),
                           data);
@@ -114,15 +116,16 @@ static inline void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) {
 /**
  SHA3 384
 */
-static inline void libcrux_sha3_sha384_ema(Eurydice_slice digest,
-                                           Eurydice_slice payload) {
+static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
   libcrux_sha3_portable_sha384(digest, payload);
 }
 
 /**
  SHA3 384
 */
-static inline void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) {
+static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data,
+                                                uint8_t ret[48U]) {
   uint8_t out[48U] = {0U};
   libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t),
                           data);
@@ -132,15 +135,16 @@ static inline void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) {
 /**
  SHA3 512
 */
-static inline void libcrux_sha3_sha512_ema(Eurydice_slice digest,
-                                           Eurydice_slice payload) {
+static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
   libcrux_sha3_portable_sha512(digest, payload);
 }
 
 /**
  SHA3 512
 */
-static inline void libcrux_sha3_sha512(Eurydice_slice data, uint8_t ret[64U]) {
+static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data,
+                                                uint8_t ret[64U]) {
   uint8_t out[64U] = {0U};
   libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t),
                           data);
@@ -150,8 +154,8 @@ static inline void libcrux_sha3_sha512(Eurydice_slice data, uint8_t ret[64U]) {
 /**
  A portable SHAKE128 implementation.
 */
-static inline void libcrux_sha3_portable_shake128(Eurydice_slice digest,
-                                                  Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_shake128(
+    Eurydice_slice digest, Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_c6(buf0, buf);
@@ -162,8 +166,8 @@ static inline void libcrux_sha3_portable_shake128(Eurydice_slice digest,
 
  Writes `out.len()` bytes.
 */
-static inline void libcrux_sha3_shake128_ema(Eurydice_slice out,
-                                             Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out,
+                                                      Eurydice_slice data) {
   libcrux_sha3_portable_shake128(out, data);
 }
 
@@ -172,8 +176,8 @@ static inline void libcrux_sha3_shake128_ema(Eurydice_slice out,
 
  Writes `out.len()` bytes.
 */
-static inline void libcrux_sha3_shake256_ema(Eurydice_slice out,
-                                             Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out,
+                                                      Eurydice_slice data) {
   libcrux_sha3_portable_shake256(out, data);
 }
 
diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c
index 7fc037744..6bb8c32bd 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "internal/libcrux_sha3_avx2.h"
@@ -23,8 +23,8 @@ static KRML_MUSTINLINE __m256i zero_ef(void) {
   return mm256_set1_epi64x((int64_t)0);
 }
 
-static __m256i _veor5q_u64(__m256i a, __m256i b, __m256i c, __m256i d,
-                           __m256i e) {
+static KRML_MUSTINLINE __m256i _veor5q_u64(__m256i a, __m256i b, __m256i c,
+                                           __m256i d, __m256i e) {
   __m256i ab = mm256_xor_si256(a, b);
   __m256i cd = mm256_xor_si256(c, d);
   __m256i abcd = mm256_xor_si256(ab, cd);
@@ -46,12 +46,12 @@ with const generics
 - LEFT= 1
 - RIGHT= 63
 */
-static __m256i rotate_left_76(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_76(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)1, x, __m256i),
                          mm256_srli_epi64((int32_t)63, x, __m256i));
 }
 
-static __m256i _vrax1q_u64(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vrax1q_u64(__m256i a, __m256i b) {
   __m256i uu____0 = a;
   return mm256_xor_si256(uu____0, rotate_left_76(b));
 }
@@ -64,7 +64,7 @@ static KRML_MUSTINLINE __m256i rotate_left1_and_xor_ef(__m256i a, __m256i b) {
   return _vrax1q_u64(a, b);
 }
 
-static __m256i _vbcaxq_u64(__m256i a, __m256i b, __m256i c) {
+static KRML_MUSTINLINE __m256i _vbcaxq_u64(__m256i a, __m256i b, __m256i c) {
   return mm256_xor_si256(a, mm256_andnot_si256(c, b));
 }
 
@@ -76,7 +76,7 @@ static KRML_MUSTINLINE __m256i and_not_xor_ef(__m256i a, __m256i b, __m256i c) {
   return _vbcaxq_u64(a, b, c);
 }
 
-static __m256i _veorq_n_u64(__m256i a, uint64_t c) {
+static KRML_MUSTINLINE __m256i _veorq_n_u64(__m256i a, uint64_t c) {
   __m256i c0 = mm256_set1_epi64x(
       (int64_t) /* Casting here is required, doesn't change the value. */ c);
   return mm256_xor_si256(a, c0);
@@ -90,18 +90,16 @@ static KRML_MUSTINLINE __m256i xor_constant_ef(__m256i a, uint64_t c) {
   return _veorq_n_u64(a, c);
 }
 
-static __m256i xor0(__m256i a, __m256i b) { return mm256_xor_si256(a, b); }
-
 /**
 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
 usize> for core::core_arch::x86::__m256i)}
 */
 static KRML_MUSTINLINE __m256i xor_ef(__m256i a, __m256i b) {
-  return xor0(a, b);
+  return mm256_xor_si256(a, b);
 }
 
-static void slice_4(Eurydice_slice a[4U], size_t start, size_t len,
-                    Eurydice_slice ret[4U]) {
+static KRML_MUSTINLINE void slice_4(Eurydice_slice a[4U], size_t start,
+                                    size_t len, Eurydice_slice ret[4U]) {
   ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t);
   ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t);
   ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t);
@@ -122,8 +120,8 @@ static KRML_MUSTINLINE void slice_n_ef(Eurydice_slice a[4U], size_t start,
   memcpy(ret, ret0, (size_t)4U * sizeof(Eurydice_slice));
 }
 
-static Eurydice_slice_uint8_t_4size_t__x2 split_at_mut_4(Eurydice_slice out[4U],
-                                                         size_t mid) {
+static KRML_MUSTINLINE Eurydice_slice_uint8_t_4size_t__x2
+split_at_mut_4(Eurydice_slice out[4U], size_t mid) {
   Eurydice_slice out0 = out[0U];
   Eurydice_slice out1 = out[1U];
   Eurydice_slice out2 = out[2U];
@@ -214,7 +212,8 @@ A monomorphic instance of libcrux_sha3.simd.avx2.load_block
 with const generics
 - RATE= 136
 */
-static void load_block_5b(__m256i (*s)[5U], Eurydice_slice blocks[4U]) {
+static KRML_MUSTINLINE void load_block_5b(__m256i (*s)[5U],
+                                          Eurydice_slice blocks[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
     size_t i0 = i;
     __m256i v00 = mm256_loadu_si256_u8(
@@ -348,7 +347,7 @@ with const generics
 - LEFT= 36
 - RIGHT= 28
 */
-static __m256i rotate_left_02(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_02(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)36, x, __m256i),
                          mm256_srli_epi64((int32_t)28, x, __m256i));
 }
@@ -359,7 +358,7 @@ with const generics
 - LEFT= 36
 - RIGHT= 28
 */
-static __m256i _vxarq_u64_02(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_02(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_02(ab);
 }
@@ -384,7 +383,7 @@ with const generics
 - LEFT= 3
 - RIGHT= 61
 */
-static __m256i rotate_left_ac(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_ac(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)3, x, __m256i),
                          mm256_srli_epi64((int32_t)61, x, __m256i));
 }
@@ -395,7 +394,7 @@ with const generics
 - LEFT= 3
 - RIGHT= 61
 */
-static __m256i _vxarq_u64_ac(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_ac(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_ac(ab);
 }
@@ -420,7 +419,7 @@ with const generics
 - LEFT= 41
 - RIGHT= 23
 */
-static __m256i rotate_left_020(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_020(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)41, x, __m256i),
                          mm256_srli_epi64((int32_t)23, x, __m256i));
 }
@@ -431,7 +430,7 @@ with const generics
 - LEFT= 41
 - RIGHT= 23
 */
-static __m256i _vxarq_u64_020(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_020(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_020(ab);
 }
@@ -456,7 +455,7 @@ with const generics
 - LEFT= 18
 - RIGHT= 46
 */
-static __m256i rotate_left_a9(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_a9(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)18, x, __m256i),
                          mm256_srli_epi64((int32_t)46, x, __m256i));
 }
@@ -467,7 +466,7 @@ with const generics
 - LEFT= 18
 - RIGHT= 46
 */
-static __m256i _vxarq_u64_a9(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_a9(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_a9(ab);
 }
@@ -492,7 +491,7 @@ with const generics
 - LEFT= 1
 - RIGHT= 63
 */
-static __m256i _vxarq_u64_76(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_76(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_76(ab);
 }
@@ -517,7 +516,7 @@ with const generics
 - LEFT= 44
 - RIGHT= 20
 */
-static __m256i rotate_left_58(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_58(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)44, x, __m256i),
                          mm256_srli_epi64((int32_t)20, x, __m256i));
 }
@@ -528,7 +527,7 @@ with const generics
 - LEFT= 44
 - RIGHT= 20
 */
-static __m256i _vxarq_u64_58(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_58(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_58(ab);
 }
@@ -553,7 +552,7 @@ with const generics
 - LEFT= 10
 - RIGHT= 54
 */
-static __m256i rotate_left_e0(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_e0(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)10, x, __m256i),
                          mm256_srli_epi64((int32_t)54, x, __m256i));
 }
@@ -564,7 +563,7 @@ with const generics
 - LEFT= 10
 - RIGHT= 54
 */
-static __m256i _vxarq_u64_e0(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_e0(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_e0(ab);
 }
@@ -589,7 +588,7 @@ with const generics
 - LEFT= 45
 - RIGHT= 19
 */
-static __m256i rotate_left_63(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_63(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)45, x, __m256i),
                          mm256_srli_epi64((int32_t)19, x, __m256i));
 }
@@ -600,7 +599,7 @@ with const generics
 - LEFT= 45
 - RIGHT= 19
 */
-static __m256i _vxarq_u64_63(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_63(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_63(ab);
 }
@@ -625,7 +624,7 @@ with const generics
 - LEFT= 2
 - RIGHT= 62
 */
-static __m256i rotate_left_6a(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_6a(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)2, x, __m256i),
                          mm256_srli_epi64((int32_t)62, x, __m256i));
 }
@@ -636,7 +635,7 @@ with const generics
 - LEFT= 2
 - RIGHT= 62
 */
-static __m256i _vxarq_u64_6a(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_6a(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_6a(ab);
 }
@@ -661,7 +660,7 @@ with const generics
 - LEFT= 62
 - RIGHT= 2
 */
-static __m256i rotate_left_ab(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_ab(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)62, x, __m256i),
                          mm256_srli_epi64((int32_t)2, x, __m256i));
 }
@@ -672,7 +671,7 @@ with const generics
 - LEFT= 62
 - RIGHT= 2
 */
-static __m256i _vxarq_u64_ab(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_ab(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_ab(ab);
 }
@@ -697,7 +696,7 @@ with const generics
 - LEFT= 6
 - RIGHT= 58
 */
-static __m256i rotate_left_5b(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_5b(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)6, x, __m256i),
                          mm256_srli_epi64((int32_t)58, x, __m256i));
 }
@@ -708,7 +707,7 @@ with const generics
 - LEFT= 6
 - RIGHT= 58
 */
-static __m256i _vxarq_u64_5b(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_5b(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_5b(ab);
 }
@@ -733,7 +732,7 @@ with const generics
 - LEFT= 43
 - RIGHT= 21
 */
-static __m256i rotate_left_6f(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_6f(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)43, x, __m256i),
                          mm256_srli_epi64((int32_t)21, x, __m256i));
 }
@@ -744,7 +743,7 @@ with const generics
 - LEFT= 43
 - RIGHT= 21
 */
-static __m256i _vxarq_u64_6f(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_6f(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_6f(ab);
 }
@@ -769,7 +768,7 @@ with const generics
 - LEFT= 15
 - RIGHT= 49
 */
-static __m256i rotate_left_62(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_62(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)15, x, __m256i),
                          mm256_srli_epi64((int32_t)49, x, __m256i));
 }
@@ -780,7 +779,7 @@ with const generics
 - LEFT= 15
 - RIGHT= 49
 */
-static __m256i _vxarq_u64_62(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_62(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_62(ab);
 }
@@ -805,7 +804,7 @@ with const generics
 - LEFT= 61
 - RIGHT= 3
 */
-static __m256i rotate_left_23(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_23(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)61, x, __m256i),
                          mm256_srli_epi64((int32_t)3, x, __m256i));
 }
@@ -816,7 +815,7 @@ with const generics
 - LEFT= 61
 - RIGHT= 3
 */
-static __m256i _vxarq_u64_23(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_23(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_23(ab);
 }
@@ -841,7 +840,7 @@ with const generics
 - LEFT= 28
 - RIGHT= 36
 */
-static __m256i rotate_left_37(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_37(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)28, x, __m256i),
                          mm256_srli_epi64((int32_t)36, x, __m256i));
 }
@@ -852,7 +851,7 @@ with const generics
 - LEFT= 28
 - RIGHT= 36
 */
-static __m256i _vxarq_u64_37(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_37(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_37(ab);
 }
@@ -877,7 +876,7 @@ with const generics
 - LEFT= 55
 - RIGHT= 9
 */
-static __m256i rotate_left_bb(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_bb(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)55, x, __m256i),
                          mm256_srli_epi64((int32_t)9, x, __m256i));
 }
@@ -888,7 +887,7 @@ with const generics
 - LEFT= 55
 - RIGHT= 9
 */
-static __m256i _vxarq_u64_bb(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_bb(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_bb(ab);
 }
@@ -913,7 +912,7 @@ with const generics
 - LEFT= 25
 - RIGHT= 39
 */
-static __m256i rotate_left_b9(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_b9(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)25, x, __m256i),
                          mm256_srli_epi64((int32_t)39, x, __m256i));
 }
@@ -924,7 +923,7 @@ with const generics
 - LEFT= 25
 - RIGHT= 39
 */
-static __m256i _vxarq_u64_b9(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_b9(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_b9(ab);
 }
@@ -949,7 +948,7 @@ with const generics
 - LEFT= 21
 - RIGHT= 43
 */
-static __m256i rotate_left_54(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_54(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)21, x, __m256i),
                          mm256_srli_epi64((int32_t)43, x, __m256i));
 }
@@ -960,7 +959,7 @@ with const generics
 - LEFT= 21
 - RIGHT= 43
 */
-static __m256i _vxarq_u64_54(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_54(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_54(ab);
 }
@@ -985,7 +984,7 @@ with const generics
 - LEFT= 56
 - RIGHT= 8
 */
-static __m256i rotate_left_4c(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_4c(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)56, x, __m256i),
                          mm256_srli_epi64((int32_t)8, x, __m256i));
 }
@@ -996,7 +995,7 @@ with const generics
 - LEFT= 56
 - RIGHT= 8
 */
-static __m256i _vxarq_u64_4c(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_4c(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_4c(ab);
 }
@@ -1021,7 +1020,7 @@ with const generics
 - LEFT= 27
 - RIGHT= 37
 */
-static __m256i rotate_left_ce(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_ce(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)27, x, __m256i),
                          mm256_srli_epi64((int32_t)37, x, __m256i));
 }
@@ -1032,7 +1031,7 @@ with const generics
 - LEFT= 27
 - RIGHT= 37
 */
-static __m256i _vxarq_u64_ce(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_ce(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_ce(ab);
 }
@@ -1057,7 +1056,7 @@ with const generics
 - LEFT= 20
 - RIGHT= 44
 */
-static __m256i rotate_left_77(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_77(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)20, x, __m256i),
                          mm256_srli_epi64((int32_t)44, x, __m256i));
 }
@@ -1068,7 +1067,7 @@ with const generics
 - LEFT= 20
 - RIGHT= 44
 */
-static __m256i _vxarq_u64_77(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_77(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_77(ab);
 }
@@ -1093,7 +1092,7 @@ with const generics
 - LEFT= 39
 - RIGHT= 25
 */
-static __m256i rotate_left_25(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_25(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)39, x, __m256i),
                          mm256_srli_epi64((int32_t)25, x, __m256i));
 }
@@ -1104,7 +1103,7 @@ with const generics
 - LEFT= 39
 - RIGHT= 25
 */
-static __m256i _vxarq_u64_25(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_25(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_25(ab);
 }
@@ -1129,7 +1128,7 @@ with const generics
 - LEFT= 8
 - RIGHT= 56
 */
-static __m256i rotate_left_af(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_af(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)8, x, __m256i),
                          mm256_srli_epi64((int32_t)56, x, __m256i));
 }
@@ -1140,7 +1139,7 @@ with const generics
 - LEFT= 8
 - RIGHT= 56
 */
-static __m256i _vxarq_u64_af(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_af(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_af(ab);
 }
@@ -1165,7 +1164,7 @@ with const generics
 - LEFT= 14
 - RIGHT= 50
 */
-static __m256i rotate_left_fd(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_fd(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)14, x, __m256i),
                          mm256_srli_epi64((int32_t)50, x, __m256i));
 }
@@ -1176,7 +1175,7 @@ with const generics
 - LEFT= 14
 - RIGHT= 50
 */
-static __m256i _vxarq_u64_fd(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_fd(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_fd(ab);
 }
@@ -1422,7 +1421,8 @@ A monomorphic instance of libcrux_sha3.simd.avx2.store_block
 with const generics
 - RATE= 136
 */
-static void store_block_5b(__m256i (*s)[5U], Eurydice_slice out[4U]) {
+static KRML_MUSTINLINE void store_block_5b(__m256i (*s)[5U],
+                                           Eurydice_slice out[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
     size_t i0 = i;
     __m256i v0l = mm256_permute2x128_si256(
@@ -1775,7 +1775,8 @@ A monomorphic instance of libcrux_sha3.simd.avx2.load_block
 with const generics
 - RATE= 168
 */
-static void load_block_3a(__m256i (*s)[5U], Eurydice_slice blocks[4U]) {
+static KRML_MUSTINLINE void load_block_3a(__m256i (*s)[5U],
+                                          Eurydice_slice blocks[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) {
     size_t i0 = i;
     __m256i v00 = mm256_loadu_si256_u8(
@@ -1961,7 +1962,8 @@ A monomorphic instance of libcrux_sha3.simd.avx2.store_block
 with const generics
 - RATE= 168
 */
-static void store_block_3a(__m256i (*s)[5U], Eurydice_slice out[4U]) {
+static KRML_MUSTINLINE void store_block_3a(__m256i (*s)[5U],
+                                           Eurydice_slice out[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) {
     size_t i0 = i;
     __m256i v0l = mm256_permute2x128_si256(
@@ -2205,7 +2207,8 @@ static KRML_MUSTINLINE void squeeze_first_five_blocks_97(
 /**
  Squeeze five blocks
 */
-void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
+KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
   Eurydice_slice buf[4U] = {out0, out1, out2, out3};
@@ -2215,7 +2218,7 @@ void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
 /**
  Absorb
 */
-void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
+KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0,
     Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) {
   Eurydice_slice buf[4U] = {data0, data1, data2, data3};
@@ -2225,7 +2228,8 @@ void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
 /**
  Squeeze block
 */
-void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
+KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
   Eurydice_slice buf[4U] = {out0, out1, out2, out3};
@@ -2235,7 +2239,8 @@ void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
 /**
  Squeeze next block
 */
-void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block(
+KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
   Eurydice_slice buf[4U] = {out0, out1, out2, out3};
diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h
index b13fc4697..6abfa8697 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_sha3_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h
index 44ee7755b..f204ff714 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_internal.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_sha3_internal_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.c b/libcrux-ml-kem/c/libcrux_sha3_neon.c
index 527fa850b..ab9ae179a 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_sha3_neon.h"
@@ -16,7 +16,8 @@
 /**
  A portable SHA3 224 implementation.
 */
-void libcrux_sha3_neon_sha224(Eurydice_slice digest, Eurydice_slice data) {
+KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest,
+                                              Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -25,7 +26,8 @@ void libcrux_sha3_neon_sha224(Eurydice_slice digest, Eurydice_slice data) {
 /**
  A portable SHA3 256 implementation.
 */
-void libcrux_sha3_neon_sha256(Eurydice_slice digest, Eurydice_slice data) {
+KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest,
+                                              Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -34,7 +36,8 @@ void libcrux_sha3_neon_sha256(Eurydice_slice digest, Eurydice_slice data) {
 /**
  A portable SHA3 384 implementation.
 */
-void libcrux_sha3_neon_sha384(Eurydice_slice digest, Eurydice_slice data) {
+KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest,
+                                              Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -43,7 +46,8 @@ void libcrux_sha3_neon_sha384(Eurydice_slice digest, Eurydice_slice data) {
 /**
  A portable SHA3 512 implementation.
 */
-void libcrux_sha3_neon_sha512(Eurydice_slice digest, Eurydice_slice data) {
+KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest,
+                                              Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -54,8 +58,10 @@ void libcrux_sha3_neon_sha512(Eurydice_slice digest, Eurydice_slice data) {
 
  Writes the two results into `out0` and `out1`
 */
-void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, Eurydice_slice input1,
-                                   Eurydice_slice out0, Eurydice_slice out1) {
+KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0,
+                                                   Eurydice_slice input1,
+                                                   Eurydice_slice out0,
+                                                   Eurydice_slice out1) {
   /* TODO: make argument ordering consistent */
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
@@ -65,7 +71,7 @@ void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, Eurydice_slice input1,
 /**
  Initialise the `KeccakState2`.
 */
-libcrux_sha3_neon_x2_incremental_KeccakState
+KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState
 libcrux_sha3_neon_x2_incremental_init(void) {
   /* XXX: These functions could alternatively implement the same with the
    * portable implementation { let s0 = KeccakState::new(); let s1 =
@@ -78,7 +84,7 @@ libcrux_sha3_neon_x2_incremental_init(void) {
 /**
  Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`.
 */
-void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
+KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
     Eurydice_slice data1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -94,7 +100,8 @@ void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
  Squeeze 2 times the first three blocks in parallel in the
  [`KeccakState`] and return the output in `out0` and `out1`.
 */
-void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
+KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -110,7 +117,8 @@ void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
  Squeeze 2 times the next block in parallel in the
  [`KeccakState`] and return the output in `out0` and `out1`.
 */
-void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
+KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -125,7 +133,8 @@ void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
 /**
  Squeeze five blocks
 */
-void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
+KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
@@ -136,7 +145,7 @@ void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
 /**
  Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`.
 */
-void libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
+KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
     Eurydice_slice data1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -151,7 +160,8 @@ void libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
 /**
  Squeeze block
 */
-void libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
+KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
@@ -162,7 +172,8 @@ void libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
 /**
  Squeeze next block
 */
-void libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block(
+KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.h b/libcrux-ml-kem/c/libcrux_sha3_neon.h
index 0fda1a76f..e53786c98 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_sha3_neon_H
diff --git a/libcrux-ml-kem/cg/code_gen.txt b/libcrux-ml-kem/cg/code_gen.txt
index ec74b2b30..8499b9238 100644
--- a/libcrux-ml-kem/cg/code_gen.txt
+++ b/libcrux-ml-kem/cg/code_gen.txt
@@ -1,6 +1,6 @@
 This code was generated with the following revisions:
-Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
-Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
-F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
-Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h
index b96c41ebd..0855ea040 100644
--- a/libcrux-ml-kem/cg/libcrux_core.h
+++ b/libcrux-ml-kem/cg/libcrux_core.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_core_H
diff --git a/libcrux-ml-kem/cg/libcrux_ct_ops.h b/libcrux-ml-kem/cg/libcrux_ct_ops.h
index 5c325dd1c..e5c8b4a89 100644
--- a/libcrux-ml-kem/cg/libcrux_ct_ops.h
+++ b/libcrux-ml-kem/cg/libcrux_ct_ops.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_ct_ops_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
index 30f56aa6c..178061ffb 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem768_avx2_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h
index 7bf29c82c..7c6012c47 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem768_avx2_types_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
index 4968a4688..ed2d45bf4 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem768_portable_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h
index c5ed62a6d..1d9e30625 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem768_portable_types_H
diff --git a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
index c3db3f651..35fa95616 100644
--- a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_sha3_avx2_H
@@ -33,9 +33,8 @@ static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_zero_ef(void) {
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__veor5q_u64(__m256i a, __m256i b,
-                                                         __m256i c, __m256i d,
-                                                         __m256i e) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__veor5q_u64(
+    __m256i a, __m256i b, __m256i c, __m256i d, __m256i e) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   __m256i cd = libcrux_intrinsics_avx2_mm256_xor_si256(c, d);
   __m256i abcd = libcrux_intrinsics_avx2_mm256_xor_si256(ab, cd);
@@ -59,14 +58,16 @@ with const generics
 - RIGHT= 63
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_76(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_76(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)1, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)63, x, __m256i));
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vrax1q_u64(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vrax1q_u64(__m256i a,
+                                                                  __m256i b) {
   __m256i uu____0 = a;
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       uu____0, libcrux_sha3_simd_avx2_rotate_left_76(b));
@@ -83,8 +84,9 @@ libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef(__m256i a, __m256i b) {
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vbcaxq_u64(__m256i a, __m256i b,
-                                                         __m256i c) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vbcaxq_u64(__m256i a,
+                                                                  __m256i b,
+                                                                  __m256i c) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       a, libcrux_intrinsics_avx2_mm256_andnot_si256(c, b));
 }
@@ -100,8 +102,8 @@ libcrux_sha3_simd_avx2_and_not_xor_ef(__m256i a, __m256i b, __m256i c) {
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__veorq_n_u64(__m256i a,
-                                                          uint64_t c) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__veorq_n_u64(__m256i a,
+                                                                   uint64_t c) {
   __m256i c0 = libcrux_intrinsics_avx2_mm256_set1_epi64x(
       (int64_t) /* Casting here is required, doesn't change the value. */
       c);
@@ -118,11 +120,6 @@ libcrux_sha3_simd_avx2_xor_constant_ef(__m256i a, uint64_t c) {
   return libcrux_sha3_simd_avx2__veorq_n_u64(a, c);
 }
 
-KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_xor(__m256i a, __m256i b) {
-  return libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
-}
-
 /**
 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
 usize> for core::core_arch::x86::__m256i)}
@@ -130,13 +127,12 @@ usize> for core::core_arch::x86::__m256i)}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_xor_ef(__m256i a,
                                                              __m256i b) {
-  return libcrux_sha3_simd_avx2_xor(a, b);
+  return libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_sha3_simd_avx2_slice_4(Eurydice_slice a[4U],
-                                                  size_t start, size_t len,
-                                                  Eurydice_slice ret[4U]) {
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_4(
+    Eurydice_slice a[4U], size_t start, size_t len, Eurydice_slice ret[4U]) {
   ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t);
   ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t);
   ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t);
@@ -159,7 +155,7 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_n_ef(
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline Eurydice_slice_uint8_t_4size_t__x2
+static KRML_MUSTINLINE Eurydice_slice_uint8_t_4size_t__x2
 libcrux_sha3_simd_avx2_split_at_mut_4(Eurydice_slice out[4U], size_t mid) {
   Eurydice_slice out0 = out[0U];
   Eurydice_slice out1 = out[1U];
@@ -264,7 +260,7 @@ with const generics
 - RATE= 136
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_sha3_simd_avx2_load_block_5b(
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_5b(
     __m256i (*s)[5U], Eurydice_slice blocks[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
     size_t i0 = i;
@@ -410,7 +406,8 @@ with const generics
 - RIGHT= 28
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_02(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_02(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)36, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)28, x, __m256i));
@@ -423,8 +420,8 @@ with const generics
 - RIGHT= 28
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_02(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_02(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_02(ab);
 }
@@ -452,7 +449,8 @@ with const generics
 - RIGHT= 61
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_ac(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_ac(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)3, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)61, x, __m256i));
@@ -465,8 +463,8 @@ with const generics
 - RIGHT= 61
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_ac(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ac(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_ac(ab);
 }
@@ -494,7 +492,8 @@ with const generics
 - RIGHT= 23
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_020(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_020(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)41, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)23, x, __m256i));
@@ -507,8 +506,8 @@ with const generics
 - RIGHT= 23
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_020(__m256i a,
-                                                            __m256i b) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2__vxarq_u64_020(__m256i a, __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_020(ab);
 }
@@ -536,7 +535,8 @@ with const generics
 - RIGHT= 46
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_a9(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_a9(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)18, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)46, x, __m256i));
@@ -549,8 +549,8 @@ with const generics
 - RIGHT= 46
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_a9(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_a9(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_a9(ab);
 }
@@ -578,8 +578,8 @@ with const generics
 - RIGHT= 63
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_76(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_76(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_76(ab);
 }
@@ -607,7 +607,8 @@ with const generics
 - RIGHT= 20
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_58(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_58(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)44, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)20, x, __m256i));
@@ -620,8 +621,8 @@ with const generics
 - RIGHT= 20
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_58(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_58(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_58(ab);
 }
@@ -649,7 +650,8 @@ with const generics
 - RIGHT= 54
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_e0(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_e0(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)10, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)54, x, __m256i));
@@ -662,8 +664,8 @@ with const generics
 - RIGHT= 54
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_e0(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_e0(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_e0(ab);
 }
@@ -691,7 +693,8 @@ with const generics
 - RIGHT= 19
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_63(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_63(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)45, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)19, x, __m256i));
@@ -704,8 +707,8 @@ with const generics
 - RIGHT= 19
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_63(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_63(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_63(ab);
 }
@@ -733,7 +736,8 @@ with const generics
 - RIGHT= 62
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_6a(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_6a(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)2, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)62, x, __m256i));
@@ -746,8 +750,8 @@ with const generics
 - RIGHT= 62
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_6a(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_6a(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_6a(ab);
 }
@@ -775,7 +779,8 @@ with const generics
 - RIGHT= 2
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_ab(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_ab(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)62, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)2, x, __m256i));
@@ -788,8 +793,8 @@ with const generics
 - RIGHT= 2
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_ab(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ab(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_ab(ab);
 }
@@ -817,7 +822,8 @@ with const generics
 - RIGHT= 58
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_5b(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_5b(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)6, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)58, x, __m256i));
@@ -830,8 +836,8 @@ with const generics
 - RIGHT= 58
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_5b(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_5b(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_5b(ab);
 }
@@ -859,7 +865,8 @@ with const generics
 - RIGHT= 21
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_6f(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_6f(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)43, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)21, x, __m256i));
@@ -872,8 +879,8 @@ with const generics
 - RIGHT= 21
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_6f(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_6f(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_6f(ab);
 }
@@ -901,7 +908,8 @@ with const generics
 - RIGHT= 49
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_62(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_62(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)15, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)49, x, __m256i));
@@ -914,8 +922,8 @@ with const generics
 - RIGHT= 49
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_62(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_62(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_62(ab);
 }
@@ -943,7 +951,8 @@ with const generics
 - RIGHT= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_23(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_23(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)61, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)3, x, __m256i));
@@ -956,8 +965,8 @@ with const generics
 - RIGHT= 3
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_23(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_23(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_23(ab);
 }
@@ -985,7 +994,8 @@ with const generics
 - RIGHT= 36
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_37(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_37(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)28, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)36, x, __m256i));
@@ -998,8 +1008,8 @@ with const generics
 - RIGHT= 36
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_37(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_37(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_37(ab);
 }
@@ -1027,7 +1037,8 @@ with const generics
 - RIGHT= 9
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_bb(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_bb(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)55, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)9, x, __m256i));
@@ -1040,8 +1051,8 @@ with const generics
 - RIGHT= 9
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_bb(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_bb(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_bb(ab);
 }
@@ -1069,7 +1080,8 @@ with const generics
 - RIGHT= 39
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_b9(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_b9(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)25, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)39, x, __m256i));
@@ -1082,8 +1094,8 @@ with const generics
 - RIGHT= 39
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_b9(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_b9(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_b9(ab);
 }
@@ -1111,7 +1123,8 @@ with const generics
 - RIGHT= 43
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_54(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_54(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)21, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)43, x, __m256i));
@@ -1124,8 +1137,8 @@ with const generics
 - RIGHT= 43
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_54(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_54(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_54(ab);
 }
@@ -1153,7 +1166,8 @@ with const generics
 - RIGHT= 8
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_4c(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_4c(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)56, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)8, x, __m256i));
@@ -1166,8 +1180,8 @@ with const generics
 - RIGHT= 8
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_4c(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_4c(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_4c(ab);
 }
@@ -1195,7 +1209,8 @@ with const generics
 - RIGHT= 37
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_ce(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_ce(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)27, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)37, x, __m256i));
@@ -1208,8 +1223,8 @@ with const generics
 - RIGHT= 37
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_ce(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ce(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_ce(ab);
 }
@@ -1237,7 +1252,8 @@ with const generics
 - RIGHT= 44
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_77(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_77(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)20, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)44, x, __m256i));
@@ -1250,8 +1266,8 @@ with const generics
 - RIGHT= 44
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_77(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_77(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_77(ab);
 }
@@ -1279,7 +1295,8 @@ with const generics
 - RIGHT= 25
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_25(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_25(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)39, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)25, x, __m256i));
@@ -1292,8 +1309,8 @@ with const generics
 - RIGHT= 25
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_25(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_25(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_25(ab);
 }
@@ -1321,7 +1338,8 @@ with const generics
 - RIGHT= 56
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_af(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_af(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)8, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)56, x, __m256i));
@@ -1334,8 +1352,8 @@ with const generics
 - RIGHT= 56
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_af(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_af(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_af(ab);
 }
@@ -1363,7 +1381,8 @@ with const generics
 - RIGHT= 50
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_fd(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_fd(__m256i x) {
   return libcrux_intrinsics_avx2_mm256_xor_si256(
       libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)14, x, __m256i),
       libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)50, x, __m256i));
@@ -1376,8 +1395,8 @@ with const generics
 - RIGHT= 50
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_fd(__m256i a,
-                                                           __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_fd(__m256i a,
+                                                                    __m256i b) {
   __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
   return libcrux_sha3_simd_avx2_rotate_left_fd(ab);
 }
@@ -1670,7 +1689,7 @@ with const generics
 - RATE= 136
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_sha3_simd_avx2_store_block_5b(
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_5b(
     __m256i (*s)[5U], Eurydice_slice out[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
     size_t i0 = i;
@@ -2013,7 +2032,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_fb(
  Perform 4 SHAKE256 operations in parallel
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_sha3_avx2_x4_shake256(
+static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_shake256(
     Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2,
     Eurydice_slice input3, Eurydice_slice out0, Eurydice_slice out1,
     Eurydice_slice out2, Eurydice_slice out3) {
@@ -2037,7 +2056,7 @@ typedef libcrux_sha3_generic_keccak_KeccakState_55
  Initialise the [`KeccakState`].
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline libcrux_sha3_generic_keccak_KeccakState_55
+static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55
 libcrux_sha3_avx2_x4_incremental_init(void) {
   return libcrux_sha3_generic_keccak_new_89_a6();
 }
@@ -2048,7 +2067,7 @@ with const generics
 - RATE= 168
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_sha3_simd_avx2_load_block_3a(
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_3a(
     __m256i (*s)[5U], Eurydice_slice blocks[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) {
     size_t i0 = i;
@@ -2239,7 +2258,8 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_fb0(
  Absorb
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_sha3_avx2_x4_incremental_shake128_absorb_final(
+static KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake128_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0,
     Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) {
   Eurydice_slice buf[4U] = {data0, data1, data2, data3};
@@ -2252,7 +2272,7 @@ with const generics
 - RATE= 168
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_sha3_simd_avx2_store_block_3a(
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_3a(
     __m256i (*s)[5U], Eurydice_slice out[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) {
     size_t i0 = i;
@@ -2402,7 +2422,8 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_970(
  Squeeze another block
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block(
+static KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
   Eurydice_slice buf[4U] = {out0, out1, out2, out3};
@@ -2454,7 +2475,7 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_97(
  Squeeze three blocks
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
@@ -2508,7 +2529,7 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_97(
  Squeeze five blocks
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
@@ -2520,7 +2541,8 @@ libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
  Absorb
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
+static KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0,
     Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) {
   Eurydice_slice buf[4U] = {data0, data1, data2, data3};
@@ -2531,7 +2553,7 @@ static inline void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
  Squeeze block
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
@@ -2543,7 +2565,8 @@ libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
  Squeeze next block
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block(
+static KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
     Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
   Eurydice_slice buf[4U] = {out0, out1, out2, out3};
diff --git a/libcrux-ml-kem/cg/libcrux_sha3_portable.h b/libcrux-ml-kem/cg/libcrux_sha3_portable.h
index 65f8d5cb2..b814c2361 100644
--- a/libcrux-ml-kem/cg/libcrux_sha3_portable.h
+++ b/libcrux-ml-kem/cg/libcrux_sha3_portable.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_sha3_portable_H
@@ -1662,8 +1662,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_96(
 /**
  A portable SHA3 512 implementation.
 */
-static inline void libcrux_sha3_portable_sha512(Eurydice_slice digest,
-                                                Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_96(buf0, buf);
@@ -2021,8 +2021,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ad(
 /**
  A portable SHA3 256 implementation.
 */
-static inline void libcrux_sha3_portable_sha256(Eurydice_slice digest,
-                                                Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_ad(buf0, buf);
@@ -2150,8 +2150,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ad0(
 /**
  A portable SHAKE256 implementation.
 */
-static inline void libcrux_sha3_portable_shake256(Eurydice_slice digest,
-                                                  Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_shake256(
+    Eurydice_slice digest, Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_ad0(buf0, buf);
@@ -2163,7 +2163,7 @@ typedef libcrux_sha3_generic_keccak_KeccakState_17
 /**
  Create a new SHAKE-128 state object.
 */
-static inline libcrux_sha3_generic_keccak_KeccakState_17
+static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17
 libcrux_sha3_portable_incremental_shake128_init(void) {
   return libcrux_sha3_generic_keccak_new_89_04();
 }
@@ -2256,7 +2256,8 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e2(
 /**
  Absorb
 */
-static inline void libcrux_sha3_portable_incremental_shake128_absorb_final(
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake128_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data0) {
   Eurydice_slice buf[1U] = {data0};
   libcrux_sha3_generic_keccak_absorb_final_9e2(s, buf);
@@ -2310,7 +2311,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c61(
 /**
  Squeeze another block
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
   Eurydice_slice buf[1U] = {out0};
@@ -2359,7 +2360,7 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6(
 /**
  Squeeze three blocks
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
   Eurydice_slice buf[1U] = {out0};
@@ -2756,8 +2757,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_1e(
 /**
  A portable SHA3 224 implementation.
 */
-static inline void libcrux_sha3_portable_sha224(Eurydice_slice digest,
-                                                Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_1e(buf0, buf);
@@ -3115,8 +3116,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_7c(
 /**
  A portable SHA3 384 implementation.
 */
-static inline void libcrux_sha3_portable_sha384(Eurydice_slice digest,
-                                                Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_7c(buf0, buf);
@@ -3128,15 +3129,16 @@ static inline void libcrux_sha3_portable_sha384(Eurydice_slice digest,
  Preconditions:
  - `digest.len() == 28`
 */
-static inline void libcrux_sha3_sha224_ema(Eurydice_slice digest,
-                                           Eurydice_slice payload) {
+static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
   libcrux_sha3_portable_sha224(digest, payload);
 }
 
 /**
  SHA3 224
 */
-static inline void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) {
+static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data,
+                                                uint8_t ret[28U]) {
   uint8_t out[28U] = {0U};
   libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t),
                           data);
@@ -3146,15 +3148,16 @@ static inline void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) {
 /**
  SHA3 256
 */
-static inline void libcrux_sha3_sha256_ema(Eurydice_slice digest,
-                                           Eurydice_slice payload) {
+static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
   libcrux_sha3_portable_sha256(digest, payload);
 }
 
 /**
  SHA3 256
 */
-static inline void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) {
+static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data,
+                                                uint8_t ret[32U]) {
   uint8_t out[32U] = {0U};
   libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t),
                           data);
@@ -3164,15 +3167,16 @@ static inline void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) {
 /**
  SHA3 384
 */
-static inline void libcrux_sha3_sha384_ema(Eurydice_slice digest,
-                                           Eurydice_slice payload) {
+static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
   libcrux_sha3_portable_sha384(digest, payload);
 }
 
 /**
  SHA3 384
 */
-static inline void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) {
+static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data,
+                                                uint8_t ret[48U]) {
   uint8_t out[48U] = {0U};
   libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t),
                           data);
@@ -3182,15 +3186,16 @@ static inline void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) {
 /**
  SHA3 512
 */
-static inline void libcrux_sha3_sha512_ema(Eurydice_slice digest,
-                                           Eurydice_slice payload) {
+static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
   libcrux_sha3_portable_sha512(digest, payload);
 }
 
 /**
  SHA3 512
 */
-static inline void libcrux_sha3_sha512(Eurydice_slice data, uint8_t ret[64U]) {
+static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data,
+                                                uint8_t ret[64U]) {
   uint8_t out[64U] = {0U};
   libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t),
                           data);
@@ -3407,8 +3412,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_c6(
 /**
  A portable SHAKE128 implementation.
 */
-static inline void libcrux_sha3_portable_shake128(Eurydice_slice digest,
-                                                  Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_shake128(
+    Eurydice_slice digest, Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_c6(buf0, buf);
@@ -3419,8 +3424,8 @@ static inline void libcrux_sha3_portable_shake128(Eurydice_slice digest,
 
  Writes `out.len()` bytes.
 */
-static inline void libcrux_sha3_shake128_ema(Eurydice_slice out,
-                                             Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out,
+                                                      Eurydice_slice data) {
   libcrux_sha3_portable_shake128(out, data);
 }
 
@@ -3429,8 +3434,8 @@ static inline void libcrux_sha3_shake128_ema(Eurydice_slice out,
 
  Writes `out.len()` bytes.
 */
-static inline void libcrux_sha3_shake256_ema(Eurydice_slice out,
-                                             Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out,
+                                                      Eurydice_slice data) {
   libcrux_sha3_portable_shake256(out, data);
 }
 
@@ -3451,8 +3456,8 @@ static const size_t libcrux_sha3_generic_keccak__ROTC[24U] = {
 /**
  A portable SHA3 224 implementation.
 */
-static inline void libcrux_sha3_neon_sha224(Eurydice_slice digest,
-                                            Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest,
+                                                     Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -3461,8 +3466,8 @@ static inline void libcrux_sha3_neon_sha224(Eurydice_slice digest,
 /**
  A portable SHA3 256 implementation.
 */
-static inline void libcrux_sha3_neon_sha256(Eurydice_slice digest,
-                                            Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest,
+                                                     Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -3471,8 +3476,8 @@ static inline void libcrux_sha3_neon_sha256(Eurydice_slice digest,
 /**
  A portable SHA3 384 implementation.
 */
-static inline void libcrux_sha3_neon_sha384(Eurydice_slice digest,
-                                            Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest,
+                                                     Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -3481,8 +3486,8 @@ static inline void libcrux_sha3_neon_sha384(Eurydice_slice digest,
 /**
  A portable SHA3 512 implementation.
 */
-static inline void libcrux_sha3_neon_sha512(Eurydice_slice digest,
-                                            Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest,
+                                                     Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
@@ -3493,10 +3498,10 @@ static inline void libcrux_sha3_neon_sha512(Eurydice_slice digest,
 
  Writes the two results into `out0` and `out1`
 */
-static inline void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0,
-                                                 Eurydice_slice input1,
-                                                 Eurydice_slice out0,
-                                                 Eurydice_slice out1) {
+static KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0,
+                                                          Eurydice_slice input1,
+                                                          Eurydice_slice out0,
+                                                          Eurydice_slice out1) {
   /* TODO: make argument ordering consistent */
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
@@ -3510,7 +3515,7 @@ typedef struct libcrux_sha3_neon_x2_incremental_KeccakState_s {
 /**
  Initialise the `KeccakState2`.
 */
-static inline libcrux_sha3_neon_x2_incremental_KeccakState
+static KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState
 libcrux_sha3_neon_x2_incremental_init(void) {
   /* XXX: These functions could alternatively implement the same with the
    * portable implementation { let s0 = KeccakState::new(); let s1 =
@@ -3523,7 +3528,8 @@ libcrux_sha3_neon_x2_incremental_init(void) {
 /**
  Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`.
 */
-static inline void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
+static KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
     Eurydice_slice data1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -3539,7 +3545,7 @@ static inline void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
  Squeeze 2 times the first three blocks in parallel in the
  [`KeccakState`] and return the output in `out0` and `out1`.
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
@@ -3556,7 +3562,8 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
  Squeeze 2 times the next block in parallel in the
  [`KeccakState`] and return the output in `out0` and `out1`.
 */
-static inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
+static KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -3571,7 +3578,7 @@ static inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
 /**
  Squeeze five blocks
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
@@ -3583,7 +3590,8 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
 /**
  Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`.
 */
-static inline void libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
+static KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
     Eurydice_slice data1) {
   /* XXX: These functions could alternatively implement the same with the
@@ -3598,7 +3606,7 @@ static inline void libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
 /**
  Squeeze block
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
@@ -3610,7 +3618,8 @@ libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
 /**
  Squeeze next block
 */
-static inline void libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block(
+static KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
@@ -3662,7 +3671,7 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_c6(
 /**
  Squeeze five blocks
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) {
   Eurydice_slice buf[1U] = {out0};
@@ -3672,7 +3681,8 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
 /**
  Absorb some data for SHAKE-256 for the last time
 */
-static inline void libcrux_sha3_portable_incremental_shake256_absorb_final(
+static KRML_MUSTINLINE void
+libcrux_sha3_portable_incremental_shake256_absorb_final(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data) {
   Eurydice_slice buf[1U] = {data};
   libcrux_sha3_generic_keccak_absorb_final_9e1(s, buf);
@@ -3681,7 +3691,7 @@ static inline void libcrux_sha3_portable_incremental_shake256_absorb_final(
 /**
  Create a new SHAKE-256 state object.
 */
-static inline libcrux_sha3_generic_keccak_KeccakState_17
+static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17
 libcrux_sha3_portable_incremental_shake256_init(void) {
   return libcrux_sha3_generic_keccak_new_89_04();
 }
@@ -3689,7 +3699,7 @@ libcrux_sha3_portable_incremental_shake256_init(void) {
 /**
  Squeeze the first SHAKE-256 block
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) {
   Eurydice_slice buf[1U] = {out};
@@ -3699,7 +3709,7 @@ libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
 /**
  Squeeze the next SHAKE-256 block
 */
-static inline void
+static KRML_MUSTINLINE void
 libcrux_sha3_portable_incremental_shake256_squeeze_next_block(
     libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) {
   Eurydice_slice buf[1U] = {out};